AOLserver needs to be started as the root user if you want to use port 80. Once it starts, though, it will drop the root privileges and run as another user, which you must specify on the command line. It's important that this user has as few privileges as possible. Why? Because if an intruder somehow breaks in through AOLserver, you don't want her to have any ability to do damage to the rest of your server.
At the same time, AOLserver needs to have write access to some files on your system in order for OpenACS to function properly. So, we'll run AOLserver with a different user account for each different service. A service name should be a single word, letters and numbers only. If the name of your site is one word, that would be a good choice. For example "$OPENACS_SERVICE_NAME" might be the service name for the $OPENACS_SERVICE_NAME.net community.
We'll leave the password blank, which prevents login by password, for increased security. The only way to log in will be with ssh certificates. The only people who should log in are developers for that specific instance. Add this user, and put it in the $OPENACS_SERVICE_NAME group so that it can use database and server commands associated with that group. (If you don't know how to do this, type man usermod. You can type groups to find out which groups a user is a part of.)
[root root]# useradd $OPENACS_SERVICE_NAME
You also need to set up a group called web.
[root root]# groupadd web
Then change the user to be a part of this group:
[root root]# usermod -g web $OPENACS_SERVICE_NAME
FreeBSD creates the user this way:
[root root]# mkdir -p /home/$OPENACS_SERVICE_NAME
[root root]# pw useradd -n $OPENACS_SERVICE_NAME -g web -d /home/$OPENACS_SERVICE_NAME -s /bin/bash
For Linux Standard Base compliance and ease of backup, all of the files in each OpenACS site are stored in a subdirectory of /var/lib/aolserver, one subdirectory per site. The first time you install an OpenACS site on a server, you must create the parent directory and set its permissions:
[root root]# mkdir /var/lib/aolserver
[root root]# chgrp web /var/lib/aolserver
[root root]# chmod 770 /var/lib/aolserver
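As an added check that is not part of the OpenACS documentation, the following shell function audits the invariants the commands above establish: the parent directory is mode 770 and group web, and each site directory beneath it is owned by the service user of the same name with no access for "other". It assumes GNU stat (Linux) and demonstrates itself on a constructed temporary tree, using the caller's primary group because chgrp to web would need root.

```shell
#!/bin/sh
# Added example, not from the OpenACS docs. Audits an AOLserver site tree:
#   - parent dir (default /var/lib/aolserver) is 770 and group-owned by GROUP,
#     so only root and members of GROUP can traverse it;
#   - every site dir below it has no "other" bits and is owned by the account
#     of the same name (one dedicated user per service).
# Prints one line per violation; returns 0 when clean, 1 otherwise.

# Last three octal digits of the mode (drops any setgid/sticky prefix).
perm_bits() {
    m=$(stat -c '%a' "$1")
    echo "${m#"${m%???}"}"
}

audit_aolserver_tree() {
    root=${1:-/var/lib/aolserver}
    group=${2:-web}
    rc=0
    [ -d "$root" ] || { echo "missing: $root"; return 1; }
    mode=$(perm_bits "$root")
    grp=$(stat -c '%G' "$root")
    [ "$mode" = 770 ] || { echo "$root: mode $mode, expected 770"; rc=1; }
    [ "$grp" = "$group" ] || { echo "$root: group $grp, expected $group"; rc=1; }
    for site in "$root"/*/; do
        [ -d "$site" ] || continue          # glob did not expand: empty tree
        site=${site%/}
        name=${site##*/}
        mode=$(perm_bits "$site")
        owner=$(stat -c '%U' "$site")
        case $mode in
            *0) ;;                          # last digit 0: no world access
            *)  echo "$site: mode $mode is world-accessible"; rc=1 ;;
        esac
        [ "$owner" = "$name" ] || { echo "$site: owner $owner, expected $name"; rc=1; }
    done
    return $rc
}

# Self-contained demonstration on a constructed tree under mktemp. Expect
# clean=0 after the setup above, loose=1 once the parent is opened to 775.
demo_audit() {
    tmp=$(mktemp -d)
    me=$(id -un); grp=$(id -gn)
    mkdir -p "$tmp/$me"
    chmod 770 "$tmp"; chmod 700 "$tmp/$me"
    audit_aolserver_tree "$tmp" "$grp" >/dev/null; clean=$?
    chmod 775 "$tmp"
    audit_aolserver_tree "$tmp" "$grp" >/dev/null; loose=$?
    rm -rf "$tmp"
    echo "clean=$clean loose=$loose"
    [ "$clean" = 0 ] && [ "$loose" = 1 ]
}

demo_audit                                  # prints: clean=0 loose=1
```

On a real host run `audit_aolserver_tree /var/lib/aolserver web` as root so that every site directory is readable by stat.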
A bash script is available to automate all of the steps for the rest of this section. It requires tclwebtest. The automated script can greatly accelerate the install process, but is very sensitive to the install environment. We recommend that you run the automated install and, if it does not work the first time, consider switching to a manual installation.
Get the install script from CVS. It is located within the main cvs tree, at /etc/install. Use anonymous CVS checkout to get that directory in the home directory of the service's dedicated user. We put it there so that it is not overwritten when we do the main CVS checkout to the target location.
[root root]#su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cvs -d :pserver:anonymous@cvs.openacs.org:/cvsroot co -d install openacs-4/etc/install
cvs server: Updating install
U install/README
U install/TODO
... many lines omitted ...
U install/tcl/twt-procs.tcl
U install/tcl/user-procs.tcl
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd install
[$OPENACS_SERVICE_NAME install]$emacs install.tcl
Edit the installation configuration file, /home/$OPENACS_SERVICE_NAME/install/install.tcl, and update the site-specific values, such as the new service's IP address and name, which will be written into the new service's config.tcl file.
If your system is different from the one described in the previous sections, check the file paths as well. Set do_checkout=yes to create a new OpenACS site directly from a CVS checkout, or =no if you have a fully configured site and just want to rebuild it (drop and recreate the database and repeat the installation). If you have followed a stock installation, the default configuration will work without changes and will install an OpenACS site at 127.0.0.1:8000.
Run the install script install.sh as root:
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ exit
[root root]# sh /home/$OPENACS_SERVICE_NAME/install/install.sh
/home/$OPENACS_SERVICE_NAME/install/install.sh: Starting installation with config_file /home/$OPENACS_SERVICE_NAME/install/install.tcl. Using serverroot=/var/lib/aolserver/$OPENACS_SERVICE_NAME, server_url=http://0.0.0.0:8000, do_checkout=yes, do_install=yes, dotlrn=no, and database=postgres., use_daemontools=true
... many lines omitted ...
Tue Jan 27 11:50:59 CET 2004: Finished (re)installing /var/lib/aolserver/$OPENACS_SERVICE_NAME.
######################################################################
New site URL: http://127.0.0.1:8000
admin email : admin@yourserver.net
admin password: xxxx
######################################################################
[root root]#
You can proceed to the section called “Next Steps”.
You should already have downloaded the OpenACS tarball to the /var/tmp directory. If not, download the OpenACS tarball and save it in /var/tmp and proceed:
Unpack the OpenACS tarball and rename it to $OPENACS_SERVICE_NAME. Secure the directory so that only the owner can access it. Check the permissions by listing the directory.
FreeBSD note: Change the period in chown -R $OPENACS_SERVICE_NAME.$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME to a colon: chown -R $OPENACS_SERVICE_NAME:$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME
[root root]# su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver
[$OPENACS_SERVICE_NAME aolserver]$ tar xzf /var/tmp/openacs-5.9.0.tgz
[$OPENACS_SERVICE_NAME aolserver]$ mv openacs-5.9.0 $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME aolserver]$ chmod -R 775 $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME aolserver]$ chown -R $OPENACS_SERVICE_NAME.$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME aolserver]$ ls -al
total 3
drwxrwx---    3 root                   web   1024 Mar 29 16:41 .
drwxr-xr-x   25 root                   root  1024 Mar 29 16:24 ..
drwx------    7 $OPENACS_SERVICE_NAME  web   1024 Jan  6 14:36 $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME aolserver]$ exit
logout
Add the Service to CVS (OPTIONAL)
Prepare the database
Prepare Oracle for OpenACS. If you won't be using Oracle, skip to Prepare PostgreSQL for an OpenACS Service
You should be sure that your user account (e.g. $OPENACS_SERVICE_NAME) is in the dba group. Verify membership by typing groups when you login:
[$OPENACS_SERVICE_NAME ~]$ groups
dba web
If you do not see these groups, take the following action:
[$OPENACS_SERVICE_NAME ~]$ su -
Password: ************
[root ~]# adduser $OPENACS_SERVICE_NAME dba
If you get an error about an undefined group, then add that group manually:
[root ~]# groupadd dba
[root ~]# groupadd web
Make sure to logout as root when you are finished with this step and log back in as your regular user.
Connect to Oracle using svrmgrl and login:
[$OPENACS_SERVICE_NAME ~]$ svrmgrl
SVRMGR> connect internal
Connected.
Determine where the system tablespaces are stored:
SVRMGR> select file_name from dba_data_files;
Example results:
/ora8/m01/app/oracle/oradata/ora8/system01.dbf
/ora8/m01/app/oracle/oradata/ora8/tools01.dbf
/ora8/m01/app/oracle/oradata/ora8/rbs01.dbf
/ora8/m01/app/oracle/oradata/ora8/temp01.dbf
/ora8/m01/app/oracle/oradata/ora8/users01.dbf
/ora8/m01/app/oracle/oradata/ora8/indx01.dbf
/ora8/m01/app/oracle/oradata/ora8/drsys01.dbf
Using the above output, you should determine where to store your tablespace. As a general rule, you'll want to store your tablespace on a mount point under the /ora8 directory that is separate from the Oracle system data files. By default, the Oracle system is on m01, so we will use m02. This enables your Oracle system and database files to be on separate disks for optimized performance. For more information on such a configuration, see Chapter 12 of Philip's book. For this example, we'll use /ora8/m02/oradata/ora8/.
Create the directory for the datafile; to do this, exit from svrmgrl and login as root for this step:
SVRMGR> exit
[$OPENACS_SERVICE_NAME ~]$ su -
Password: ************
[root ~]# mkdir -p /ora8/m02/oradata/ora8/
[root ~]# chown $OPENACS_SERVICE_NAME:web /ora8/m02/oradata/ora8
[root ~]# chmod 775 /ora8/m02/oradata/ora8
[root ~]# exit
[$OPENACS_SERVICE_NAME ~]$
Create a tablespace for the service. It is important that the tablespace can autoextend. This allows the tablespace's storage capacity to grow as the size of the data grows. We set the pctincrease to be a very low value so that our extents won't grow geometrically. We do not set it to 0 at the tablespace level because this would affect Oracle's ability to automatically coalesce free space in the tablespace.
[$OPENACS_SERVICE_NAME ~]$ svrmgrl
SVRMGR> connect internal;
SVRMGR>create tablespace $OPENACS_SERVICE_NAME datafile '/ora8/m02/oradata/ora8/$OPENACS_SERVICE_NAME01.dbf' size 50M autoextend on next 10M maxsize 300M extent management local uniform size 32K;
Create a database user for this service. Give the user access to the tablespace and rights to connect. We'll use $OPENACS_SERVICE_NAMEpassword as our password.
Write down what you specify as service_name (i.e. $OPENACS_SERVICE_NAME) and database_password (i.e. $OPENACS_SERVICE_NAMEpassword). You will need this information for configuring exports and AOLserver.
SVRMGR>create user $OPENACS_SERVICE_NAME identified by $OPENACS_SERVICE_NAMEpassword default tablespace $OPENACS_SERVICE_NAME temporary tablespace temp quota unlimited on $OPENACS_SERVICE_NAME;
SVRMGR>grant connect, resource, ctxapp, javasyspriv, query rewrite to $OPENACS_SERVICE_NAME;
SVRMGR>revoke unlimited tablespace from $OPENACS_SERVICE_NAME;
SVRMGR>alter user $OPENACS_SERVICE_NAME quota unlimited on $OPENACS_SERVICE_NAME;
SVRMGR>exit;
Your table space is now ready. In case you are trying to delete a previous OpenACS installation, consult these commands in the section called “Deleting a tablespace” below.
Make sure that you can login to Oracle using your service_name account:
[$OPENACS_SERVICE_NAME ~]$ sqlplus $OPENACS_SERVICE_NAME/$OPENACS_SERVICE_NAMEpassword
SQL> select sysdate from dual;
SYSDATE
----------
2001-12-20
SQL> exit;
You should see today's date in a format 'YYYY-MM-DD.' If you can't login, try redoing step 1 again. If the date is in the wrong format, make sure you followed the steps outlined in the section called “Troubleshooting Oracle Dates”
Prepare PostgreSQL for an OpenACS Service.
Create a user in the database matching the service name. With default PostgreSQL authentication, a system user connecting locally automatically authenticates as the postgres user of the same name, if one exists. We currently use postgres "super-users" for everything, which means that anyone with access to any of the OpenACS system accounts on a machine has full access to all postgresql databases on that machine.
[root root]# su - postgres
[postgres pgsql]$ createuser -a -d $OPENACS_SERVICE_NAME
CREATE USER
[postgres pgsql]$ exit
logout
[root root]#
Create a database with the same name as our service name, $OPENACS_SERVICE_NAME. The full pathname for createdb needs to be used, since the pgsql directory has not been added to the $OPENACS_SERVICE_NAME bash profile.
[root root]# su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ /usr/local/pgsql/bin/createdb -E UNICODE $OPENACS_SERVICE_NAME
CREATE DATABASE
Automate daily database Vacuuming. This is a process which cleans out discarded data from the database. A quick way to automate vacuuming is to edit the cron file for the database user. Recommended: VACUUM ANALYZE every hour and VACUUM FULL ANALYZE every day.
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ export EDITOR=emacs;crontab -e
Add these lines to the file. The vacuum command cleans up temporary structures within a PostgreSQL database, and can improve performance. We vacuum gently every hour and completely every day. The numbers and stars at the beginning are cron columns that specify when the program should be run - in this case, whenever the minute is 0 and the hour is 1, i.e., 1:00 am every day, and every (*) day of month, month, and day of week. Type man 5 crontab for more information.
0 1-23 * * * /usr/local/pgsql/bin/vacuumdb --analyze $OPENACS_SERVICE_NAME
0 0 * * * /usr/local/pgsql/bin/vacuumdb --full --analyze $OPENACS_SERVICE_NAME
Depending on your distribution, you may receive email when the crontab items are executed. If you don't want to receive email for those crontab items, you can add > /dev/null 2>&1 to the end of each crontab line.
Add Full Text Search Support (OPTIONAL)
At this point the database should be ready for installing OpenACS.
Configure an AOLserver Service for OpenACS.
The AOLserver architecture lets you run an arbitrary number of virtual servers. A virtual server is an HTTP service running on a specific port, e.g. port 80. In order for OpenACS to work, you need to configure a virtual server. The Reference Platform uses a configuration file included in the OpenACS tarball, /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/config.tcl. Open it in an editor to adjust the parameters.
[root root]# su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc
[$OPENACS_SERVICE_NAME etc]$ emacs config.tcl
You can continue without changing any values in the file. However, if you don't change address to match the computer's IP address, you won't be able to browse to your server from other machines.
httpport - If you want your server on a different port, enter it here. The Reference Platform port is 8000, which is suitable for development use. Port 80 is the standard http port - it's the port used by your browser when you enter http://yourserver.test. So you should use port 80 for your production site.
httpsport - This is the port for https requests. The Reference Platform https port is 8443. If http port is set to 80, httpsport should be 443 to match the standard.
address - The IP address of the server. If you are hosting multiple IPs on one computer, this is the address specific to the web site. Each virtual server will ignore any requests directed at other addresses.
server - This is the keyword that, by convention, identifies the service. It is also used as part of the path for the service root, as the name of the user for running the service, as the name of the database, and in various dependent places. The Reference Platform uses $OPENACS_SERVICE_NAME.
db_name - In almost all cases, this can be kept as a reference to $server. If for some reason the tablespace you are using is different from your servername, then you can set it here. You should have a good reason for doing this.
servername - This is just a *pretty* name for your server.
user_account - The account that will both own OpenACS files and connect to the database (for Postgresql).
debug - Set to true for a very verbose error log, including many lines for every page view, success or failure.
AOLserver is very configurable. These settings should get you started, but for more options, read the AOLserver docs.
Enable OpenFTS Full Text Search (OPTIONAL)
Install nsopenssl for SSL support. (OPTIONAL)
Verify AOLserver startup.
Kill any current running AOLserver processes and start a new one. The recommended way to start an AOLserver process is by running the included script, /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/daemontools/run. If you are not using the default file paths and names, you will need to edit run.
If you want to use port 80, there are complications. AOLserver must be root to use system ports such as 80, but refuses to run as root for security reasons. So, we call the run script as root and specify a non-root user ID and Group ID which AOLserver will switch to after claiming the port. To do so, find the UID and GID of the $OPENACS_SERVICE_NAME user via grep $OPENACS_SERVICE_NAME /etc/passwd and then put those numbers into the command line via -u 501 -g 502. In AOLserver 4, you must also send a -b flag. Do this by editing the run file as indicated in the comments.
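A small helper, added here and not taken from the OpenACS documentation, that resolves the -u/-g values exactly (a substring grep of /etc/passwd would also match a service called acsdev when you asked for acs) and refuses a uid or gid of 0, since the whole point of the switch is that nsd does not stay root after binding the port. The passwd data at the bottom and the service names acs and acsdev are constructed for the demonstration; without a second argument the function queries the live user database through getent.

```shell
#!/bin/sh
# Added example, not from the OpenACS docs.
# nsd_drop_args SERVICE [PASSWD_FILE]
#   Prints "-u UID -g GID" for SERVICE, ready to splice into the run
#   script's nsd command line, e.g. (address:port for -b is a placeholder):
#     nsd $(nsd_drop_args acs) -b 10.0.0.1:80 -t /var/lib/aolserver/acs/etc/config.tcl
#   PASSWD_FILE is optional and exists so the function can be exercised on
#   constructed data; by default getent is used so NSS sources are honoured.
nsd_drop_args() {
    svc=$1
    db=$2
    if [ -n "$db" ]; then
        entry=$(awk -F: -v u="$svc" '$1 == u' "$db")   # exact match on name
    else
        entry=$(getent passwd "$svc")
    fi
    [ -n "$entry" ] || { echo "no such user: $svc" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    # Never hand AOLserver a root uid or gid: it would claim port 80 and then
    # keep full privileges instead of dropping them.
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing to run $svc as uid $uid gid $gid" >&2
        return 1
    fi
    printf '%s\n' "-u $uid -g $gid"
}

# Constructed passwd data (not from any real host) for a self-contained run:
# "acs" and "acsdev" share the web group 502, as the setup above arranges.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
acs:x:501:502::/home/acs:/bin/bash
acsdev:x:503:502::/home/acsdev:/bin/bash
EOF

nsd_drop_args acs "$SAMPLE_PASSWD"        # prints: -u 501 -g 502
```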
If you are root then killall will affect all OpenACS services on the machine, so if there's more than one you'll have to do ps -auxw | grep nsd and selectively kill by job number.
[$OPENACS_SERVICE_NAME etc]$ killall nsd
nsd: no process killed
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ /usr/local/aolserver/bin/nsd-postgres -t /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/config.tcl
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: starting to read config file...
[08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: finished reading config file.
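An added example, not from the OpenACS documentation, of the selective approach the paragraph above calls for: instead of eyeballing ps output, pick out only the nsd processes started with one service's config.tcl by matching the whole -t argument, so a service named acs is not confused with acsdev. The ps lines and service names are constructed for the demonstration; on a real host pipe ps output into the function.

```shell
#!/bin/sh
# Added example, not from the OpenACS docs.
# nsd_pids_for SERVICE   (ps output on stdin; prints one PID per line)
#   ps -eo pid=,args= | nsd_pids_for $OPENACS_SERVICE_NAME
#   ps -auxw          | nsd_pids_for $OPENACS_SERVICE_NAME   # page's form works too
# A service is identified by the file it was started with,
# -t /var/lib/aolserver/<service>/etc/config.tcl, compared as a whole token.
nsd_pids_for() {
    awk -v cfg="/var/lib/aolserver/$1/etc/config.tcl" '
        {
            # "ps -eo pid,args" puts the PID first; "ps aux" puts USER first.
            pid = ($1 ~ /^[0-9]+$/) ? $1 : $2
            if (pid !~ /^[0-9]+$/) next            # header line or junk
            for (i = 1; i < NF; i++)
                if ($i == "-t" && $(i + 1) == cfg) { print pid; break }
        }'
}

# Constructed "ps -auxw" output (no real host): two services plus the grep
# that "ps -auxw | grep nsd" would also list.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY   STAT START  TIME COMMAND
acs       1234  0.3  4.1 151020 42916 ?     Sl   10:01  0:12 /usr/local/aolserver/bin/nsd -u 501 -g 502 -b 10.0.0.1:80 -t /var/lib/aolserver/acs/etc/config.tcl
acsdev    1240  0.2  3.9 148812 40120 ?     Sl   10:02  0:09 /usr/local/aolserver/bin/nsd -t /var/lib/aolserver/acsdev/etc/config.tcl
acs       1301  0.0  0.0   4280   820 pts/0 S+   10:05  0:00 grep nsd'

# Convenience wrapper that feeds the constructed sample to the filter.
pids_for_sample() { printf '%s\n' "$SAMPLE_PS" | nsd_pids_for "$1"; }

pids_for_sample acs                            # prints: 1234
```

To restart a single service: `kill $(ps -eo pid=,args= | nsd_pids_for $OPENACS_SERVICE_NAME)` and then run that service's run script again.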
Attempt to connect to the service from a web browser. You should specify a URL like: http://yourserver.test:8000
You should see a page that looks like this. If you imported your files into cvs, now that you know it worked you can erase the temp directory with rm -rf /var/lib/aolserver/$OPENACS_SERVICE_NAME.orig.
If you don't see the login page, view your error log (/var/lib/aolserver/$OPENACS_SERVICE_NAME/log/$OPENACS_SERVICE_NAME-error.log) to make sure the service is starting without any problems. The most common errors here are trying to start a port 80 server while not root, failing to connect because of a firewall, and AOLserver failing to start due to permissions errors or missing files. If you need to make changes, don't forget to kill any running servers with killall nsd.
Automate AOLserver keepalive (OPTIONAL)
Configure a Service with the OpenACS Installer. Now that you've got AOLserver up and running, let's install OpenACS 5.9.0.
You should see a page from the webserver titled OpenACS Installation: Welcome. You will be warned if your version of the database driver is out of date, if AOLserver cannot connect to the database, if any modules are missing or out-of-date, or if there are any problems with filesystem permissions on the server side. But if everything is fine, you can click Next to proceed to load the OpenACS Kernel data model.
The next page shows the results of loading the OpenACS Kernel data model - be prepared to wait a few minutes as it works. You should see a string of output messages from the database as the datamodel is created. You'll see the line:
Loading package .info files ... this will take a few minutes
This will really take a few minutes. Have faith! Finally, another Next button will appear at the bottom - click it.
The following page shows the results of loading the core package data models. You should see positive results for each of the previously selected packages, but watch out for any errors. Eventually, the page will display "Generating secret tokens" and then "Done" - click Next.
You should see a page, "OpenACS Installation: Create Administrator" with form fields to define the OpenACS site administrator. Fill out the fields as appropriate, and click Create User.
You should see a page, "OpenACS Installation: Set System Information" allowing you to name your service. Fill out the fields as appropriate, and click Set System Information.
You'll see the final Installer page, "OpenACS Installation: Complete." It will tell you that the server is being restarted; note that unless you already set up a way for AOLserver to restart itself (i.e. inittab or daemontools), you'll need to manually restart your service.
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ /usr/local/aolserver/bin/nsd-postgres -t /var/lib/aolserver/$OPENACS_SERVICE_NAME/config.tcl
Give the server a few minutes to start up. Then reload the final page above. You should see the front page, with an area to login near the upper right. Congratulations, OpenACS 5.9.0 is now up and running!
If you want to track fresh code developments between releases, or you are an OpenACS core developer, you may want to install from CVS. This is identical to Option 2 except that you get the files from CVS instead of the tarball: CVS Checkout Instructions. In short, instead of tar xzf /var/tmp/openacs-5.9.0.tgz, use cvs -z3 -d :pserver:anonymous@openacs.org:/cvsroot co acs-core to obtain an ACS core installation.
Use daemontools supervise and svc, or inittab, to automate server startup and shutdown.
Install Full Text Search (OPTIONAL). If you have installed OpenFTS and enabled OpenFTS, you can now install the OpenFTS Driver package and Full Text Search Engine package in the OpenACS service.
This is a good time to make a backup of your service. If this is a production site, you should set up automatic nightly backups.
If you want traffic reports, set up analog or another log processing program.
Follow the instruction on the home page to change the appearance of your service or add more packages. (more information)
Proceed to the tutorial to learn how to develop your own packages.
Set up database environment variables for the site user. Depending on how you installed Oracle or PostgreSQL, these settings may be necessary for working with the database while logged in as the service user. They do not directly affect the service's run-time connection with the database, because those environmental variables are set by the wrapper scripts nsd-postgres and nsd-oracle.
[root root]# su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ emacs .bashrc
Put in the appropriate lines for the database you are running. If you will use both databases, put in both sets of lines.
PostgreSQL:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/pgsql/lib
export PATH=$PATH:/usr/local/pgsql/bin
Oracle. These environment variables are specific for a local Oracle installation communicating via IPC. If you are connecting to a remote Oracle installation, you'll need to adjust these appropriately. Also, make sure that the '8.1.7' matches your Oracle version.
export ORACLE_BASE=/ora8/m01/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/8.1.7
export PATH=$PATH:$ORACLE_HOME/bin
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib
export ORACLE_SID=ora8
export ORACLE_TERM=vt100
export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
Test this by logging out and back in as $OPENACS_SERVICE_NAME and checking the paths.
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ exit
logout
[root src]# su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME ~]$ env
For PostgreSQL, you should see:
LD_LIBRARY_PATH=:/usr/local/pgsql/lib
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:\
/root/bin:/usr/local/pgsql/bin:/usr/local/pgsql/bin
For Oracle:
ORACLE_BASE=/ora8/m01/app/oracle
ORACLE_HOME=/ora8/m01/app/oracle/product/8.1.7
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:\
/root/bin:/ora8/m01/app/oracle/product/8.1.7/bin
LD_LIBRARY_PATH=/ora8/m01/app/oracle/product/8.1.7/lib:/lib:/usr/lib
ORACLE_SID=ora8
ORACLE_TERM=vt100
ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
Test your backup and recovery procedure.