Difference between revisions of "User:Dominik.epple"
Revision as of 14:03, 15 June 2018
- 1 Install Guide
- 1.1 About this document
- 1.2 Preparations
- 1.3 Install OX software
- 1.4 Install database schemas
- 1.5 Initial configuration
- 1.6 Registering stuff
- 1.7 Configure Apache
- 1.8 Provision a Test User
About this document
The aim of this document is to improve on the existing quickinstall guides: be more structured, give a more extensive view of "single node and beyond" topics, follow existing best practices more closely (security-wise, among others), and point out what needs to change in clustered installations.
Unless noted otherwise, the commands in this document therefore assume a high-level design of "single node, all-in-one".
This document was created on Debian Stretch (which, at the time of writing, is not yet a supported platform), but it should also work as-is on Jessie. Porting to RHEL/SLES/... is TODO.
Preparations
Start from the latest patch level of your OS:
apt-get update
apt-get dist-upgrade
apt-get install less vim pwgen apt-transport-https
# or, on EL7 (RHEL/CentOS 7):
yum update
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install vim less pwgen wget
This guide features copy-paste ready commands that create installations with no default passwords.
We pre-generate the passwords we need; they live as dotfiles in /root. Keep them readable by root only (mode 0600): /root itself is private on Debian, but files created by a plain redirection get your umask, i.e. usually 0644.
pwgen -c -n 16 1 > /root/.oxpw
pwgen -c -n 16 1 > /root/.dbpw
pwgen -c -n 16 1 > /root/.dbrootpw
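As an added example (not part of the original guide), the same secret generation as a small shell function that also covers two things the bare pwgen redirections do not: the file is created with mode 0600 regardless of the umask, and an existing secret is never overwritten, so re-running the snippet cannot silently rotate a password that is already configured in MySQL, OX or /root/.my.cnf. The /dev/urandom fallback for hosts without pwgen and the directory parameter (so it can be tried outside /root) are assumptions of this example, not part of the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the dotfile secrets
# (/root/.oxpw, /root/.dbpw, /root/.dbrootpw) safely and idempotently.

# gen_secret FILE [LENGTH]
#   Writes one random alphanumeric secret (default 16 chars, like the guide's
#   "pwgen -c -n 16 1") into FILE with mode 0600. If FILE already holds a
#   secret it is left untouched, so the function is safe to re-run.
gen_secret() {
    file=$1
    len=${2:-16}
    if [ -s "$file" ]; then
        return 0                      # keep the secret that is already in use
    fi
    (
        umask 077                     # file is created 0600 whatever the caller's umask is
        if command -v pwgen >/dev/null 2>&1; then
            pwgen -c -n "$len" 1 > "$file"
        else
            # assumption: pwgen may be missing; same character class from /dev/urandom
            LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len" > "$file"
            echo >> "$file"           # trailing newline, as pwgen writes it
        fi
    )
}

# secret_is_private FILE: true if FILE is non-empty and its mode is exactly 0600.
secret_is_private() {
    [ -s "$1" ] && [ -n "$(find "$1" -prune -perm 600 -print)" ]
}

# setup_root_secrets [DIR]: create the three secrets the guide uses. DIR
# defaults to /root; it is a parameter only so the function can be exercised
# in a scratch directory.
setup_root_secrets() {
    dir=${1:-/root}
    for name in .oxpw .dbpw .dbrootpw; do
        gen_secret "$dir/$name" 16
    done
}
```

Later commands read the secrets with "$(cat /root/.dbpw)" exactly as in the guide; command substitution strips the trailing newline pwgen writes.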
For the database, real-world installations will probably use multiple Galera clusters of a supported flavor and version. For educational purposes, a standalone DB on our single-node machine is sufficient.
Even for single-node, don't forget to apply database tuning. See our oxpedia article for the default tunings. Note that some InnoDB sizing changes (innodb_log_file_size on older versions, for example) require the data files to be recreated; on a freshly installed, still empty server the simplest way is to re-initialize the datadir. This discards all existing data and resets all accounts, so do it before the password steps below, then restart the service:
mysql_install_db
service mysql restart
We aim at secure-by-default documentation, so here we go: run mysql_secure_installation and choose every security-relevant option (remove anonymous users, disallow remote root login, remove the test database), but leave the root password empty in this step, as we set it from /root/.dbrootpw in the next one:
# leave the root password empty in mysql_secure_installation; we set it in the subsequent step
mysql_secure_installation
# now configure the password from /root/.dbrootpw
mysql -e "UPDATE mysql.user SET Password=PASSWORD('$(cat /root/.dbrootpw)') WHERE User='root'; FLUSH PRIVILEGES;"
# store it for root's mysql client; the file holds the password in clear text, so keep it mode 0600
cat >/root/.my.cnf <<EOF
[client]
user=root
password=$(cat /root/.dbrootpw)
EOF
MySQL 5.7: the UPDATE above no longer works, because 5.7 dropped the mysql.user.Password column (it became authentication_string). Set the password with ALTER USER instead, again using the generated password rather than a literal one:
mysql -e "ALTER USER USER() IDENTIFIED BY '$(cat /root/.dbrootpw)';"
If /etc/mysql/debian.cnf is configured to use the root account (the Debian maintenance scripts read this file at service start/stop), put the new password there as well, so that these scripts keep working.
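As an added example (not part of the original guide), the password step as shell functions that pick the right statement for the server version and quote the password so it is safe inside the SQL literal (the pwgen output above is alphanumeric, but the quoting makes the step correct for any password). It also writes /root/.my.cnf with mode 0600. The version strings in the comments are illustrative; the function names and the set_root_password wrapper are this example's, not OX tooling.

```shell
#!/bin/sh
# Added example, not from the original guide: set the MySQL root password
# from /root/.dbrootpw for the server version in use.

# sql_quote STRING: make STRING safe inside a single-quoted SQL literal
# (doubles single quotes and backslashes; MySQL treats backslash as an
# escape character unless NO_BACKSLASH_ESCAPES is set).
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# root_password_statement VERSION PASSWORD
#   VERSION is what SELECT VERSION() returns, e.g. "10.1.26-MariaDB-0+deb9u1"
#   (Debian Stretch) or "5.7.22-0ubuntu0.16.04.1". MySQL 5.7 dropped the
#   mysql.user.Password column (now authentication_string), so the guide's
#   UPDATE fails there and ALTER USER is used for MySQL >= 5.7. MariaDB 10.1
#   and MySQL < 5.7 keep the UPDATE from the guide.
#   Assumption: MariaDB releases newer than 10.1 are not covered here.
root_password_statement() {
    version=$1
    pw=$(sql_quote "$2")
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}
    use_alter=0
    case $version in
        *MariaDB*) use_alter=0 ;;
        *) if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }; then
               use_alter=1
           fi ;;
    esac
    if [ "$use_alter" -eq 1 ]; then
        printf "ALTER USER USER() IDENTIFIED BY '%s';" "$pw"
    else
        printf "UPDATE mysql.user SET Password=PASSWORD('%s') WHERE User='root'; FLUSH PRIVILEGES;" "$pw"
    fi
}

# write_client_cnf FILE PASSWORD: write the [client] section the guide puts in
# /root/.my.cnf, but with mode 0600 since it holds the root password in clear text.
write_client_cnf() {
    (
        umask 077
        printf '[client]\nuser=root\npassword=%s\n' "$2" > "$1"
    )
}

# set_root_password: the live procedure (assumes /root/.dbrootpw exists and
# root still has no password, as right after mysql_secure_installation).
set_root_password() {
    pw=$(cat /root/.dbrootpw)
    version=$(mysql -N -s -e 'SELECT VERSION()')
    mysql -e "$(root_password_statement "$version" "$pw")"
    write_client_cnf /root/.my.cnf "$pw"
}
```

Remember that the password still appears on the mysql command line for the duration of that short-lived process; that is the same exposure the guide's one-liner has.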
Prepare OX user
The packages create the user automatically if it does not exist, but we want to prepare the filestore now, so we need the user first. If the filestore will be shared over NFS, give the user a fixed uid and gid (useradd's -u and -g options) and use the same values on every node: NFS with the default sec=sys authorizes by numeric id, so differing ids would leave the filestore unwritable on some nodes.
useradd -r open-xchange
There are several options here.
Single-Node: local directory
For a single-node installation, you can just prepare a local directory:
mkdir /var/opt/filestore
chown open-xchange:open-xchange /var/opt/filestore
If using NFS:
Setup on the NFS server:
apt-get install nfs-kernel-server
service nfs-kernel-server restart
Configure /etc/exports. This uses traditional IP-based access control (plus the default root_squash); krb5 or other security configuration is out of scope of this document. Note that fsid=0 makes this directory the root of the NFSv4 pseudo-filesystem, so clients mount it as nfs-server:/ rather than by its path on the server:
mkdir /var/opt/filestore
chown open-xchange:open-xchange /var/opt/filestore
echo "/var/opt/filestore 192.168.1.0/24(rw,sync,fsid=0,no_subtree_check)" >> /etc/exports
exportfs -a
Clients can then mount it using
mkdir /var/opt/filestore
mount -t nfs -o vers=4 nfs-server:/ /var/opt/filestore
or with an fstab entry like
nfs-server:/ /var/opt/filestore nfs4 defaults 0 0
You can also use an object store. For lab environments Ceph is a convenient option. For demo / educational purposes a "single node Ceph cluster", even co-located on your "single-node machine", is reasonable, but its setup is out of scope of this document. If you want to use this, be prepared to provide the endpoint, bucket name, access key and secret key.
If you don't want to provide a filestore, you can configure OX later to run without one. (Open question: do we still need a dummy registerfilestore on a local directory in that case?)
Prepare mail system
Formally out of scope of this document.
If you need a testing Dovecot/Postfix setup, you can use our performance testing sample config.
Install OX software
You need an LDB user and password for updates and the proprietary repositories. If you don't have such a user, you can still install the free components, but the apt tools will emit a lot of "authentication failed" warnings unless you remove the closed repositories from the list. Two things to keep in mind: the build key is fetched over plain HTTP here, so verify its fingerprint against a trusted source before adding it; and the list file ends up containing your LDB password in clear text, so restrict it to root (mode 0600). apt parses source lists as root, so apt-get update keeps working.
wget http://software.open-xchange.com/oxbuildkey.pub -O - | apt-key add -
wget -O/etc/apt/sources.list.d/ox.list http://software.open-xchange.com/products/DebianJessie.list
ldbuser=...
ldbpassword=...
sed -i -e "s/LDBUSER:LDBPASSWORD/$ldbuser:$ldbpassword/" /etc/apt/sources.list.d/ox.list
apt-get update
apt-get install open-xchange open-xchange-authentication-database open-xchange-grizzly open-xchange-admin open-xchange-appsuite-backend open-xchange-appsuite-manifest open-xchange-appsuite
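As an added example (not part of the original guide or of Open-Xchange's tooling), a more robust version of the credential substitution. The plain sed above breaks if the password contains "/" or "&" (sed metacharacters), and a password containing "@" would terminate the userinfo part of the repository URL. Credentials inside a URL's user:password@ part must be percent-encoded (RFC 3986); the encoded form contains no sed metacharacters, so it can be substituted without further escaping. The placeholder LDBUSER:LDBPASSWORD is the one the guide's sed replaces; the template line used in the test is constructed for illustration and may differ from the real list file.

```shell
#!/bin/sh
# Added example, not from the original guide: put the LDB credentials into
# the OX apt source list safely and keep the file private.

# urlencode STRING: percent-encode everything except the RFC 3986 unreserved
# characters A-Z a-z 0-9 - . _ ~ (ASCII input assumed).
urlencode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}              # first character of s
        s=${s#?}                     # rest of s
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# inject_ldb_credentials FILE USER PASSWORD
#   Replaces the LDBUSER:LDBPASSWORD placeholder in FILE with the
#   percent-encoded credentials and leaves FILE with mode 0600: it now holds
#   the LDB password in clear text, and apt parses source lists as root anyway.
inject_ldb_credentials() {
    file=$1
    cred="$(urlencode "$2"):$(urlencode "$3")"
    (
        umask 077
        sed "s/LDBUSER:LDBPASSWORD/$cred/" "$file" > "$file.new"
    ) && mv "$file.new" "$file"
}

# has_placeholder FILE: true if the placeholder is still present, i.e. the
# substitution did not happen and apt would send the literal placeholder.
has_placeholder() {
    grep -q 'LDBUSER:LDBPASSWORD' "$1"
}

# Usage on the server, after fetching the list as in the guide:
#   inject_ldb_credentials /etc/apt/sources.list.d/ox.list "$ldbuser" "$ldbpassword"
#   has_placeholder /etc/apt/sources.list.d/ox.list && echo "substitution failed" >&2
```

apt decodes the percent-encoding when it parses the URI, so a password written as p%40ss is sent to the server as p@ss.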
Install database schemas
If the DB runs on localhost and you have root access (via the /root/.my.cnf prepared above), you can use
/opt/open-xchange/sbin/initconfigdb --configdb-pass="$(cat /root/.dbpw)" -a
Initial configuration
/opt/open-xchange/sbin/oxinstaller --add-license=YOUR-OX-LICENSE-CODE --servername=oxserver --configdb-pass="$(cat /root/.dbpw)" --master-pass="$(cat /root/.oxpw)" --network-listener-host=localhost --servermemory 1024
servername is more like a cluster name and must be the same on all nodes.
servermemory should be adjusted to reflect the expected number of concurrent active sessions; the sizing assumption is 4 MB per session.
network-listener-host=localhost is fine for the all-in-one node, where Apache proxies to the backend locally; in a clustered setup the listener must be reachable from the Apache / load-balancer nodes.
Start the service:
systemctl restart open-xchange
Registering stuff
Register the "server" (the servername given to oxinstaller):
/opt/open-xchange/sbin/registerserver -n oxserver -A oxadminmaster -P "$(cat /root/.oxpw)"
And the filestore:
/opt/open-xchange/sbin/registerfilestore -A oxadminmaster -P "$(cat /root/.oxpw)" -t file:/var/opt/filestore -s 1000000 -x 1000000
And the database:
/opt/open-xchange/sbin/registerdatabase -A oxadminmaster -P "$(cat /root/.oxpw)" -n oxdb -p "$(cat /root/.dbpw)" -m true
Configure Apache
Create the config files /etc/apache2/conf-enabled/proxy_http.conf and /etc/apache2/sites-enabled/000-default.conf by copy-pasting as explained in AppSuite:Open-Xchange_Installation_Guide_for_Debian_8.0#Configure_services.
Make sure you are using mpm_event. Apply the concurrent-connections tuning described in Tune_apache2_for_more_concurrent_connections.
Enable the required modules and restart:
a2enmod proxy proxy_http proxy_balancer expires deflate headers rewrite mime setenvif lbmethod_byrequests
systemctl restart apache2
Provision a Test User
Provision a sample context and user. The master credentials are the ones set with oxinstaller (/root/.oxpw); the context admin and the test user get the throwaway password "secret", which is acceptable for a test context only:
/opt/open-xchange/sbin/createcontext -c 1 -A oxadminmaster -P "$(cat /root/.oxpw)" -N localdomain -u oxadmin -d "Admin User" -g Admin -s User -p secret -e oxadmin@localdomain -q 100 --access-combination-name groupware_premium
/opt/open-xchange/sbin/createuser -c 1 -A oxadmin -P secret -u testuser -d "Test User" -g Test -s User -p secret -e testuser@localdomain --access-combination-name groupware_premium
Context_Preprovisioning#Sample_Script provides an example of how to provision a huge number of contexts quickly in fast mode.