Forum OpenACS Development: OpenACS 4.6 Install Doc Changes

Posted by Vinod Kurup on
I've been making some changes to the install docs and I wanted to float them here for approval before I commit.

Changes:

  • Install PG 7.2.3
  • Install OpenFTS 0.3.1
  • Lots of AOLserver changes
    • Made nsd binaries owned by root so that they can't be moved/hacked by someone who exploits aolserver.
    • Got rid of the nsadmin user and instead run AOLserver as '-u nobody -g web'
    • Moved webroot into the user's home directory
    • Moved the error and access logs into user's home directory
    • Small adjustments in nsd.tcl to accommodate these changes
  • Updated PG backup script
  • Lots of other minor cleanup

The new docs are temporarily on my home server at http://66.108.4.52:8000/doc/unix-install.html. Please ignore the fact that it still says OpenACS 4.5 in most places. This is easily changeable thanks to Roberto's work on the DocBook files, but I was too lazy to change it yet 😊

Thanks to Pascal Scheffers for pointing out some of the AOLserver security issues to me. He hasn't seen these changes yet, so all errors are completely mine. I would like feedback, but I probably don't have time to make wholesale changes at the moment (this has taken me a while to get it to this point). If I don't hear a lot of negative feedback, I'll commit this over the next couple days.

Posted by Dan Wickstrom on
Vinod, for version 4.6 of openacs, the recommended version of openfts will be version 0.3.2. I'm going to try and release it today, provided that sourceforge is done with their big data move.
Posted by Vinod Kurup on
Thanks Dan,

I've updated the docs to install version 0.3.2. A couple minor things...

* The AOLSERVER.INSTALL file says to 'cp fts.so [aolserver bin directory]', but it should be nsfts.so.

* The configure script doesn't seem to pick up the Tcl headers on a standard Debian install (/usr/lib/tcl8.3). It's easy enough to add a --with-tcl argument, but it would be nice if that was picked up automatically.

* The openfts-driver package still has a param 'openfts_tcl_src_path' that I believe is obsolete now, right?

Thanks again!

Posted by Dan Wickstrom on
Argh! Oh well, the typo will have to stand until I do another release.

The code for locating the tcl lib location is located in some m4 macros that I lifted from somewhere, so I'm not too familiar with it. But it should be set up to deal with the standard locations for tcl installations. With aolserver going to using stock tcl distros, it will be necessary for a lot of people to use the --with-tcl flag anyway, but I will try and fix it in the next release. My testing showed that the configure script would pick up a tcl installation in /usr/local, so I'm surprised that it didn't pick it up in /usr/lib. When you say /usr/lib/tcl8.3 are you referring to a directory? Where is the tclConfig.sh file located relative to that directory? For now, if you could put a comment about using the --with-tcl flag, I would appreciate it.

The openfts-driver package still uses the openfts_tcl_src_path parameter, so it stays.

Posted by Jade Rubick on
Vinod, would you mind including a short section on what you should do if upgrading from OpenACS 4.5?
Posted by Vinod Kurup on
> when you say /usr/lib/tcl8.3 are you referring to a directory? Where is the tclConfig.sh file located relative to that directory?

Yup - /usr/lib/tcl8.3 is a directory and tclConfig.sh is inside it (/usr/lib/tcl8.3/tclConfig.sh)

> For now, if you could put a comment about using the --with-tcl flag, I would appreciate it.

Will do.

> The openfts-driver package still uses the openfts_tcl_src_path parameter, so it stays.

When I installed 0.3.1, I forgot to update the parameter but the installation still worked and searching seemed to work fine, so I thought it was no longer needed. Maybe I was just lucky? I'll update the docs to make sure that the user updates the parameter then.

Posted by Dan Wickstrom on
If you untarred openfts in the /usr/local directory, then I think you would get lucky.

I looked at the m4 macro for finding the tclConfig.sh file, and it doesn't look in /usr/lib anything.  Basically it does the following:

1. Checks for --with-tcl and uses that if set.
2. Checks the following for a private tcl install:

../tcl
`ls -dr ../tcl[[8-9]].[[0-9]]* 2>/dev/null`
../../tcl
`ls -dr ../../tcl[[8-9]].[[0-9]]* 2>/dev/null`
../../../tcl
`ls -dr ../../../tcl[[8-9]].[[0-9]]* 2>/dev/null`

(it's just walking up the directory tree looking for a plain or versioned tcl dir)

3. Then it checks a few common locations:

/usr/local/lib

and

${prefix}/lib

4. Checks relative to ${srcdir}

${srcdir}/../tcl

and

`ls -dr ${srcdir}/../tcl[[8-9]].[[0-9]]* 2>/dev/null`

If it's not found, exit with error.

I'll look around and see if there is a more up to date version of the tcl.m4 macro file that includes things like /usr/lib and so forth. It doesn't look too hard to fix, so I'll modify it if I can't find a new macro file that works.

Anybody else have a different install directory (standard for other distros like suse, mandrake, etc.)?
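
The search order described in the post above, written out as an added shell example (not the tcl.m4 macro itself and not code from the post). It assumes a directory counts as a hit when it contains tclConfig.sh; `tcl_candidates` and `find_tclconfig` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: the search order from the post as shell functions.
# Assumption: a directory is a hit when it contains tclConfig.sh.

# tcl_candidates PREFIX SRCDIR
# Prints the directories tried when --with-tcl is not given, in order.
tcl_candidates() {
    prefix=$1 srcdir=$2
    for up in .. ../.. ../../..; do        # step 2: private tcl installs
        echo "$up/tcl"
        ls -dr "$up"/tcl[8-9].[0-9]* 2>/dev/null || :
    done
    echo /usr/local/lib                    # step 3: common locations
    echo "$prefix/lib"
    echo "$srcdir/../tcl"                  # step 4: relative to srcdir
    ls -dr "$srcdir"/../tcl[8-9].[0-9]* 2>/dev/null || :
}

# find_tclconfig WITH_TCL PREFIX SRCDIR
# Prints the directory that would be used; returns 1 if none qualifies.
find_tclconfig() {
    if [ -n "$1" ]; then                   # step 1: --with-tcl wins
        # Assumed here: an explicit path without tclConfig.sh is an error.
        [ -f "$1/tclConfig.sh" ] || return 1
        echo "$1"
        return 0
    fi
    hit=$(tcl_candidates "$2" "$3" | while IFS= read -r dir; do
        if [ -f "$dir/tclConfig.sh" ]; then echo "$dir"; break; fi
    done)
    [ -n "$hit" ] && echo "$hit"
}

# From a build directory with no tcl tree nearby this reports a miss, even
# if /usr/lib/tcl8.3/tclConfig.sh exists, because /usr/lib/tcl* is not tried.
find_tclconfig "" /usr . || echo "tclConfig.sh not found; use --with-tcl" >&2
```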

Posted by Luigi Martini on
I've been trying to install OpenACS 4.5 for months, and yet I could not reach the final point.
Hopefully the 4.6 instructions will be easier for me to follow.
What I ask you here is: would it be possible to include a chapter devoted to clean previous installations and start from scratch?
Otherwise I would probably be forced to reformat the entire disk and reinstall all linux (which took me weeks + a miracle to install), set an internet connection (which took days and yet I do not know how it works) and so on.
Posted by Vinod Kurup on
Jade and Luigi,

I'll try to make the changes that you suggest, but I can't guarantee a timeline. If anyone can help, it would be appreciated.

In the meantime, everything that I know about upgrading is in these two threads: https://openacs.org/forums/message-view?message_id=32581 and https://openacs.org/forums/message-view?message_id=44983. I did install 4.5, install some packages and add some data and then run the upgrade process to 4.6 and things seemed to work, but I've never actually upgraded a production server, so take it with mounds of salt.

This post describes how I clean an OpenACS 4.5 installation off a server completely (for Debian): https://openacs.org/forums/message-view?message_id=28553

Posted by Andrew Piskorski on
Vinod, I'm not sure precisely why, but the two versions of your Oracle install docs online at openacs.org, /doc/oracle.html and /doc/openacs-4/oracle.html are not the same! I believe /doc/oracle is newer, but there is no way to tell this by looking at the document.

So I pulled the latest version of the doc from CVS (currently rev. 1.8.2.2 in this case), but I still have no good way to know just which old version I was looking at on the website.

Suggestion: All static documents should include both a "Last Revised" date indicating the last time a human being revised the document and substantially changed it (and remembered to update the date), and an embedded CVS "$Id$" tag so we can see precisely what version the document is. Of the two, the CVS Id tag is more important, but I think it's worth having both.

Posted by Vinod Kurup on
Hi Andrew,

How did you find /doc/oracle.html? In any case, both are out-of-date at the moment. There is a CVS ID tag on both documents, but it's at the bottom of the doc. Is that sufficient?

I know Jeff mentioned that he might set up a cronjob to regenerate the docs, but I'm not sure if he's done this yet. If not, I agree with him that it is a great idea!!

As an update, I have committed all the changes that I mentioned above. I also added a change that Jeff and Roberto suggested (I think?) to include a link back to the openacs.org website on all doc pages. That way, comments on locally installed pages can easily be placed on the openacs.org website. Of course, the version of the docs that is *actually* living on the openacs.org website should not have this link, cuz it would just be confusing. So, that part of the XSL stylesheet should be commented out on openacs.org.

Posted by Andrew Piskorski on
To get to /doc/oracle.html, from openacs.org, click on Documentation for this Installation of OpenACS, Unix Installation Guide, Install Oracle 8.1.7, and there you are.

CVS Id tag at the bottom? There is? Ah... Yes, sorry, you are correct, I missed it. It's in a somewhat odd location though, a bit hard to spot. It would be better in either the header or footer of the document, or both. I personally like putting it in the lower right corner of the footer, but as long as it's consistent I don't see any real difference. But the very most important thing is that it's there, somewhere - which you'd already done.

Posted by Michael Bluett on
I am planning on putting OpenACS and AOLServer on a shared server (Hatters Cooperative), and am interested in setting the server up on the box as safely as I can, with as little future maintenance as possible.
  • I will be running multiple instances of AOLServer (using Jerry Asher's virtual hosting patch). I believe that means running AOLServer 3.3+ad13.
  • We still need to have the server running as web? I'll create a separate user for each server and have them all as members of a renamed "web" group (the group of the log and server directories according to the AOLServer guide). I will also need to change the group of where the socket files (for virtual hosting) live to "web".
  • AOLServer maintenance docs suggests I shouldn't worry about rolling the server log (not the access log) in normal use. This thread features people that have worried about server log rolling.
  • Should I be worried enough to use SSL (scottg's site) for logins for my personal sites? It doesn't appear that OpenACS.org uses it.
Does anyone have any other suggestions? Thanks in advance.
Posted by Andrew Piskorski on
Michael,

You certainly should roll the server log as well as the access log, unless you want it to grow enormous and eventually fill up your disk. I'm not sure what you mean by "worry about". Rolling the log is very easy, you might as well do it. Use ns_logroll - see this thread, but basically, just do something like this:

ns_schedule_daily 00 00 ns_logroll

Using nsopenssl isn't that hard, so I'd use it at least for logging into any OpenACS account with admin privileges. But it's up to you. How much security do you want? Plus if you don't have the general public using SSL, you might as well just save some money and use a self-signed cert.

You don't "need" to have any particular scheme for what unix user and group AOLserver runs as, you just have to come up with something that meets your needs. In the OpenACS world, I believe nsadmin/web is still the most common. I believe both AOLserver 3.3+ad13 and 3.4.x (don't know about 3.5 and 4.0) still have a bug where non-default unix group memberships are not honored, but I don't remember the details - search the BBoard, it's all in here somewhere.

Preferably, if AOLserver runs as user nsadmin then nsadmin should not have write access to the AOLserver binaries or anything else it doesn't really need write access to, but most people don't worry about that. (And those people will be in worse shape if their AOLserver gets cracked.)
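
A way to check the write-access point made above, and the root-owned nsd binaries from the first post, as an added shell example that is not code from the thread. The function names, the users and the demo tree are assumptions; the check is deliberately conservative and flags any group- or world-writable path.

```shell
#!/bin/sh
# Added example: audit an AOLserver install tree. Users and paths are assumed.

# list_weak_paths DIR OWNER
# Prints every file or directory under DIR that someone other than OWNER
# could modify: not owned by OWNER, or writable by group or other.
list_weak_paths() {
    find "$1" ! -type l \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# audit_install DIR OWNER RUN_USER
# Returns 0 if the tree is clean, 1 if anything is weak, 2 if DIR is missing.
audit_install() {
    dir=$1 owner=$2 run_user=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if [ "$owner" = "$run_user" ]; then
        echo "server runs as $run_user, which owns its own binaries" >&2
        return 1
    fi
    weak=$(list_weak_paths "$dir" "$owner")
    [ -z "$weak" ] && return 0
    # Show owner, group and mode of each offending path.
    printf '%s\n' "$weak" | while IFS= read -r p; do
        ls -ld "$p" >&2
    done
    return 1
}

# Constructed demo tree (not a real install): nsd left group-writable.
demo=$(mktemp -d)
mkdir "$demo/bin" && : > "$demo/bin/nsd"
chmod 755 "$demo" "$demo/bin" && chmod 775 "$demo/bin/nsd"
audit_install "$demo" "$(id -u)" nobody || echo "weak paths found" >&2
rm -rf "$demo"
```

On a real server the call would take the AOLserver install directory, the owner the binaries are meant to have (root in the first post) and the user given to nsd with -u.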

Posted by Bart Teeuwisse on

Michael,

Dossy recently patched Jerry's virtual hosting for AOLserver 3.5.1. You can download it from aolserver.sourceforge.net. Dossy's message as posted on the AOLserver list:

Everyone,

After thorough testing, I've finally committed the changes 
to nsvhr and nsunix which originated from Jerry Asher's 
excellent work on these two modules for the AOLserver 3.3.x 
core, which I reviewed and pared down to the minimal changes
and have tested against the AOLserver 3.5.x core.

There are no AOLserver core changes required to use nsvhr 
and nsunix now. nsvhr and nssock should also continue to 
work just fine.

The changes have been checked in and tagged as nsvhr3_5 and 
nsunix3_5.

Any feedback is certainly welcome,

-- Dossy 

Some OpenACS sites do use SSL. Seven Sisters Trading (www.7-sisters.com) is a good example. This eCommerce site uses the ecommerce package, which requires SSL to secure the checkout process.

Be aware that you can secure only one site with SSL if you are combining SSL and virtual hosting.

/Bart

Posted by Randy O'Meara on
Hi All.

Did Vinod's updated 4.6 install document make it to a place where it may be downloaded/accessed?

Also, does /new-file-storage here at OpenACS.org work for you? Since the site migration, every time I try to access it, I get thrown back to the logon/reg page.

Randy

Posted by Vinod Kurup on
Hi Randy,

Unfortunately, my dynamic IP has changed (that's redundant); the new link is http://66.65.107.38:8000/doc/unix-install. My changes are also in OpenACS 4.6 which is available in the openacs 4.6 beta tarball. Once it's released as final, I'm sure we'll make the docs available at https://openacs.org/doc

Going to /new-file-storage asks you to register/login because it's redirecting to the old openacs server. Once you login, it will show you the documents

Posted by Randy O'Meara on
Thank you, Vinod.

Your docs were helpful.

The redirect to /new-file-storage does not act as you suggest (and I would expect). Even after providing login credentials, I'm returned to the register/login page. I believe something else is happening here. It used to work for me before the site migration.

Randy

Posted by Brad Duell on
After providing your login credentials, what happens if you close your browser window and re-visit the new-file-storage?
Posted by Randy O'Meara on
I am directed to https://openacs.org/register/index.tcl with a return_url of new-file-storage.
Posted by Randy O'Meara on
A little more info:

I cleared all cookies and cached content from my browser and closed the browser.

I then launched the browser and tried /new-file-storage directly (no login to openacs.org first). I was directed to the register/login page at sdm.openacs.org. When I entered my credentials, I was allowed access to /new-file-storage.

I then went back to openacs.org and was directed to the register/login page. When I entered my credentials, I was allowed access to openacs.org.

However, now when I try to access /new-file-storage, I'm directed to the (endless loop) register/login page at sdm.openacs.org.

Posted by Chris Johnson on

Very cool work Vinod!

Your research on fixing some of the documented ways of installing AOLserver (e.g. user perms etc.) contributed to my construction of the gentoo aolserver-4.0b2 package.

See this thread.

--Chris