Difference between revisions of "Enterprise Linux GIS"

From OSGeo
(Introduce HOW TO GeoServer)
Line 140: Line 140:
  
 
These two files are registered in svn:ignore and can typically be automatically generated by scripts or a build framework.
 
These two files are registered in svn:ignore and can typically be automatically generated by scripts or a build framework.
 +
 +
== HowTo Install GeoServer 2.0 on Tomcat 5 (standard packages) ==
 +
This how-to goes through the various steps required to have GeoServer 2.0 running as a Java web application inside the standard Tomcat 5 container.
 +
 +
=== Basic install (with base OpenJdk) ===
 +
* Install the required packages
 +
sudo yum install java-1.6.0-openjdk-devel tomcat5
 +
* (optional) Install tomcat-native frop EPEL
 +
sudo yum install tomcat-native
 +
* Download GeoServer
 +
cd ~/Downloads
 +
wget http://downloads.sourceforge.net/project/geoserver/GeoServer/2.0.2/geoserver-2.0.2-war.zip?&use_mirror=mesh
 +
* Unpack to Tomcat webapps
 +
cd /var/lib/tomcat5/webapps/
 +
sudo unzip ~/Downloads/geoserver-2.0.2-war.zip geoserver.war
 +
* Create a separate data directory
 +
sudo mkdir -p /var/lib/geoserver
 +
cd /var/lib/geoserver
 +
sudo jar -xvf /var/lib/tomcat5/webapps/geoserver.war data
 +
sudo chown -R tomcat.tomcat /var/lib/geoserver
 +
* Update /etc/tomcat/tomcat5.conf to add the recommended Java settings and to point to the data directory. You can increase/decrease the maximum memory allocated to Java with the -Xmx flag (-Xms is the initial allocation):
 +
# Geoserver recommended
 +
# http://docs.geoserver.org/stable/en/user/production/container.html
 +
JAVA_OPTS="-showversion -server -Xmx512m -Xms64m -XX:SoftRefLRUPolicyMSPerMB=36000 -XX:MaxPermSize=128m -XX:+UseParallelGC"
 +
JAVA_OPTS="$JAVA_OPTS -DGEOSERVER_DATA_DIR=/var/lib/geoserver/data"
 +
* Add an AJP proxy in the Apache configuration (e.g. in /etc/httpd/conf.d/geoserver.conf)
 +
<Location /geoserver/>
 +
ProxyPass  ajp://localhost:8009/geoserver/
 +
# Uncomment to forbid non ssl access
 +
#RequireSSL
 +
</Location>
 +
* (optional) If using SELinux, allow the proxying by setting the appropriate boolean
 +
setsebool -P httpd_can_network_connect=1
 +
* Start Tomcat
 +
sudo /sbin/service tomcat5 start
 +
* (optional) You can tail Tomcat logs to make sure that it is starting properly
 +
tail -500f /var/log/tomcat5/catalina.out
 +
* Restart Apache
 +
sudo /sbin/service httpd restart
 +
* Visit http://yourhost.org/geoserver/
 +
* Log in as admin (default password is 'geoserver')
 +
 +
=== With Sun/Oracle JRE and JAI native (recommended by GeoServer) ===
 +
GeoServer documentation [http://docs.geoserver.org/stable/en/user/production/java.html recommends] to use a Sun/Oracle JRE with the JAI and JAI-ImageIO native extensions. There was an obvious performaince gain inthe tile generation by doing so
 +
 +
* Download in install Sun/Oracle JDK in /opt (a JRE should be enough)
 +
* Hack the /usr/bin/dtomcat5 script to add an explicit reference to Sun/Oracle JDK at the beginning (did not find any better way neither through /etc/tomcat5/tomcat5.conf nor /etc/init.d/tomcat5 nor the alternatives system, ideas welcome...)
 +
...
 +
JAVA_HOME=/opt/jdk1.6.0_21
 +
...
 +
* Go into the Sun JDK directory:
 +
cd /opt/jdk1.6.0_21
 +
* Dowload and install JAI from https://jai.dev.java.net/binary-builds.html:
 +
sudo sh ~/Downloads/jai-1_1_3-lib-linux-amd64-jdk.bin
 +
* Dowload JAI-ImageIO from https://jai-imageio.dev.java.net/binary-builds.html.
 +
* Note: On x86_64 the archive of JAI-ImageIO to download as of 1.1 is corrupted, fix it with the command below and run the fixed archive (thanks to http://jgrasstechtips.blogspot.com/2009/07/jai-tail-cannot-open-215-for-reading-no.html for the tip)
 +
sed s/+215/-n+215/ jai_imageio-1_1-lib-linux-amd64-jdk.bin > jai_imageio-1_1-lib-linux-amd64-jdk-fixed.bin
 +
* Install JAI-ImageIO
 +
sudo sh ~/Downloads/jai_imageio-1_1-lib-linux-amd64-jdk-fixed.bin
 +
* Restart Tomcat
 +
sudo /sbin/service tomcat5 restart
 +
* Visit your GeoServer status page in order to make sure that native JAI is taken into account
 +
 +
=== LDAP Authentication (experimental) ===
 +
This will allow you to have you user referential in LDAP (tested with base CentOS 5 openldap-servers).
 +
Your users need to be inetOrgPerson under ou=People,dc=my_org,dc=org
 +
Your GeoServer administrators need to belong to the cn=administrator,ou=Roles,dc=my_org,dc=org role:
 +
dn: cn=administrator,ou=Roles,dc=my_org,dc=org
 +
objectClass: top
 +
objectClass: groupOfNames
 +
cn: administrator
 +
member: uid=mbaudier,ou=People,dc=my_org,dc=org
 +
Other roles can be defined similarly under ou=Roles,dc=argeo,dc=org, and should be added mnaually when defining rules in GeoServer. You can of course adapt the following configuration with your specific LDAP settings.
 +
 +
Caveats:
 +
* the list of users won't be properly displayed in GeoServer.
 +
* as usual with autentication via HTTP make sure that users are using SSL (https://) when they authenticate, otherwise their credentials will be sent in clear. If you want to mix public with private data and stay compatible with client which don't support HTTPS, this is not necessarily easy.
 +
 +
Procedure:
 +
* Extract applicationContextSecurity.xml from the main-jar (in /var/lib/tomcat5/webapps/geoserver/WEB-INF/lib/)
 +
* Copy it to /var/lib/tomcat5/webapps/geoserver/WEB-INF/
 +
* Add the following at the beginning of the applicationContextSecurity.xml file (after the <beans> tag)
 +
<pre>
 +
<beans>
 +
<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
 +
<constructor-arg value="ldap://my_ldap_server:389/dc=my_org,dc=org" />
 +
<!--<property name="managerDn" value="mydomain\myuser" /> <property name="managerPassword"
 +
value="mypasswd" /> -->
 +
</bean>
 +
 +
<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
 +
<constructor-arg index="0">
 +
<value>ou=People</value>
 +
</constructor-arg>
 +
<constructor-arg index="1">
 +
<value>(uid={0})</value>
 +
</constructor-arg>
 +
<constructor-arg index="2">
 +
<ref local="initialDirContextFactory" />
 +
</constructor-arg>
 +
<property name="searchSubtree">
 +
<value>false</value>
 +
</property>
 +
</bean>
 +
<bean id="ldapAuthenticationProvider"
 +
class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
 +
<constructor-arg>
 +
<bean
 +
class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
 +
<constructor-arg>
 +
<ref local="initialDirContextFactory" />
 +
</constructor-arg>
 +
<property name="userSearch">
 +
<ref local="userSearch" />
 +
</property>
 +
</bean>
 +
</constructor-arg>
 +
<constructor-arg>
 +
<bean
 +
class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
 +
<constructor-arg>
 +
<ref local="initialDirContextFactory" />
 +
</constructor-arg>
 +
<constructor-arg>
 +
<value>ou=Roles</value>
 +
</constructor-arg>
 +
  <property name="groupRoleAttribute">
 +
<value>cn</value>
 +
</property>
 +
<property name="rolePrefix">
 +
<value>ROLE_</value>
 +
</property>
 +
<property name="convertToUpperCase">
 +
<value>true</value>
 +
</property>
 +
</bean>
 +
</constructor-arg>
 +
</bean>
 +
</pre>
 +
* Modify the following section
 +
<pre>
 +
...
 +
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
 +
<property name="providers">
 +
<list>
 +
<ref local="ldapAuthenticationProvider" />
 +
<!-- <ref local="daoAuthenticationProvider" /> -->
 +
...
 +
</pre>
 +
* Modify /var/lib/tomcat5/webapps/geoserver/WEB-INF/web.xml to use WEB-INF/applicationSecurityContext.xml instead of classpath*:/applicationSecurityContext.xml
 +
<pre>
 +
...
 +
    <context-param>
 +
        <param-name>contextConfigLocation</param-name>
 +
        <param-value>classpath*:/applicationContext.xml WEB-INF/applicationSecurityContext.xml</param-value>
 +
    </context-param>
 +
...
 +
</pre>
 +
* Restart Tomcat
 +
sudo /sbin/service tomcat5 restart
 +
 +
Thanks to http://jira.codehaus.org/browse/GEOS-3778 for the tip.
  
 
= Historical Reference =
 
= Historical Reference =
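Review bot: in the LDAP procedure, the extract step and the "Add the following" step name applicationContextSecurity.xml, while the web.xml step and its param-value use applicationSecurityContext.xml; use one name throughout, otherwise the edited copy in WEB-INF/ is not the file the context loads. In the Apache Location block, the commented "#RequireSSL" should be "#SSLRequireSSL", the mod_ssl directive, so that uncommenting it does not stop httpd from starting. The wget line needs its URL quoted, since the unquoted "&" ends the command there and backgrounds it. The "Log in as admin" step should tell the reader to change the default 'geoserver' password right after the first login, and the "Other roles" paragraph still says dc=argeo,dc=org where the rest of the section uses dc=my_org,dc=org.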

Revision as of 23:35, 28 September 2010

This page gathers links and information about running FLOSS GIS software on Enterprise Linux (shortened EL hereafter) and derivatives, that is Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux.

EL is a popular and robust platform for servers and computing-heavy workstations, and is therefore a good fit for the specific requirements of GIS.

The mailing list el@lists.osgeo.org is used for communication (with an online archive).

Useful repositories for GIS software

  • EPEL is an official Fedora project which repackages many Fedora packages that are not part of the standard EL distribution. It contains quite a few GIS packages and base libraries. Note that one of the rules for packages maintained in EPEL is that they should never require changes to the base EL distribution.
  • ELGIS repository maintains versions of packages which cannot be maintained in EPEL. This is where our packaging effort currently takes place. It requires EPEL to be configured as a repository.
  • PostgreSQL RPM Building Project maintains many versions of the PostgreSQL database as well as PostGIS packages

One goal is also to integrate well with Debian GIS with regards to the versions maintained (see their Packages Thermometer) in order to improve interoperability.

Packages Status Summary

Detailed package lists for ELGIS are available here: http://elgis.argeo.org

| Package | Version (stable) | Version (testing) | Repository | Comment |
|---|---|---|---|---|
| gdal | 1.7.2 | | elgis | built against postgresql84 |
| geos | 3.2.2 | | elgis | |
| gpsbabel | 1.3.3 | | epel | |
| grass | 6.4.0 | | elgis | no NVIZ and digitizer in the wxPython UI (has been removed from upstream, use -tcltk UI; scheduled for 6.4.1) |
| mapserver | 5.6.5 | | elgis | |
| osm2pgsql | 0.1.20100821svn | | elgis | built against postgresql84 |
| pgrouting | 1.03 | | elgis | built against postgresql84 |
| postgis | 1.5.1 | 1.5.2 | elgis | built against postgresql84 |
| proj | 4.7.0 | | elgis | |
| qgis | 1.4.0 | | elgis-plus | Python plugins not working, probably requires a higher version of Python |

How To

How to enable the ELGIS repository

sudo rpm -Uvh http://elgis.argeo.org/repos/5/elgis-release-5-5_0.noarch.rpm
  • If you want to install QGIS, edit the /etc/yum.repos.d/elgis.repo file and enable 'elgis-plus'. WARNING: this updates the base distribution

How to hack and locally build the ELGIS packages

For the time being, the ELGIS packages (that is, those not maintained by EPEL) are versioned by and distributed through argeo.org.

You can see the currently versioned packages here:

Note: simply accept the self-signed certificate

You can checkout all the packages:

svn co https://projects.argeo.org/elgis/svn/factory/trunk/rpmbuild rpms

Or one by one, for example:

svn co https://projects.argeo.org/elgis/svn/factory/trunk/rpmbuild/elgis/gdal gdal

Each package directory follows the directory structure expected by rpmbuild (see how to set an rpmbuild environment).

We version only the spec files (under <package name>/SPECS/<package name>.spec) and the patches or some light sources (under <package name>/SOURCES). The source packages of the underlying libraries need to be downloaded into the SOURCES directory.

Please send patches to the spec files to the el@lists.osgeo.org mailing-list.

In order to actually build, you can then configure %_topdir in your ~/.rpmmacros file to point to where you checked out a package, for example:

%_topdir %(echo $HOME)/dev/rpmbuild
%rhel 5
%packager Mathieu Baudier <mbaudier@argeo.org>
%dist .el5.elgis

A more persistent alternative is to have the two following files in each package directory:

  • <package directory>/rpmrc
include: /usr/lib/rpm/rpmrc
macrofiles: /usr/lib/rpm/macros:/usr/lib/rpm/ia32e-linux/macros:/usr/lib/rpm/redhat/macros:/etc/rpm/macros.*:/etc/rpm/macros:/etc/rpm/ia32e-linux/macros:~/.rpmmacros:<package directory>/rpmmacros

(note the ':<package directory>/rpmmacros' appended at the end of the macrofiles line)

  • <package directory>/rpmmacros
%_topdir <package directory>
%rhel 5
%packager Mathieu Baudier <mbaudier@argeo.org>
%dist .el5.argeo

And then call rpmbuild as follows:

cd <package directory>
rpmbuild --rcfile=rpmrc -ba SPECS/<package name>.spec

These two files are registered in svn:ignore and can typically be automatically generated by scripts or a build framework.

HowTo Install GeoServer 2.0 on Tomcat 5 (standard packages)

This how-to goes through the various steps required to have GeoServer 2.0 running as a Java web application inside the standard Tomcat 5 container.

Basic install (with base OpenJdk)

  • Install the required packages
sudo yum install java-1.6.0-openjdk-devel tomcat5
  • (optional) Install tomcat-native from EPEL
sudo yum install tomcat-native
  • Download GeoServer
cd ~/Downloads
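# Quote the URL so the shell does not treat '&' as "run in background", and name the output file explicitly
wget -O geoserver-2.0.2-war.zip 'http://downloads.sourceforge.net/project/geoserver/GeoServer/2.0.2/geoserver-2.0.2-war.zip?&use_mirror=mesh'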
  • Unpack to Tomcat webapps
cd /var/lib/tomcat5/webapps/
sudo unzip ~/Downloads/geoserver-2.0.2-war.zip geoserver.war
  • Create a separate data directory
sudo mkdir -p /var/lib/geoserver
cd /var/lib/geoserver
sudo jar -xvf /var/lib/tomcat5/webapps/geoserver.war data
sudo chown -R tomcat:tomcat /var/lib/geoserver
  • Update /etc/tomcat5/tomcat5.conf to add the recommended Java settings and to point to the data directory. You can increase/decrease the maximum memory allocated to Java with the -Xmx flag (-Xms is the initial allocation):
# Geoserver recommended
# http://docs.geoserver.org/stable/en/user/production/container.html
JAVA_OPTS="-showversion -server -Xmx512m -Xms64m -XX:SoftRefLRUPolicyMSPerMB=36000 -XX:MaxPermSize=128m -XX:+UseParallelGC"
JAVA_OPTS="$JAVA_OPTS -DGEOSERVER_DATA_DIR=/var/lib/geoserver/data"
  • Add an AJP proxy in the Apache configuration (e.g. in /etc/httpd/conf.d/geoserver.conf)
<Location /geoserver/>
	ProxyPass  ajp://localhost:8009/geoserver/
	# Uncomment to forbid non ssl access
	#SSLRequireSSL
</Location>
  • (optional) If using SELinux, allow the proxying by setting the appropriate boolean
setsebool -P httpd_can_network_connect=1
  • Start Tomcat
sudo /sbin/service tomcat5 start
  • (optional) You can tail Tomcat logs to make sure that it is starting properly
tail -500f /var/log/tomcat5/catalina.out
  • Restart Apache
sudo /sbin/service httpd restart
  • Visit http://yourhost.org/geoserver/
  • Log in as admin (default password is 'geoserver')

With Sun/Oracle JRE and JAI native (recommended by GeoServer)

GeoServer documentation recommends using a Sun/Oracle JRE with the JAI and JAI-ImageIO native extensions. There was an obvious performance gain in the tile generation by doing so.

  • Download and install the Sun/Oracle JDK in /opt (a JRE should be enough)
  • Hack the /usr/bin/dtomcat5 script to add an explicit reference to the Sun/Oracle JDK at the beginning (did not find any better way, whether through /etc/tomcat5/tomcat5.conf, /etc/init.d/tomcat5 or the alternatives system, ideas welcome...)
...
JAVA_HOME=/opt/jdk1.6.0_21
...
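  • Go into the Sun JDK directory:
cd /opt/jdk1.6.0_21
  • Download and install JAI from https://jai.dev.java.net/binary-builds.html:
sudo sh ~/Downloads/jai-1_1_3-lib-linux-amd64-jdk.bin
  • Download JAI-ImageIO from https://jai-imageio.dev.java.net/binary-builds.html.
  • Note: on x86_64 the archive of JAI-ImageIO to download as of 1.1 is corrupted; fix it with the command below and run the fixed archive (thanks to http://jgrasstechtips.blogspot.com/2009/07/jai-tail-cannot-open-215-for-reading-no.html for the tip)
# Read the downloaded archive from ~/Downloads and write the fixed copy next to it
sed 's/+215/-n+215/' ~/Downloads/jai_imageio-1_1-lib-linux-amd64-jdk.bin > ~/Downloads/jai_imageio-1_1-lib-linux-amd64-jdk-fixed.bin
  • Install JAI-ImageIO
sudo sh ~/Downloads/jai_imageio-1_1-lib-linux-amd64-jdk-fixed.bin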
  • Restart Tomcat
sudo /sbin/service tomcat5 restart
  • Visit your GeoServer status page in order to make sure that native JAI is taken into account

LDAP Authentication (experimental)

This lets you keep your user directory in LDAP (tested with base CentOS 5 openldap-servers). Your users need to be inetOrgPerson entries under ou=People,dc=my_org,dc=org. Your GeoServer administrators need to belong to the cn=administrator,ou=Roles,dc=my_org,dc=org role:

dn: cn=administrator,ou=Roles,dc=my_org,dc=org
objectClass: top
objectClass: groupOfNames
cn: administrator
member: uid=mbaudier,ou=People,dc=my_org,dc=org

Other roles can be defined similarly under ou=Roles,dc=my_org,dc=org, and should be added manually when defining rules in GeoServer. You can of course adapt the following configuration to your specific LDAP settings.

Caveats:

  • the list of users won't be properly displayed in GeoServer.
  • As usual with authentication via HTTP, make sure that users are using SSL (https://) when they authenticate, otherwise their credentials will be sent in clear. If you want to mix public with private data and stay compatible with clients which don't support HTTPS, this is not necessarily easy.

Procedure:

  • Extract applicationSecurityContext.xml from the main jar (in /var/lib/tomcat5/webapps/geoserver/WEB-INF/lib/)
  • Copy it to /var/lib/tomcat5/webapps/geoserver/WEB-INF/
  • Add the following at the beginning of the applicationSecurityContext.xml file (after the <beans> tag)
 <beans>
 	<bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
 		<constructor-arg value="ldap://my_ldap_server:389/dc=my_org,dc=org" />
 		<!--<property name="managerDn" value="mydomain\myuser" /> <property name="managerPassword" 
 			value="mypasswd" /> -->
 	</bean>
 
 	<bean id="userSearch" class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">
 		<constructor-arg index="0">
 			<value>ou=People</value>
 		</constructor-arg>
 		<constructor-arg index="1">
 			<value>(uid={0})</value>
 		</constructor-arg>
 		<constructor-arg index="2">
 			<ref local="initialDirContextFactory" />
 		</constructor-arg>
 		<property name="searchSubtree">
 			<value>false</value>
 		</property>
 	</bean>
 	<bean id="ldapAuthenticationProvider"
 		class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
 		<constructor-arg>
 			<bean
 				class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
 				<constructor-arg>
 					<ref local="initialDirContextFactory" />
 				</constructor-arg>
 				<property name="userSearch">
 					<ref local="userSearch" />
 				</property>
 			</bean>
 		</constructor-arg>
 		<constructor-arg>
 			<bean
 				class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
 				<constructor-arg>
 					<ref local="initialDirContextFactory" />
 				</constructor-arg>
 				<constructor-arg>
 					<value>ou=Roles</value>
 				</constructor-arg>
  				<property name="groupRoleAttribute">
 	 				<value>cn</value>
 				</property>
 				<property name="rolePrefix">
 					<value>ROLE_</value>
 				</property>
 				<property name="convertToUpperCase">
 					<value>true</value>
 				</property>
 			</bean>
 		</constructor-arg>
 	</bean>
  • Modify the following section
 ...
 	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
 		<property name="providers">
 			<list>
 				<ref local="ldapAuthenticationProvider" />
 				<!-- <ref local="daoAuthenticationProvider" /> -->
 ...
  • Modify /var/lib/tomcat5/webapps/geoserver/WEB-INF/web.xml to use WEB-INF/applicationSecurityContext.xml instead of classpath*:/applicationSecurityContext.xml
 ...
     <context-param>
         <param-name>contextConfigLocation</param-name>
         <param-value>classpath*:/applicationContext.xml WEB-INF/applicationSecurityContext.xml</param-value>
     </context-param>
 ...
  • Restart Tomcat
sudo /sbin/service tomcat5 restart

Thanks to http://jira.codehaus.org/browse/GEOS-3778 for the tip.
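
The role mapping configured above (groupRoleAttribute cn, rolePrefix ROLE_, convertToUpperCase true), modelled as an added example that is not Acegi or GeoServer code: it shows why cn=administrator under ou=Roles yields ROLE_ADMINISTRATOR and why groups elsewhere in the tree grant nothing. It assumes a (member={0}) group filter and a one-level search under ou=Roles, with simple LDIF and no escaped commas in DNs; the editor group, the ou=Teams entry and the user jdoe are constructed sample data.

```python
# Added example: models how the DefaultLdapAuthoritiesPopulator settings in
# this section turn LDAP group entries into role names. Illustration only.

# Constructed sample directory content, extending the entry shown above.
SAMPLE_LDIF = """\
dn: cn=administrator,ou=Roles,dc=my_org,dc=org
objectClass: top
objectClass: groupOfNames
cn: administrator
member: uid=mbaudier,ou=People,dc=my_org,dc=org

dn: cn=editor,ou=Roles,dc=my_org,dc=org
objectClass: groupOfNames
cn: editor
member: uid=mbaudier,ou=People,dc=my_org,dc=org
member: uid=jdoe,ou=People,dc=my_org,dc=org

dn: cn=administrator,ou=Teams,dc=my_org,dc=org
objectClass: groupOfNames
cn: administrator
member: uid=jdoe,ou=People,dc=my_org,dc=org
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def normalize_dn(dn):
    """Comparison key for a DN: lower case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def roles_for(user_dn, entries, group_base="ou=Roles,dc=my_org,dc=org",
              role_attr="cn", prefix="ROLE_", upper=True):
    """Role names granted to user_dn by groups directly under group_base."""
    base = normalize_dn(group_base)
    user = normalize_dn(user_dn)
    roles = set()
    for entry in entries:
        parent = normalize_dn(entry["dn"][0]).partition(",")[2]
        if parent != base:
            continue  # assumed one-level search: only direct children of ou=Roles
        members = {normalize_dn(m) for m in entry.get("member", [])}
        if user not in members:
            continue  # assumed filter (member={0}) does not match this user
        for value in entry.get(role_attr.lower(), []):
            roles.add(prefix + (value.upper() if upper else value))
    return sorted(roles)
```

Running the same function against an export of your own ou=Roles branch shows which accounts would receive ROLE_ADMINISTRATOR before the LDAP provider is switched on.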

Historical Reference