HOWTO install Enkive 1.3 on CentOS 6.4
From Enkive Wiki
This HOWTO documents step-by-step how to install and configure Enkive 1.3 on CentOS 6.4. (The instructions should work on all versions of CentOS 6 and Red Hat Enterprise Linux 6.x, but they have not been tested on those platforms.)
Before continuing, you should read the official, and generic, installation instructions for Enkive 1.3 at http://wiki.enkive.org/index.php/1.3_Installation_Instructions.
Assumptions: This will be a standalone server that only runs the Enkive email archiver. Any email sent to this machine's postfix (port 25) gets archived. In a production environment you will have to configure your existing mail server(s) to send a copy of each email that comes in to and goes out of your organization to this Enkive server. Configuring your existing mail server(s) to send duplicate emails to Enkive is not covered in this HOWTO.
Contents |
Prerequisites
The files used to install Enkive 1.3. These were the latest available versions at the time of this writing (June 2013):
- enkive-1.3.tar.gz
- jdk-7u21-linux-x64.tar.gz (or jdk-7u21-linux-x64.rpm)
- mongodb-linux-x86_64-2.4.4.tgz
- indri-5.4.tar.gz
- commons-daemon-1.0.15-native-src.tar.gz (do not use an earlier version than 1.0.12 with Enkive 1.3)
The download links are available at http://wiki.enkive.org/index.php/1.3_Installation_Instructions.
Linux operating system:
- CentOS 6.4. Default install from the DVD, except selected "Desktop" package installation. You can customize the partitioning any way you like, but make sure there is enough room in /opt as this HOWTO installs most of the Enkive components in that directory.
Make sure you have at least 10GB (and preferably a lot more) of free space on your machine. MongoDB won't start properly if there's not enough free space.
Preliminary steps
SELinux
Since SELinux is in enforcing mode by default, you will want to set it to permissive while you install and configure Enkive. Modify the line in file /etc/selinux/config so that:
SELINUX=enforcing
becomes
SELINUX=permissive
You can also disable SELinux entirely by changing the line in /etc/selinux/config to:
SELINUX=disabled
You should reboot your server after modifying /etc/selinux/config. You can also switch to permissive mode on the fly with:
setenforce 0
Remember that changing SELinux with "setenforce" does not hold across reboots!
There are notes further down in this document on how to allow Enkive running with SELinux in enforcing mode.
iptables
We recommend leaving iptables temporarily disabled while installing and configuring Enkive. You can do this with:
system-config-firewall-tui
Postfix
Edit /etc/postfix/main.cf so that postfix doesn't just listen on localhost, which is the default behavior. For example, change the line, in /etc/postfix/main.cf:
inet_interfaces = localhost
to
inet_interfaces = all
Now restart Postfix:
/etc/init.d/postfix restart
Development environment
Some of the Enkive-related packages need to be compiled, so get a development environment installed. At minimum, the packages you'll need are:
- gcc
- gcc-c++
- make
- libcap-devel
yum install gcc gcc-c++ make libcap-devel
You can also get a fairly complete development environment by doing:
yum groupinstall "Development Tools" yum groupinstall "Server Platform Development" yum groupinstall "Desktop Platform Development" yum groupinstall "Additional Development"
Java
Unpack the tarball in /opt:
tar zxvf jdk-7u21-linux-x64.tar.gz -C /opt/
Make a symbolic link:
cd /opt/ ln -s jdk1.7.0_21/ java
So, per the Enkive wiki instructions, $JAVA_HOME is: /opt/jdk1.7.0_21 or /opt/java. We'll use /opt/java as the $JAVA_HOME from now on.
You may want to put /opt/java/bin in your path. The typical way to do this on CentOS/RHEL is to modify the $HOME/.bash_profile file. You could modify the line as follows:
PATH=/opt/java/bin:$PATH
This will put Java first in your path. Remember to log out and log back in to update your $PATH variable.
You can also install Java with the rpm:
rpm -Uvh jdk-7u21-linux-x64.rpm
If Java was installed using the rpm, then $JAVA_HOME will be:
/usr/java/jdk1.7.0_21
Jsvc
Note: You must use Jsvc version 1.0.12 (or later) with Enkive 1.3. Earlier versions of Jsvc are not compatible with Enkive 1.3.
For Jsvc, we will compile with the java option and then copy the resulting binary to another directory so that it's in our path. Note that $JAVA_HOME is /opt/java:
tar zxvf commons-daemon-1.0.15-native-src.tar.gz cd commons-daemon-1.0.15-native-src/ cd unix/ ./configure --with-java=/opt/java make cp jsvc /usr/local/bin/
Now "jsvc" is in your path. This is also where the enkive initscript expects to find the jsvc binary.
(To use a bundled openjdk runtime, it may be possible to substitute for the configure step: export JAVA_HOME=/usr/lib/jvm/default-java ; ./configure )
If you installed Java with the RPM, change the "configure" line to:
./configure --with-java=/usr/java/jdk1.7.0_21
Swig
For swig:
yum install swig zlib zlib-devel
If you did a package group installation (ie, yum groupinstall) of the development tools and development libraries, then the swig, zlib, and zlib-devel packages are already installed.
Indri
For indri, we're going to install it in /opt/indri, as the Enkive wiki suggests.
tar zxvf indri-5.4.tar.gz cd indri-5.4/ ./configure --prefix=/opt/indri --enable-java --with-javahome=/opt/java make make install
Note: If you installed Java with the rpm, then the configure line will be:
./configure --prefix=/opt/indri --enable-java --with-javahome=/usr/java/jdk1.7.0_21
MongoDB
For mongodb, unpack it in /opt. Create a symbolic link for it. Create a directory within it (ie, data/db) for the database files.
tar zxvf mongodb-linux-x86_64-2.4.4.tgz -C /opt/ cd /opt/ ln -s mongodb-linux-x86_64-2.4.4/ mongodb cd mongodb/ mkdir -p data/db
Create the initscript for mongodb, and put the following in /etc/init.d/mongodb:
#!/bin/bash # # mongodb Startup script for the mongodb server # # chkconfig: - 60 40 # description: MongoDB Database Server # # processname: mongodb # # Credit for this initscript goes to: http://ewanleith.com/downloads/mongodb.txt, # It has only been slightly modified. # # # Source function library . /etc/rc.d/init.d/functions if [ -f /etc/sysconfig/mongodb ]; then . /etc/sysconfig/mongodb fi prog="mongod" mongod="/opt/mongodb/bin/mongod" RETVAL=0 start() { echo -n $"Starting $prog: " daemon $mongod "--fork --dbpath /opt/mongodb/data/db --logpath /var/log/mongodb.log --logappend 2>&1 >>/var/log/mongodb.log" RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog return $RETVAL } stop() { echo -n $"Stopping $prog: " killproc $prog RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog return $RETVAL } reload() { echo -n $"Reloading $prog: " killproc $prog -HUP RETVAL=$? echo return $RETVAL } case "$1" in start) start ;; stop) stop ;; restart) stop start ;; condrestart) if [ -f /var/lock/subsys/$prog ]; then stop start fi ;; reload) reload ;; status) status $mongod RETVAL=$? ;; *) echo $"Usage: $0 {start|stop|restart|condrestart|reload|status}" RETVAL=1 esac exit $RETVAL
Make the mongodb initscript executable:
chmod 755 /etc/init.d/mongodb
Start mongodb. It may take a minute to start on slower machines:
/etc/init.d/mongodb start
Enkive (and Postfix)
Now unpack the Enkive tarball and put it in /opt. We also create a symbolic link here.
tar zxvf enkive-1.3.tar.gz -C /opt/ cd /opt/ ln -s enkive-1.3/ enkive
Create the Enkive socket filter:
cd /opt/enkive/support/filters/postfix/enkive-socket-filter/ make
This socket filter is now at:
/opt/enkive/support/filters/postfix/enkive-socket-filter/dist/enkive-socket-filter
We'll need the path to it for Postfix.
Edit the /etc/postfix/master.cf file as follows. There's already a line at the top for "smtp". You will add a second line below it for the content filter, and then 3-line filter section.
The top of the master.cf file should look something like this:
smtp inet n - n - - smtpd -o content_filter=filter:dummy filter unix - n n - - pipe flags=Rq user=nobody null_sender= argv=/opt/enkive/support/filters/postfix/enkive-socket-filter/dist/enkive-socket-filter localhost 2527 ${sender} ${recipient}
Restart Postfix:
/etc/init.d/postfix restart
Create an "enkive" user. The -r option will make a system user, rather than a regular user:
useradd -r enkive
Allow the new "enkive" user to read and write to Enkive (don't forget the trailing slash!):
chown -R enkive.enkive /opt/enkive/
Prepare the enkive initscript.
cp /opt/enkive/scripts/enkive /etc/init.d/enkive chmod 755 /etc/init.d/enkive
At the top of the enkive initscript you need to edit several variables.
The relevant portion of the initscript:
... # SYSTEM ADMINISTRATOR LIKELY WANTS TO MODIFY THE FOLLOWING VARIABLES # user id under which Enkive is run; a good practice is to create a # user specifically to run Enkive (e.g., "enkive") ENKIVE_USER=enkive # path to top-level Enkive directory; this directory would contain # "lib" and "config" ENKIVE_HOME=/opt/enkive # path to the jsvc executable file JSVC=/usr/local/bin/jsvc # path to top level of the Java JDK (must be a JDK and not a JRE); # should contain "bin", "lib", and "lib/tools.jar" JAVA_HOME=/opt/java # path to directory that Indri was installed in -- typically /usr/local # or /opt/indri. Expect to find underneath this directory both # lib/libindri_jni.so and share/indri/indri.jar . INDRI_INSTALL_PATH=/opt/indri ...
Note: If you installed Java with the rpm, the "JAVA_HOME" line should be:
JAVA_HOME=/usr/java/jdk1.7.0_21
Now start enkive:
/etc/init.d/enkive start
Give it a few seconds. Then log in to a graphical desktop and use the web browser to go to http://localhost:8888/ediscovery/. Even better: from another computer on your network go to http://enkiveIPaddress:8888/ediscovery/ in a web browser.
Log in as user "enkive" with the password "enkive". There won't be any archived email yet to search. Log out.
Add email to Enkive
The telnet client is sometimes not installed by default on CentOS 6, so:
yum install telnet
Sent a test email to the Enkive using the telnet client. If you've never done this before, you might want to read the following:
- http://workaround.org/ispmail/lenny/test-mail-through-telnet
- http://www.expta.com/2010/03/how-to-use-telnet-to-send-smtp-email-to.html (Windows-centric, but useful)
Follow the session below. You can only escape from the telnet session with CTRL-] (not CTRL-C!).
The actual lines you type after telnetting to port 25 are:
ehlo localhost mail from:<bill@example.com> rcpt to:<ted@example.org> data From: Bill <bill@example.com> To: Ted <ted@example.org> Subject: my first archived email Archive me, please! .
Note that you finally "send" the email by typing a single period by itself on a line, then hit enter. After which, postfix will queue the message.
[root@localhost ~]# telnet localhost 25 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. 220 localhost.localdomain ESMTP Postfix ehlo localhost 250-localhost.localdomain 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN mail from:<bill@example.com> 250 2.1.0 Ok rcpt to:<ted@example.org> 250 2.1.5 Ok data 354 End data with <CR><LF>.<CR><LF> From: Bill <bill@example.com> To: Ted <ted@example.org> Subject: my first archived email Archive me, please! . 250 2.0.0 Ok: queued as 2C27F1E4836 ^] telnet> quit Connection closed.
Now go back to http://localhost:8888/discovery and log in. You will be able to search for the email.
Final clean up and reboot
Make sure everything starts on boot.
chkconfig --add enkive chkconfig --add mongodb chkconfig enkive on chkconfig mongodb on
Reboot for good measure.
Note: MongoDB should start before Enkive. If you're having issues with Enkive not starting on boot, it could be that MongoDB has not finished starting when Enkive starts. If that's the case, you need to modify the sequence numbers in the mongodb and enkive initscripts. The current settings used here should work, however.
SELinux
At this point, your Enkive installation is working, but only when SELinux is in permissive mode or if SELinux is disabled entirely. If you switch to enforcing mode, Postfix won't work with the Enkive socket filter because Postfix runs confined in SELinux. What will happen in this case is that Postfix won't have permission to run the Enkive socket filter and will report "permission denied" in /var/log/maillog. Also, any mail that gets sent to postfix will just stay in the mail queue.
If SELinux was in permissive mode, you can look in /var/log/audit/audit.log and check for lines that say "avc denied". This happened when you added mail to the archiver using the telnet client. Permissive mode doesn't actually block the action, but just reports what it would be had it been in enforcing mode.
To modify your SELinux policy, you will need the "audit2allow" command. If you don't have it, you need to install the following package:
yum install policycoreutils-python
The following will work, but read the cautionary note afterward:
cat /var/log/audit/audit.log | audit2allow -M postfixenkive
This will create files called "postfixenkive.te" and "postfixenkive.pp", but you can use whatever name you like. Now install the SELinux module:
semodule -i postfixenkive.pp
You should be careful with this because you are submitting the entire audit.log to audit2allow. Now if this is being performed on a newly installed server that is solely dedicated to Enkive, this shouldn't be much of a problem.
The following might be preferable and is verified to work on CentOS 6.4. Put the following in a text file called postfixenkive.te:
module postfixenkive 1.0; require { type postfix_pipe_t; type usr_t; class file { read execute execute_no_trans }; } #============= postfix_pipe_t ============== allow postfix_pipe_t usr_t:file { read execute execute_no_trans };
Run the following commands:
checkmodule -M -m postfixenkive.te -o postfixenkive.mod semodule_package -m postfixenkive.mod -o postfixenkive.pp semodule -i postfixenkive.pp
You can temporarily turn on SELinux with:
setenforce 1
and then test Enkive again.
This will put it in enforcing mode, but it won't survive a reboot. If you want this change permanent, modify /etc/selinux/config so that:
SELINUX=enforcing
iptables
If you want to set up a host-based iptables firewall, run:
system-config-firewall-tui
Remember to leave ports 25 and 8888 open.
You're mostly done
At this point, if you want to start archiving email you will have configure your mail server (and there may be more than one in your organization) to send a duplicate of each email to this Enkive server.
Postfix (including Zimbra), sendmail and exim have different ways of doing this; however, this is not covered here yet.