How to cleanly separate read-only and writable directories?

Question

How to cleanly separate read-only and writable directories?

yurivict opened this issue 5 years ago · comments

Once the package is installed, all it installs is read-only.
All writable data must be in separate directories, typically:

/var/db/openmeetings   - for database
/var/log/openmeetings  - for log
/var/run/openmeetings  - for pid files, etc.

I install it into /usr/local/share/openmeetings/, a read-only location. From there I create a symlink to openmeetings->/var/db/openmeetings.

However, it fails to create the database:

org.springframework.transaction.CannotCreateTransactionException: Could not open JPA EntityManager for transaction; nested exception is <openjpa-3.0.0-r422266:1833209 fatal general error> org.apache.openjpa.persistence.PersistenceException: Cannot create PoolableConnectionFactory (Failed to create database 'openmeetings', see the next exception for details.)

Thu Jun 20 12:11:12 PDT 2019 Thread[main,5,main] Cleanup action starting
ERROR XBM0J: Directory /var/db/openmeetings already exists.
        at org.apache.derby.iapi.error.StandardException.newException(Unknown Source)
        at org.apache.derby.iapi.error.StandardException.newException(Unknown Source)
        at org.apache.derby.impl.services.monitor.StorageFactoryService$10.run(Unknown Source)

Is there/should there be a DB_HOME environment variable to tell it where the DB is?

For reference, Arch linux has a port for openmeetings here https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=openmeetings, but it just copies files into /opt/openmeetings and assumes that it would be run as root from the same directory, which is a very bad practice.

It also writes some data into webapps/openmeetings/data/streams and webapps/openmeetings/data/upload. Is this a complete list?

Maxim Solodovnik · Answer 1 · Fri Jun 21 2019 11:32:07 GMT+0800 (China Standard Time)

Hello @yurivict,

First of all I would not recommend to use Apache Derby in production, OM supports Postgres, MSSQL out-of the box (MySQL, Oracle and DB2 will require jdbc drivers)

To set up DB location for Derby you need to set DERBY_HOME environment (https://db.apache.org/derby/docs/10.14/getstart/tgssetupjavaenvir.html)

OM uses FS for internal needs, this location is configurable since 4.0.9 and 5.0.0-M1
Please specify -DDATA_DIR=_path_to_data_dir (https://issues.apache.org/jira/browse/OPENMEETINGS-2033)

Running OM as root is bad idea, I always suggest to run it as nobody

yuri@FreeBSD · Answer 2 · Fri Jun 21 2019 15:05:50 GMT+0800 (China Standard Time)

I added the file /usr/local/share/openmeetings/bin/setenv.sh with this content:

DERBY_HOME=/var/db/openmeetings
CATALINA_OPTS="-DDATA_DIR=/var/db/openmeetings"

/var/db/openmeetings is writable.

but there is this failure:

20-Jun-2019 23:59:18.111 SEVERE [main] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/usr/local/share/openmeetings/conf/Catalina/localhost]

and this failure:

^[[1;31mERROR^[[0;39m 06-20 23:59:36.586 ^[[36mo.a.o.w.a.Application:311 [main]^[[0;39m - [appStart]
org.springframework.transaction.CannotCreateTransactionException: Could not open JPA EntityManager for transaction; nested exception is <openjpa-3.0.0-r422266:1833209 fatal general error> org.apache.openjpa.persistence.PersistenceException: Cannot create PoolableConnectionFactory (Failed to create database 'openmeetings', see the next exception for details.)

and

Caused by: org.apache.derby.iapi.error.StandardException: Directory /usr/local/share/openmeetings/openmeetings cannot be created.

Not sure why does it try to create /usr/local/share/openmeetings/openmeetings when DB is supposed to be in /var/db/openmeetings.

yuri@FreeBSD · Answer 3 · Fri Jun 21 2019 15:11:39 GMT+0800 (China Standard Time)

First of all I would not recommend to use Apache Derby in production, OM supports Postgres, MSSQL out-of the box (MySQL, Oracle and DB2 will require jdbc drivers)

I would like to first create a working package using Derby. Setting up more involved DBs like Oracle and MySQL isn't really a function of the package. Package message should only recommend users how to do this in the future.

MSSQL doesn't exist on BSD, but SQLite would have been useful because it is very simple and stable, but it doesn't seem to be supported.

Maxim Solodovnik · Answer 4 · Fri Jun 21 2019 15:16:37 GMT+0800 (China Standard Time)

To be fair I never try to run OM is such restricted environment :(
I'll try to reproduce your steps in will report back (most probably in the beginning of next week)

/usr/local/share/openmeetings/conf/Catalina/localhost is required by Tomcat, so I guess there should be some Tomcat specific env for this

SQLite support can be added, such support was never requested :)

yuri@FreeBSD · Answer 5 · Sat Jun 22 2019 03:53:27 GMT+0800 (China Standard Time)

To be fair I never try to run OM is such restricted environment :(

This requirement is natural once OM is installed as a package. All files that packages install are read-only by definition. All writable locations have to be configurable, which usually include:

config files location (/usr/local/etc/{pkg-name}.conf)
database location (/var/db/{pkg-name})
logs location (/var/log/{pkg-name})
cache location (/var/cache/{pkg-name})

The user installs a package with pkg install openmeetings. Once the package is installed, it would print the message to the user with this content:

======================================================================
You installed OpenMeetings: an open-source web conferencing platform.

It is recommended to run OpenMeetings as a service:
# sysrc openmeetings_enable="YES"
# service openmeetings start

You can also run OpenMeetings manually (not recommended) with the
command:
# su -m openmeetings -c openmeetings run

To access OpenMeetings please navigate to:
http://localhost:5080 or https://localhost:5443
======================================================================

This way the user would know what to do next.

Using properly designed packages is the easiest way how complex software can be installed. All I am doing is making the port for OM properly, as good as it is possible.

Imagine that some non-technical organization would like to use OM. Currently they need to hire somebody who would know how to build and configure OM. With the package - there is no need to hire people just for this.

Currently only Arch linux has the OM package: https://repology.org/project/openmeetings/versions And it isn't made properly, IMO. It runs OM as root, doesn't separate read-only from writable, etc.

Ideally, all systems should have packages for your software if your want people to use it easily, so it should look more like https://repology.org/project/tor/versions

Maxim Solodovnik · Answer 6 · Sun Jun 30 2019 13:54:26 GMT+0800 (China Standard Time)

Hello @yurivict,

sorry for the silence, was busy on some personal stuff
I tried to add support for SQLite DB,
It fails due to some incompatibilities,

Could you try latest 5.0.0-M2 build? (https://builds.apache.org/view/M-R/view/OpenMeetings/job/openmeetings/)

It will be released in a week or so

Maxim Solodovnik · Answer 7 · Tue Aug 13 2019 20:26:17 GMT+0800 (China Standard Time)

I believe everything should be OK for M2
Please reopen if still an issue