SystemD service for Orchesto

In order to run Orchesto as an instance on an unattended service, it is desirable to have a method for supervising and controlling the Orchesto process. In this section, we will elaborate on how this can be achieved on Linux OS.

Install a systemd enabled Orchesto instance from scratch

Summary

Install a postgres database
Manually copy the binaries to the correct location
Create a user for running the systemd service orchesto
Setup up the systemd service to start at boot

Optional additions:

Configure SSL/TLS
Redirect log output to a specific log file

Install a postgress database for the Orcehsto gateway

The installation of a databasei for Orchesto is covered in the Postgress installation document
The database can be run native in the same host, another neigbouring host or in a docker container

Install the Orchesto binaries and create a systemd service

Centos / Redhat / Fedora / Ubuntu

Create a user

Create a user running the daemon. sudo useradd -m -s /bin/bash orchesto

Create a password

Create a temporary password for the orchesto user. sudo passwd orchesto

Create a directory

Create a directory for the Orchesto configuration files. sudo mkdir /home/orchesto/.orchesto sudo chown orchesto:orchesto /home/orchesto/.orchesto

Download binaries

Download and unpack the Orchesto binaries as below, setting the owner to root:root and _ACL to 0755. sudo chown root:root <path>orchesto sudo chmod 755 <path>orchesto sudo chown root:root <path>orctl sudo chmod 755 <path>orctl

File path

File location path for Centos / Redhat: /usr/local/sbin/orchesto /usr/local/bin/orctl

Prepare directory for the write-back cache

Prepare a directory for the write-back cache (WBC). Should be large enough for uploads, and preferable on a RAID disk. sudo mkdir /home/orchesto/wbc sudo chown orchesto: /home/orchesto/wbc sudo chmod 740/home/orchesto/wbc

Create a postgres DSN file

Create a postgres DSN file, holding the connection parameters to the Postgres server.

Create a file /home/orchesto/.orchesto/postgres-dsn.conf postgres://orchesto:SecretPassword@localhost:5432/orchesto?sslmode=disable with the following meaning #dbType:dbUser:password:hostname:port:database-name:sslmode
Change ACL and file mode chown orchesto: /home/orchesto/.orchesto/postgres-dsn.conf chmod 640 /home/orchesto/.orchesto/postgres-dsn.conf

Note

The license activation code is collected from the Orchesto Customer Portal

Start Orchesto

Start Orchesto manually logged in as the orchesto user. This will create the required config file structure in ~/.orchesto, connect to the license server and create the database table in the Orchesto database. su - orchesto

/usr/local/sbin/orchesto --listen=:9090 --conf-path /home/orchesto/.orchesto --fs-lockdown --wbc /home/orchesto/wbc --dsn-file /home/orchesto/.orchesto/postgres-dsn.conf --activate /home/orchesto/.orchesto/license.json --accept-eula

Stop the server

Stop the server with CTRL-C and exit the Orchesto login shell. CTRL-C exit

Change the Orchesto user

Change the Orchesto user to disallow login. sudo usermod orchesto -s /sbin/nologin

Create a config file

Create a config file, holding the CLI start parameters for a systemd service named orchesto, and add start flags as required.

Note

Additional flags might be required in the Orchesto systemd config, such as:

--activate path/to/license.json This flag is mandatory --accept-le-sa --vault-config <path-to-file>

Edit config

Edit the startup config file. sudo vim /etc/orchesto.conf

    #FLAGS:
    #  --listen value               Listen to address:port. An address may also be a hostname. Overrides listen value in config file.
    #  --conf-path value, -c value  Path to configuration directory. (default: "/root/.orchesto")
    #  --dsn-file value             File containing PostgreSQL DSN that specifies the database to connect to (e.g postgres://user@localhost:5432/database)
    #  --wbc value                  Path to write cache directory
    #  --accept-eula                Accept the orchesto EULA
    #  --create-certificates        Create self issued endpoint certificates in the configuration directory. Will not overwrite existing certificate files. Ignored if --hostnames is used.
    #  --hostnames value            Comma separated list of hostnames. Orchesto will use Let's Encrypt to automatically obtain and refresh certificates for 
    # these hostnames (instead of certificate in config dir).
    #  --accept-le-sa               Accept current Let's Encrypt Subscriber Agreement, required to get automatically managed HTTPS certificates from Let's Encrypt.
    #  --version                    Print application version
    #  --fs-lockdown                Prevent the addition of new File System backends.
    #  --disable-fs-lockdown        Disable the File System lockdown.
    #  --activate value             Activate orchesto with a product license JSON file.
    #  --deactivate                 Deactivate the current orchesto product license and exit.
    #  --auto-deactivate            Deactivate the current license when the product exits.
    #  --renew                      Renew the lease on the current license.
    #  --license                    Print the current product license details and exit.
    #  --vault-config value         Path to JSON file containing vault settings.
    #  --help, -h                   show help
    #
    OPTIONS=\
    --accept-eula \
    --listen=:9090 \
    --dsn-file /home/orchesto/.orchesto/postgres-dsn.conf \
    --wbc /home/orchesto/wbc \
    --conf-path /home/orchesto/.orchesto

Create SystemD

Create the systemd service definition file. sudo vim /etc/systemd/system/orchesto.service

[Unit]
Description=orchesto Service
After=network.target

[Service]
Type=simple
User=orchesto
ExecStart=/usr/local/sbin/orchesto $OPTIONS
EnvironmentFile=/etc/orchesto.conf
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=orchesto
Restart=on-abort

[Install]
WantedBy=multi-user.target

Enable the orchesto.service

Enable the orchesto.service. sudo systemctl daemon-reload sudo systemctl enable orchesto

Set listening port

Open the firewall to the listening port.

Firewalld in Redhat / Centos sudo firewall-cmd --add-port 9090/tcp --permanent sudo firewall-cmd --add-port 9090/tcp
ufw in Ubuntu/ Debian sudo ufw allow 9090/tcp

Start the service

Note

The first time the service is started, there is an autologin to Orchesto, where the login credentials for the admin account is displayed i the Web GUI. Take a note of the credentials for future login requests.

sudo systemctl start orchesto.service sudo systemctl status orchesto.service to see the login credentials

Log files

Check the log files (deafult location). tail -f /var/log/messages

Access Orchesto

Access Orchesto using http://<fqdn>:9090 or http://<ipaddress>:9090

Enhancing the redundancy

Add TSL certificates

There are two methods available, add self signed TLS certificates (for testing purpose), using the start flag --auto-tls, or use an externally signed certificate. See the Chapter "How to setup TLS".

Change log output to a separate file

Orchesto have two means of logging, Console and File.
When running Orchesto as a systemd service, as described above, the Console output is redirected to /var/log/messages.
In the Orchesto web-gui, System-Logging, it is possible to disable / enable the console logging, and to add separate file logging. Since Orchesto is running as the user "orchesto", the file path for the file log must be writable by the user orchesto.

Example: Defining /home/orchesto will create a log file /home/orchesto/orchesto.log.