SystemD service for Orchesto
In order to run Orchesto as an unattended service, it is desirable to have a method for supervising and controlling the Orchesto process. This section describes how this can be achieved on Linux using systemd.
Install a systemd enabled Orchesto instance from scratch
Summary
- Install a postgres database
- Manually copy the binaries to the correct location
- Create a user for running the systemd service orchesto
- Set up the systemd service to start at boot
Optional additions:
- Configure SSL/TLS
- Redirect log output to a specific log file
Install a postgres database for the Orchesto gateway
- The installation of a database for Orchesto is covered in the Postgres installation document
- The database can run natively on the same host, on a neighbouring host or in a docker container
Install the Orchesto binaries and create a systemd service
Centos / Redhat / Fedora / Ubuntu
Create a user
Create a user running the daemon.
sudo useradd -m -s /bin/bash orchesto
Create a password
Create a temporary password for the orchesto user.
sudo passwd orchesto
Create a directory
Create a directory for the Orchesto configuration files.
sudo mkdir /home/orchesto/.orchesto
sudo chown orchesto:orchesto /home/orchesto/.orchesto
Download binaries
Download and unpack the Orchesto binaries as below, setting the owner to root:root and the file mode to 0755.
sudo chown root:root <path>orchesto
sudo chmod 755 <path>orchesto
sudo chown root:root <path>orctl
sudo chmod 755 <path>orctl
File path
File location path for Centos / Redhat:
/usr/local/sbin/orchesto
/usr/local/bin/orctl
Prepare directory for the write-back cache
Prepare a directory for the write-back cache (WBC). It should be large enough for uploads, and preferably on a RAID disk.
sudo mkdir /home/orchesto/wbc
sudo chown orchesto: /home/orchesto/wbc
sudo chmod 740 /home/orchesto/wbc
Create a postgres DSN file
Create a postgres DSN file, holding the connection parameters to the Postgres server.
- Create a file /home/orchesto/.orchesto/postgres-dsn.conf containing the DSN:
postgres://orchesto:SecretPassword@localhost:5432/orchesto?sslmode=disable
The fields are, in order: dbType://dbUser:password@hostname:port/database-name?sslmode
- Change the owner and file mode so that the file is readable by the orchesto user only:
chown orchesto: /home/orchesto/.orchesto/postgres-dsn.conf
chmod 640 /home/orchesto/.orchesto/postgres-dsn.conf
Note
The license activation code is collected from the Orchesto Customer Portal
Start Orchesto
Start Orchesto manually logged in as the orchesto user. This will create the required config file structure in ~/.orchesto, connect to the license server and create the database table in the Orchesto database.
su - orchesto
/usr/local/sbin/orchesto --listen=:9090 --conf-path /home/orchesto/.orchesto --fs-lockdown --wbc /home/orchesto/wbc --dsn-file /home/orchesto/.orchesto/postgres-dsn.conf --activate /home/orchesto/.orchesto/license.json --accept-eula
Stop the server
Stop the server with CTRL-C and exit the Orchesto login shell.
CTRL-C
exit
Change the Orchesto user
Change the Orchesto user to disallow login.
sudo usermod orchesto -s /sbin/nologin
Create a config file
Create a config file, holding the CLI start parameters for a systemd service named orchesto, and add start flags as required.
Note
Additional flags might be required in the Orchesto systemd config, such as:
- --activate path/to/license.json (this flag is mandatory)
- --accept-le-sa
- --vault-config <path-to-file>
Edit config
Edit the startup config file.
sudo vim /etc/orchesto.conf
#FLAGS:
# --listen value Listen to address:port. An address may also be a hostname. Overrides listen value in config file.
# --conf-path value, -c value Path to configuration directory. (default: "/root/.orchesto")
# --dsn-file value File containing PostgreSQL DSN that specifies the database to connect to (e.g postgres://user@localhost:5432/database)
# --wbc value Path to write cache directory
# --accept-eula Accept the orchesto EULA
# --create-certificates Create self issued endpoint certificates in the configuration directory. Will not overwrite existing certificate files. Ignored if --hostnames is used.
# --hostnames value Comma separated list of hostnames. Orchesto will use Let's Encrypt to automatically obtain and refresh certificates for
# these hostnames (instead of certificate in config dir).
# --accept-le-sa Accept current Let's Encrypt Subscriber Agreement, required to get automatically managed HTTPS certificates from Let's Encrypt.
# --version Print application version
# --fs-lockdown Prevent the addition of new File System backends.
# --disable-fs-lockdown Disable the File System lockdown.
# --activate value Activate orchesto with a product license JSON file.
# --deactivate Deactivate the current orchesto product license and exit.
# --auto-deactivate Deactivate the current license when the product exits.
# --renew Renew the lease on the current license.
# --license Print the current product license details and exit.
# --vault-config value Path to JSON file containing vault settings.
# --help, -h show help
#
OPTIONS=\
--accept-eula \
--listen=:9090 \
--dsn-file /home/orchesto/.orchesto/postgres-dsn.conf \
--wbc /home/orchesto/wbc \
--conf-path /home/orchesto/.orchesto
Create SystemD
Create the systemd service definition file.
sudo vim /etc/systemd/system/orchesto.service
[Unit]
Description=orchesto Service
After=network.target
[Service]
Type=simple
User=orchesto
ExecStart=/usr/local/sbin/orchesto $OPTIONS
EnvironmentFile=/etc/orchesto.conf
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=orchesto
Restart=on-abort
[Install]
WantedBy=multi-user.target
Enable the orchesto.service
Enable the orchesto.service.
sudo systemctl daemon-reload
sudo systemctl enable orchesto
Set listening port
Open the firewall to the listening port.
- Firewalld in Redhat / Centos
sudo firewall-cmd --add-port 9090/tcp --permanent
sudo firewall-cmd --add-port 9090/tcp
- ufw in Ubuntu / Debian
sudo ufw allow 9090/tcp
Start the service
Note
The first time the service is started, there is an autologin to Orchesto, where the login credentials for the admin account are displayed in the Web GUI. Take a note of the credentials for future login requests.
sudo systemctl start orchesto.service
sudo systemctl status orchesto.service
Run the status command to see the login credentials.
Log files
Check the log files (default location).
tail -f /var/log/messages
Access Orchesto
Access Orchesto using http://<fqdn>:9090
or http://<ipaddress>:9090
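A post-install audit of the layout set up above, added here as an example and not part of Orchesto or its documentation. It assumes GNU or busybox stat and getent; the path defaults are the ones used on this page and can be overridden through the environment.

```shell
#!/bin/sh
# Post-install audit of the layout built on this page. Added example, not
# part of Orchesto. Assumes stat -c (GNU/busybox) and getent; the paths are
# the page's defaults and can be overridden through the environment.
ORCHESTO_BIN=${ORCHESTO_BIN:-/usr/local/sbin/orchesto}
ORCTL_BIN=${ORCTL_BIN:-/usr/local/bin/orctl}
ORCHESTO_HOME=${ORCHESTO_HOME:-/home/orchesto}
DSN_FILE=${DSN_FILE:-$ORCHESTO_HOME/.orchesto/postgres-dsn.conf}

# expect_path PATH OWNER:GROUP [MODE]: returns 0 if PATH exists with that
# owner (and that octal mode, when MODE is given); prints one line per check
expect_path() {
    path=$1 want_owner=$2 want_mode=${3:-}
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    owner=$(stat -c '%U:%G' "$path") mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want_owner" ] ||
       { [ -n "$want_mode" ] && [ "$mode" != "$want_mode" ]; }; then
        echo "BAD  $path is $owner $mode, want $want_owner ${want_mode:-any}"
        return 1
    fi
    echo "OK   $path ($owner $mode)"
}

# dsn_sslmode FILE: the sslmode query parameter of the DSN, or "unset"
dsn_sslmode() {
    m=$(sed -n 's/.*[?&]sslmode=\([^&[:space:]]*\).*/\1/p' "$1")
    echo "${m:-unset}"
}

# login_shell USER: the shell field of USER in the passwd database
login_shell() { getent passwd "$1" | cut -d: -f7; }

audit_orchesto() {
    rc=0
    expect_path "$ORCHESTO_BIN" root:root 755 || rc=1
    expect_path "$ORCTL_BIN" root:root 755 || rc=1
    expect_path "$ORCHESTO_HOME/.orchesto" orchesto:orchesto || rc=1
    expect_path "$ORCHESTO_HOME/wbc" orchesto:orchesto 740 || rc=1
    expect_path "$DSN_FILE" orchesto:orchesto 640 || rc=1
    case $(login_shell orchesto) in
        */nologin | */false) echo "OK   orchesto cannot log in" ;;
        *) echo "BAD  orchesto still has a login shell"; rc=1 ;;
    esac
    # the page's DSN uses sslmode=disable for a localhost database; that
    # setting sends the password in clear if the database is ever moved off-host
    [ -r "$DSN_FILE" ] && echo "INFO DSN sslmode=$(dsn_sslmode "$DSN_FILE")"
    return $rc
}

if [ "${1:-}" = "--check" ]; then audit_orchesto; fi
```

Run it as root with `--check` after the service has been started once; a non-zero exit means at least one owner, mode or shell differs from what this page sets.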
Enhancing the redundancy
Add TLS certificates
There are two methods available: add self-signed TLS certificates (for testing purposes) using the start flag --auto-tls, or use an externally signed certificate. See the chapter "How to setup TLS".
Change log output to a separate file
Orchesto has two means of logging, Console and File.
When running Orchesto as a systemd service, as described above, the Console output is redirected to /var/log/messages.
In the Orchesto web-gui, System-Logging, it is possible to disable / enable the console logging, and to add separate file logging.
Since Orchesto is running as the user "orchesto", the file path for the file log must be writable by the user orchesto.
Example: Defining /home/orchesto will create a log file /home/orchesto/orchesto.log.