WACS: Installation

Requirements
Obtaining WACS
Installation

Easy Installation
Manual Installation

Troubleshooting

Special Notes About SELinux

Requirements

In order to install WACS, you will ideally have the following available (the easyinstall script will attempt to handle appropriate software installations for you):

a server running a recent version of Linux/Unix with:
- at least 256MB of RAM (512MB or more preferred)
- a *LOT* of hard disc space available
- connection to a suitable home network
- the system administrator (root) password
a suitable web server (apache 2.2 is ideal)
a recent version of perl (perl 5.8 is ideal) and the following modules from CPAN (www.cpan.org):
- Perl DBI - generic database routines
- Perl DBD - database driver module for appropriate database eg DBD::Oracle for Oracle 10g.
- XML::Simple - XML parser library
- Data::Dumper - data structure debug module
- File::Basename - file name demangler
- Authen::SimplePam - perl and PAM authentication backend
php is also used by the htmlbones stuff, but not much (as yet).
a relational database (Oracle 10g or MySQL 5 are actively supported, most others with a perl DBI interface should work).

However, perl is a flexible and portable system and any system that can offer a working web server and Perl-DBI interface to a suitable database should be usable. If someone wants to make this work for Windows, we'd welcome the patches back into the SVN tree.

Obtaining WACS

WACS is obtainable from sourceforge where it is known as WACSip because of a name clash with a different package. The sourceforge site contains the latest code, documentation, news articles, mailing list details and even some screenshots. The URL is http://wacsip.sourceforge.net. You can obtain WACS either by downloading one of the official releases or by pulling the very latest "bleeding edge" version from the Subversion repository. We do not use the older CVS version control system at all; WACS is a new project so it was started fresh under Subversion (svn).

To get the latest official release, go to the sourceforge project page and click on download. If the latest release is 0.5alpha, then download wacs-0.5alpha.tar.gz. Once downloaded, save it somewhere appropriate for unpacking - the installation will work without the archive, although there are sample configs and docuentation files which are not installed anywhere. If for instance you've decided to keep wacs in an "src/wacs" directory of your home directory and your web browser has placed the downloaded file on your Desktop, do:

% cd
% mkdir -p src/wacs
% cd src/wacs
% tar -xzvf ~/Desktop/wacs-0.5alpha.tar.gz
x wacs-0.5/README
[...]
% cd wacs-0.5

and from there follow one or other of the installation instructions below.

To get the very latest version from the sourceforge subversion repository, do the following:

% cd
% mkdir -p src/wacs
% cd src
% svn co https://svn.sourceforge.net/svnroot/wacsip/trunk wacs
[...]
% cd wacs

and then follow the installation instructions as appropriate.

Installation

There are basically two installation options, easy or manual. The easy install option should work "out of the box" on Fedora Core 5 and 6, if using the standard locations for the apache web server and mysql. On other distributions or if you've changed locations from the defaults, it'll probably fail over dumb things like the names of the packages or the way they are installed. It should be easy enough to fix it up for other OS releases if people feed back the errors they encounter. The manual install procedure is pretty lengthy but details all the necessary steps to do a complete install. You will have to follow this procedure if you are using a platform other than the one for which the easy install script was prepared.

Easy Install

EasyInstall should be just that, but probably won't be. An installer is a complex thing and depends heavily on the environment around it. If you're running Fedora Core 5 or Fedora Core 6 and accept all the defaults, there is a reasonable chance it'll work. If you're running an older release with either MySQL < 5.0 or Apache < 2.2, you may well have problems... On other RPM-based distributions with the yum updater (SuSE, CENTOS, RHEL) you're in with a chance of it working, or at the very least installing most of the necessary infrastructure for you. Other non-RPM based distributions will almost certainly fail, but if you feed back the error messages, we'll have a go at fixing it.

To run easyinstall, become the super user (root) and issue the following commands:

# cd unpack_location/install
# ./easyinstall

and follow the onscreen prompts. At the end of the package configuration questions, you will be shown your answers and asked for comfirmation; if you answer n for no, you'll be asked the questions again. After that, once the installation phase starts, if you make a mistake in answering a question press <CTRL>-C to abort and start again.

Once you've done that you will need to add some model details and content to the server. There's a step-by-step guide on how to do this in the next section, getting started, and a more detailed discussion of the addmodel, addassoc and generate commands used for this in the page on console tools.

Manual Install

Obviously this is a big task, and there will hopefully be better documentation in due course, but here is the basic bones of what needs to be done.

check the web server is working, install the barebones WACS index pages from the htmlbones directory of the distribution into your web tree and check you can see it. On a default Fedora Core 5 installation, this would be done with:
```
# cd unpack_location
# mkdir /var/www/html/wacs
# cp -rp htmlbones/* /var/www/html/wacs
#
```
For the perl modules, first check whether your operating system distribution includes them - Fedora Core 5 had packages called perl-DBI and perl-DBD-MySQL - so these could be simply installed with yum install perl-DBI and yum install perl-DBD-MySQL. The next easiest way to install the necessary perl modules, if they are not already present, is to use the cpan command. This can typically be done with:
```
# cpan install XML::Simple
# cpan install Data::Dumper
# cpan install File::Basename
# cpan install Authen::SimplePam
#
```
install the Wacs.pm perl module into the site_perl directory of your system - change the 5.8.8 to whatever your current version of perl is. [NB: note the change of case of the first letter of the perl module name from wacs.pm to Wacs.pm]:
```
# cd unpack_location
# cp modules/wacs.pm /usr/lib/perl5/site_perl/5.8.8/Wacs.pm
#
```
install the wacs PAM (Plugable Authentication Modules) configuration into the /etc/pam.d directory. Please note that due to the way that PAM works, if your system uses shadow passwords (in the /etc/shadow file), you will need to grant read access to the /etc/shadow file to the apache web server so it can authenticate normal users. Please see the security section for more information. Create the /var/run/wacs directory where the dynamic leases files are stored and change it's ownership to apache (or whatever your web server user is).
```
# cp unpack_location/security/wacs.pam /etc/pam.d/wacs
# chown root.root /etc/pam.d/wacs
# chmod 644 /etc/pam.d/wacs
# chgrp apache /etc/shadow
# chmod g+r /etc/shadow
# mkdir /var/run/wacs
# chown apache.apache /var/run/wacs
#
```
NOTE: if you run selinux (Security Enhanced Linux) on Fedora Core or Redhat (or another future distro that includes it), you will need to give apache privilege to read the /var/run/wacs directory - this can be done by changing the context of the directories and files. The commands to do this are:
```
# chcon system_u:object_r:httpd_sys_content_t /var/run/wacs
# chcon -R system_u:object_r:httpd_sys_content_t /var/run/wacs/*
# 
```
If the leases file does not exist when you first do this and you encounter problems, try using the second of these two commands again.

install the wacs application programs into the cgi-bin tree:

# cd unpack_location
# cp index/wacs* models/wacs* presentation/wacs* /var/www/cgi-bin/
# cp retrieval/wacs* search/wacs* tag/wacs* /var/www/cgi-bin/
# cp security/wacs* manage/wacs* /var/www/cgi-bin/
# chmod 755 /var/www/cgi-bin/wacs*
#

copy the applications that are just duplicate versions of existing commands and change the appropriate mode variables:

# cd /var/www/cgi-bin
# cp wacsmodelpage wacsmpthumbs
# editor wacsmpthumbs
# cp wacsimgcats wacsvidcats
# editor wacsvidcats
# cp wacsimgcats wacsphotcats
# editor wacsphotcats
# cp wacsimglist wacsvidlist
# editor wacsvidlist
# cp wacsnewsets wacsnewvideo
# editor wacsnewvideo
#

edit the file and change the mode variable (thumbsmode in this case). Repeat this process for wacsimgcats becomes wacsvidcats and wacsphotcats, and so on. At the end, make sure all of the copies are executable:

# cd /var/www/cgi-bin
# chmod 755 wacs*

install the configuration file, wacs.cfg into a suitable location such as /etc/wacs.d or /usr/local/etc/wacs.d. Edit this file and make sure the key settings are right for your server, specifically the location of the image files, the location of the video files and the server name in the URLs. You will also need settings for the database user name and password you intend to use, and the environment and path locations needed for the database system you are using. For more information, see the next section on the configuration file.
create a suitable permanent access control list in the configuration directory choosen above, the supplied wacs.acl should provide a suitable template. This step can be skipped if you're only ever going to use lease-based access with logins. For more information on the format of the access control lists, please set the security section.

create a suitable owner account for the wacs data tables in your database system. The instructions here cover doing this for both MySQL and Oracle 10g, in that order:

With MySQL 5.1, this would be done with:

% mysql --user=root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database wacs;

mysql> create user 'wacs'@'myserver' identified by 'wacs';

mysql> create user 'wacs'@'localhost' identified by 'wacs';

mysql> grant all on wacs.* to wacs;

mysql> commit;

mysql> flush privileges;

mysql> quit

With Oracle 10g, this would be something like:

% sqlplus

SQL*Plus: Release 10.1.0.3.0 - Production on Fri Sep 29 14:53:56 2006

Copyright (c) 1982, 2004, Oracle.  All rights reserved.

Enter user-name: system
Password: *******

Connected to:
Oracle Database 10g Release 10.1.0.3.0 - 64bit Production

SQL> create user wacs identified by wacs;

User created.

SQL> grant connect, resource to wacs;

Grant succeeded.

SQL> alter user wacs default tablespace main quota unlimited on main;

User altered.

SQL> commit;

Commit complete.

SQL> quit
Disconnected from Oracle Database 10g Release 10.1.0.3.0 - 64bit Production

Of course there is a huge amount of variance in how any given database is installed, so you will need some knowledge about your installation. For instance, your main tablespace may not be called "main" as it is in the example.

login as the database user just created and run the table create SQL script from the creation directory of the wacs distribution. These scripts are called by a single creation script, the one for oracle is called create_oracle.sql, the one for MySQL is called create_mysql.sql.

To run this on MySQL 5.1 using the account created in the step above, you would do the following:

% cd unpack_location/creation
% mysql --user=wacs --password=wacs wacs < create_mysql
[...]
%

To run this on Oracle 10g using the account created in the step above, you would do the following:

% cd unpack_location/creation
% sqlplus wacs/wacs @create_oracle

SQL*Plus: Release 10.1.0.2.0 - Production on Fri Oct 6 19:11:41 2006

Copyright (c) 1982, 2004, Oracle.  All rights reserved.


Connected to:
Oracle Database 10g Release 10.1.0.3.0 - 64bit Production

WACS Database Table Creation Script for Oracle

Commencing Table Creation:

  1. Photographer


Table created.

  2. Sets


Table created.

  3. Models


Table created.

  4. Assoc


Table created.

  5. Idmap


Table created.

  6. Download


Table created.

  7. Tag


Table created.

Tables Created - Committing Changes


Commit complete.

Completed.

Disconnected from Oracle Database 10g Release 10.1.0.3.0 - 64bit Production
%

The final step is to install the tools scripts into a suitable directory, normally this would be /usr/local/bin, but it could be put within the wacs tree if desired. /usr/local/bin is usually in the default path for all the shells and thus available to user accounts without further work. To install, do:
```
# cd unpack_location/tools
# cp -p * /usr/local/bin
#
```
If you want to put it somewhere else, within the wacs home area would be fine, somewhere like /home/wacs/bin, but you will then need to add that directory to the path of your shell. For the C-shell, you would add set path=(/home/wacs/bin $path) into the .cshrc file in the home directory of your own account and those of other people who might be adding contents to the wacs server. For the Bourne style shells (sh,bash,etc), you would need to add PATH=/home/wacs/bin:$PATH and export PATH to the .profile or .bashrc files in the home directories. Once added, depending on the shell, you may need to type rehash to rescan the path for the new commands.

Troubleshooting

Obviously we hope the installation script will create a running installation for you, but there will no doubt be occasions when it does not. Before seeking help via the mailing lists and other resources on the sourceforge site, there are some things you should clarify. The first of these is to confirm what the status of the various subsystems are. Here's a quick check list:

Is there an error being reported?
1. Check the apache web server log file in /var/log/httpd/myserver-errorlog
2. Check the system messages in /var/log/messages
3. Check the output from the kernel by running dmesg (a common cause of trouble is the SELinux security mechanism, an avc_denied message in the output of dmesg is a solid clue to this - see comments below on SELinux)
Is the web server running?
1. If you point a web browser at the top level URL of your server, do you get a web page back, be it a distribution-supplied test page or previous pages you placed there?
2. Can you get the wacs main page? (http://myserver/wacs/)
3. Can you get any response from the WACS cgi-bin programs, even so much as a coloured background to a blank screen? (http://myserver/cgi-bin/wacsnewmodels)
4. Is there an httpd process running? (ps wax | grep httpd)
5. Is the HTTPD set to start automatically? (chkconfig --list httpd)
Is the database server running?
1. See if you can connect using the SQL monitor - called mysql for MySQL, sqlplus for Oracle 10g.
2. Check for the database processes running - mysqld for MySQL, a whole cluster of oracle* and ora_* processes for Oracle 10g.

Special Notes About SELinux

SELinux is an enhancement to Linux that allows potentially vulnerable services (like an internet-exposed web server) to be operated on a basis where each action the program tries to take needs to be explicitly allowed, rather than the normal allowed unless denied approach of most Unix environments. As such SELinux presents a whole new group of challenges for getting WACS to work, because we have to extend the ruleset as to what is allowed and what is not. It can be done, but it will take work and some experimentation. Whereever we have not used the Operating System supplied packages (Web Server, Database, etc), we're going to have to add those rules. The first thing to check is whether SELinux is enabled - to do this, type:

% sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        targeted
%

If it's either disabled, or is enabled but with a current mode of permissive, it's not actualling going to be causing us a problem right now. If it is enabled and enforcing, we've got to work on it. The web server process needs a security context of httpd_sys_content_t to be present on any directory it needs to access, so the first step is to add this context to each directory (outside of the normal ones) that it is likely to access. This is done with the chcon commands shown above in the manual install section - example:

# chcon system_u:object_r:httpd_sys_content_t /var/run/wacs
#

In addition to the directory gaining the httpd_sys_content_t security context, any pre-existing files will also need the same, so this can be done with:

# chcon -R system_u:object_r:httpd_sys_content_t /var/run/wacs/*
#

To inspect the security context of a file or directory, you use the -Z option to the ls command:

# ls -Z /var/run/wacs/
-rw-r--r--  apache apache system_u:object_r:httpd_var_run_t leases.acl
#

While the easyinstall script does try to set these for all the areas the web server might go (/var/run/wacs, /etc/wacs.d and the files area /home/wacs/*), any problems which are causing avc_denied messages in the dmesg output are most likely down to this issue.

Next Section: Getting Started
Back to WACS Documentation Index