Installing LedgerSMB 1.12

Submitted by ehu on

Installation from tarballs

This page contains the comprehensive version with the installation instructions for LedgerSMB 1.12 targetting a production installation from release tarballs and deals with these steps:

  • Installing the LedgerSMB Perl module dependencies
  • Configuring the PostgreSQL server
  • Configuring a webserver (reverse proxy)
  • Configuring LedgerSMB

If you already have all of the above, please proceed to the "Preparing for first use" guide.

These are not the Quick start instructions, but instructions for setting up a full, secure production system. Also, please note that if you're in a position to use LedgerSMB's Docker images, or packages for your Unix/Linux distribution, using those will be far quicker and easier than following the instructions below.

More detailed step by step example instructions for a native install are provided in the LedgerSMB Book Installation Appendix.

System requirements

Requirements for both server and client are documented on the system requirements page.

Unpacking the release tarball

According to the Filesystem Hierarchy Standard, both /usr/local/ledgersmb and /opt/ledgersmb could be chosen as install locations. Unpack the tarball by running (as "root" user):

# tar xf ledgersmb-1.12.x.tar.gz --directory /usr/local/

Installing the LedgerSMB Perl module dependencies

The instructions below assume all dependencies will be installed from CPAN. It is possible to install most modules from distribution repositories; installing those before running the cpanm command below, will reduce the installation done by this command. The Docker image can be consulted for an example.

# Installation of LedgerSMB Perl dependencies from CPAN
cpanm --quiet --notest --with-feature=starman --installdeps /usr/local/ledgersmb/

Then, there are a number of features which need additional modules.
The above command includes the Starman Feature which is required for most installations.
The modules required for each feature can be installed by appending "--with-feature=<feature-name>" to the above command line.

These features are supported:

Feature Description
latex-pdf-ps Enable PDF and PostScript output
Note: In order to make use of this functionality, the server must also have 'latex' or 'xelatex' installed. On many distributions, these packages are called 'texlive-latex' and 'texlive-tetex' respectively.
starman Starman Perl/PSGI (standalone) web server
openoffice OpenOffice.org document output
xls Microsoft Excel output
edi (EXPERIMENTAL) X12 EDI support

 

# Installation of LedgerSMB Perl dependencies directly from CPAN
# With Starman and PDF & Postscript output

cpanm --quiet --notest --with-feature=starman --with-feature=latex-pdf-ps \
--installdeps /usr/local/ledgersmb/

Configuring the PostgreSQL server

There are only two requirements for the PostgreSQL database server. This section instructs how to configure an pre-installed PostgreSQL installation to meet those requirements. It's assumed that the LedgerSMB server and PostgreSQL are being run on the same system. The requirements to meet are:

  1. A database administrator user (in PostgreSQL called a 'role') for creation and administration of LedgerSMB company databases
  2. Authorization setup so the database administrator can log into the database through LedgerSMB's 'setup.pl' program

Creating the company database administrator account

The database administrator user account needs to have at the bare minimum:

  • The right to create databases (CREATEDB)
  • The right to create roles (CREATEROLE)
  • The right to log in (LOGIN)
  • A password to authenticate logins

The following command issued as root user, creates a user named "lsmb_dbadmin" (which isn't a super user):

# su - postgres -c 'createuser -S -d -r -l -P lsmb_dbadmin'
Enter password for new role: ************
Enter it again: ************

Configuring database access rights

PostgreSQL takes its access configuration through a file called 'pg_hba.conf'. The location of this file may differ per distribution:

  • Debian derivatives: /etc/postgresql/<version>/<cluster>/pg_hba.conf
  • RedHat derivatives: /var/lib/pgsql/<version>/data/pg_hba.conf

On most systems, this file has four effective lines:

local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            peer
host    all             all             ::1/128                 peer

These lines mean that each system user can connect to the database system with an equally named database user; the connecting source doesn't make a difference: unix and TCP/IP sockets have the same configuration.

The LedgerSMB software needs to be able to connect to the database system as 'lsmb_dbadmin' or as a LedgerSMB user, not as the user that runs the server process. The new content should look like:

local   all             postgres                         peer
local   all             all                              peer
host    all             postgres         127.0.0.1/32     reject
host    all             postgres        ::1/128      reject
host    postgres,template0,template1   lsmb_dbadmin         127.0.0.1/32     md5
host    postgres,template0,template1   lsmb_dbadmin         ::1/128      md5
host    postgres,template0,template1   all          127.0.0.1/32     reject
host    postgres,template0,template1   all          ::1/128      reject
host    all             all             127.0.0.1/32     md5
host    all             all             ::1/128          md5

This configuration takes advantage of the fact that each connection method (unix sockets vs TCP/IP sockets/addresses) can be separately configured. While the default connection method of the 'psql' tool is to connect over the 'local' (unix socket method), the default connection method for LedgerSMB is to use 'localhost' (127.0.0.1/32 or ::1/128).

The above configuration means that the user 'postgres' can't be used any longer to connect from 'localhost', no user can connect to the 'postgres' database through 'localhost' [reject] and all other combinations of users and database names need password authentication [md5].

Notes:

  1. PostgreSQL matches the lines first to last and uses the first matching line, so the order of the lines is very importance.
  2. For more information about the pg_hba.conf configuration options, see the PostgreSQL pg_hba.conf documentation
  3. The databases 'template1' and 'template0' are system databases available in every cluster; this configuration blocks those for access from LedgerSMB as well.

After reconfiguring pg_hba.conf, the PostgreSQL service needs to be restarted. this works with one of the following commands (depending on your distribution):

# restarting postgresql service (as root)
# service postgresql restart
# - or -:
$ service postgresql-<version> restart

Verifying database access

To verify access for the database admin user 'lsmb_dbadmin', an accessible database - not named 'postgres', 'template0' or 'template1' - is required. On new installs, these are the only databases. So the next example creates one. Here's how to verify the setup:

# Verify access configuration (run as root)
$ su - postgres -c 'createdb lsmb_access_test_db'
$ psql -h localhost -U lsmb_dbadmin -d lsmb_access_test_db -c "select version()"
PostgreSQL 17.2 <--- this line indicates success("17.2" is just an example version number)
$ su - postgres -c 'dropdb lsmb_access_test_db'

Configuring a web server

Regardless of your web server setup, configuration of an "application server" is required. The application server used with LedgerSMB can be any PSGI compatible server. The default application server is Starman, which is widely considered the fastest available. The Starman server process lives behind a reverse proxy. While Starman deals specifically with those HTTP requests which require "application logic", all other requests (mostly static content, such as images or CSS) are dealt with by the proxy.

Configuring the Starman application server

Depending on the distribution and the installed init system, a startup script/config needs to be installed; the following are supported:

  • SysV init script
  • OpenRC init script
  • Systemd configuration

The following common setup is required regardless of the init system used to manage services on the target server.

To support privilege separation, the Starman server should be running as a user which meets these criteria:

  • Not the same user as the web server
  • Does not have write access to the LedgerSMB directories

To that extent, identify an existing (unused) system user, or create one with this command:

# create 'ledgersmb' user for Starman server to run
$ useradd -d /non-existent -r -U -c "LedgerSMB/Starman service system user" ledgersmb

Configuring systemd for Starman

In the directory doc/conf/systemd/ from the tarball, there is a preconfigured systemd service file, which needs to be copied into place. In case you decided to install dependencies into a local::lib managed directory, the service file needs to be edited to set a PERL5LIB environment variable before you can successfully start the service.

# 'copy' systemd service configuration, enable and start
$ sed -e "s#WORKING_DIR#$PWD#" doc/conf/systemd/ledgersmb_starman.service \
| sudo tee /etc/systemd/system/ledgersmb-starman.service
$ sudo systemctl daemon-reload

$ sudo systemctl enable ledgersmb-starman
$ sudo systemctl start ledgersmb-starman

Note that the above assumes that the commands are being run from the root of the unpacked tarball. It also assumes that the tarball has been unpacked at its installation path.

To verify that the service started up correctly, run:

# verify that the Starman/LedgerSMB server started correctly
$ sudo systemctl status ledgersmb-starman.service
$ sudo journalctl -u ledgersmb-starman.service --since="today" -l -e

Configuring a reverse proxy

For a quick test-run or demo setup running on localhost only, configuration of a proxy isn't mandatory. However, for a production setup with LedgerSMB being network or even web-exposed, it's ill-advised to run without the reverse proxy for - at least - the following reasons:

  • The proxy can serve static content [much] more efficiently (performance)
  • The proxy can support HTTP/2 which multiplexes requests (performance)
  • The proxy guards Starman against public exposure (security)
  • The proxy adds TLS (security)

With TLS certificates being completely free these days through Let's Encrypt, and only a few dollars for the simplest of certificates from commercial vendors, there's really no reason not to secure traffic to the server. Further documentation below assumes you have such a certificate. As for getting Let's Encrypt certificates, use their Getting Started guide.

For simplicity, only the configuration of nginx as a reverse proxy is documented here.

Configuring nginx

The tarball contains an example virtual host configuration file to set up a reverse proxy with nginx. It needs to be included in the 'http { }' block in your nginx configuration. On Debian derived systems, this is done by copying the file to /etc/nginx/sites-available/ledgersmb.conf. On RedHat/Fedora derivatives, the copying goes to /etc/nginx/conf.d/ledgersmb.conf. After editing the file, replacing the following variables:


  • Same replacement as before
  • SSL_CERT_FILE
    Should be where your certificate file is stored; probably /etc/certs/your_host.example.com.pem
  • SSL_KEY_FILE
    Probably the same as the SSL_CERT_FILE, but with '.key' extension
  • YOUR_SERVER_NAME
    If nothing else, should be replaced by the output of the command 'hostname -f'

NOTE: by default snakeoil certificates will be used by at least our nginx sample config files.
These certificates are locally created and will normally require your browser clients to accept a "major risk" warning before they can be used.

On Debian derivatives, activate this file after it has been edited, using:

# On Debian/Ubuntu/Mint activate the virtual host
$ ln -s /etc/nginx/sites-available/ledgersmb.conf /etc/nginx/sites-enabled/

On RedHat/Fedora derivatives, no symlinking is necessary: the configuration is active immediately. Now, verify that the configuration is acceptable:

# (Re)start nginx service to make nginx reconfigure itself and validate configuration
$ sudo service nginx restart
# or, on systemd-based Linux distributions
$ sudo systemctl restart nginx

Configuring LedgerSMB

The tarball has a default LedgerSMB configuration file doc/conf/ledgersmb.yaml. Install the configuration file with:

# Install the default ledgersmb.conf configuration file
$ cp doc/conf/ledgersmb.yaml ledgersmb.yaml

That is it.

Configuring E-mail

In case the in-app e-mail feature is going to be used, check the values in the [mail] section and optionally adjust for the mail setup of the target system.

Next steps

Now follow the instructions in the "Prepare LedgerSMB for first use" guide.

Topic
Release