Ejabberd Configuration

[[Category:Jabber]]
[[Category:Telepathy]]
[[Category:SchoolServer]]
'''These notes are old and deprecated -- ejabberd is installed and configured as part of the [[School Server]] installation.''' (See this [http://www.mail-archive.com/server-devel@lists.laptop.org/msg02775.html discussion thread] for some guidance from 16 Sep 2009.)

The OLPC Jabber server was trialling ejabberd 2.0 from SVN trunk to see if it aids stability (see [http://dev.laptop.org/ticket/5313 #5313]). We're aiming to reduce the odd configuration and patches in favour of a self-contained server component which can be connected up (using [http://www.xmpp.org/extensions/xep-0114.html XEP-0114]) to any unmodified Jabber server to carry out OLPC's activity and buddy indexing/searching (see [[XMPP Extensions]]). We're not there yet, so in the meantime, if you want to run your own server...
We are also working on experimental support of [http://www.igniterealtime.org/projects/openfire/index.jsp Openfire]. See [[Openfire Configuration]].

== Packages ==

If you don't want to mess with patching your server, we are periodically generating snapshot binary packages of our modified Jabber server. If you use one of these packages you can skip the patching step below. Go [http://people.collabora.co.uk/~robot101/olpc-ejabberd/ here] to find the latest Fedora 7 packages (the Debian packages are a little outdated, apologies).

<pre>
sudo yum install erlang fedora-usermgmt
wget http://people.collabora.co.uk/~robot101/olpc-ejabberd/ejabberd-2.0.0-0.1.beta1.fc7.olpc.i386.rpm
sudo rpm -i ejabberd-...fc7.olpc.i386.rpm
</pre>

You can also download [http://people.collabora.co.uk/~robot101/olpc-ejabberd/ejabberd.cfg a configuration file (ejabberd.cfg)] with the changes outlined below already made. You'll just need to change the hostname and the admin account name. The hostname must be a fully qualified domain name. Be careful when adding host names not to add a line break: it will crash ejabberd in a cryptic way.

Don't forget to set up the service to turn on after a reboot:

<pre>
sudo /sbin/chkconfig --level 345 ejabberd on
</pre>

If you want to use the Fedora package with Fedora 8, you'll need to downgrade your Erlang to [http://koji.fedoraproject.org/koji/buildinfo?buildID=14206 R11B-5.3] ([http://rpm.pbone.net/index.php3/stat/4/idpl/5312940/com/erlang-R11B-5.3.fc8.i386.rpm.html mirror]) because the RPM above is built against Erlang R11 on Fedora 7.

Recent Debian-based distributions have all the needed patches in their ejabberd package. See [http://wiki.laptop.org/go/Installing_ejabberd/deb this page] for details.
== Source ==

We are currently trialling SVN trunk of ejabberd on jabber.laptop.org, which can be obtained with:

<pre>
svn co http://svn.process-one.net/ejabberd/trunk
</pre>

== Patches ==

We have a patch to the shared roster support so that already-connected clients are notified about new accounts which are registered after you connect (this happens a lot in development environments), and also patches to add support for @recent@ and @online@ shared roster groups. You should apply these patches in order:

* [http://people.collabora.co.uk/~robot101/olpc-ejabberd/shared_roster_push2.diff shared_roster_push2.diff]
* [http://people.collabora.co.uk/~robot101/olpc-ejabberd/shared_roster_recent.diff shared_roster_recent.diff]
* [http://people.collabora.co.uk/~robot101/olpc-ejabberd/shared_roster_online.diff shared_roster_online.diff]

There's also a mod_ctlextra patch which you may apply to add some extra features to the ejabberdctl command (see Tips below):

* [http://people.collabora.co.uk/~robot101/olpc-ejabberd/mod_ctlextra.diff mod_ctlextra.diff]
== Configuration ==

Many of the changes to the default ejabberd configuration described in this section can be obtained by using [http://people.collabora.co.uk/~robot101/olpc-ejabberd/ejabberd.cfg Collabora's example configuration file (ejabberd.cfg)].

See [http://wiki.laptop.org/go/XS_Installing_Software#Basic_ejabberd_Configuration XS Installing Software: Basic ejabberd Configuration].

=== Enable Modules ===

You must enable the following modules in the configuration file:

* mod_caps
* mod_muc
* mod_pubsub
* mod_ctlextra ''No longer needed?''

'''Note that PEP fails in very cryptic ways if mod_caps is not enabled.'''
=== MUC ===

The default MUC configuration assumes that conference.yourserver is a valid hostname. This isn't actually important for the XOs, but it must exist from the perspective of the server. You could put it into <tt>/etc/hosts</tt>, for example.
=== Disable S2S ===

Currently the XOs don't do a very good job with authorisation because they assume that only other XOs, e.g. from the same school, will be connected to the server, and "all see all" is an acceptable policy. For Internet-connected servers, it's best to disable "s2s" (server-to-server) connections to stop people from outside connecting in and breaking this assumption. Change:

<pre>
{5269, ejabberd_s2s_in, [{shaper, s2s_shaper},
                         {max_stanza_size, 131072}]},
</pre>

To:

<pre>
% {5269, ejabberd_s2s_in, [{shaper, s2s_shaper},
%                          {max_stanza_size, 131072}]},
</pre>

You should also explicitly disable outgoing s2s connections like this:

<pre>
{s2s_default_policy, deny}.
</pre>

As a trivial optimisation, you can also edit the configuration of mod_disco to stop clients calling out to users.jabber.org, which will always fail because s2s is disabled. Change:

<pre>
{mod_disco, [{extra_domains, ["users.jabber.org"]}]},
</pre>

To:

<pre>
{mod_disco, []},
</pre>

=== Enable Old-Style SSL ===

In ejabberd 2.0, old-style SSL connections on port 5223 are disabled by default. The XOs have an old version of loudmouth which does not support TLS, but old-style SSL is still used so that we can benefit from in-band DEFLATE compression (see [http://dev.laptop.org/ticket/4936 #4936]). Make sure that support for port 5223 is enabled by uncommenting (delete the %%s) the following in the {listen} section:

<pre>
{5223, ejabberd_c2s, [
                      {access, c2s},
                      {shaper, c2s_shaper},
                      tls, {certfile, "/etc/ejabberd/ejabberd.pem"},
                      {max_stanza_size, 65536}
                     ]},
</pre>

=== Raising The Limits ===

Until a few constants are tweaked (see [http://dev.laptop.org/ticket/5018 #5018]), the XOs send larger than normal stanzas through the server, which triggers the maximum stanza size limit and can make the Jabber server disconnect you, e.g. when inserting an image into a shared document. To fix this, we raise the maximum stanza limit. Change:

<pre>
{max_stanza_size, 65536},
</pre>

To:

<pre>
{max_stanza_size, 524288}
</pre>

in both the port 5222 and port 5223 ejabberd_c2s listen stanzas.

You can also aid interactivity by allowing the clients to send data at a faster rate by changing:

<pre>
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.
</pre>

To:

<pre>
{access, c2s_shaper, [{none, admin},
                      {fast, all}]}.
</pre>

=== Enable IPv6 ===

IPv6 connectivity should be enabled by adding the 'inet6' keyword to the port configuration in the {listen} section. For example, change:

<pre>
{5222, ejabberd_c2s, [
                      {access, c2s},
                      {shaper, c2s_shaper},
                      {max_stanza_size, 524288}
                     ]},
</pre>

To:

<pre>
{5222, ejabberd_c2s, [
                      inet6,
                      {access, c2s},
                      {shaper, c2s_shaper},
                      {max_stanza_size, 524288}
                     ]},
</pre>

Do this for all of the items in the {listen} section: ejabberd_c2s on port 5222, ejabberd_c2s on port 5223, and ejabberd_http on port 5280.

=== Allow inband registration ===

To allow clients to create Jabber accounts on the server, change

<pre>
{access, register, [{deny, all}]}.
</pre>

to

<pre>
{access, register, [{allow, all}]}.
</pre>

=== Disable account registration restriction ===

By default, ejabberd doesn't allow more than one account to be created in quick succession from the same IP. If you want to disable this restriction (mainly for testing purposes), add this line:

<pre>
{registration_timeout, infinity}.
</pre>
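The s2s, old-style SSL, stanza-size, module and registration settings above are easy to get wrong in a hand-edited ejabberd.cfg. The following Python script is an added example (not part of this page, OLPC's packages or ejabberd itself): it parses the Erlang-term subset the config file uses and reports where a config still carries the stock values this section tells you to change; the SAMPLE_CFG inside it is a constructed fragment, not a real file.

```python
# Added example (not OLPC's or ejabberd's own code): audit an ejabberd 2.0-style ejabberd.cfg
# against this page's settings. Only the Erlang-term subset the config uses is parsed.
import re

TOKEN = re.compile(r'%[^\n]*|"(?:[^"\\]|\\.)*"|-?\d+|[a-z][A-Za-z0-9_@]*|[{}\[\],.]')


def parse_terms(text):
    """Top-level terms: tuples -> tuple, lists -> list, atoms -> str, ints -> int.
    % comments are dropped, so a commented-out listener simply disappears."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith('%')]
    pos = 0

    def term():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok in ('{', '['):
            close, items = ('}' if tok == '{' else ']'), []
            while toks[pos] != close:
                items.append(term())
                pos += toks[pos] == ','        # step over a separating comma
            pos += 1                           # consume the closing bracket
            return tuple(items) if close == '}' else items
        if tok.startswith('"'):
            return tok[1:-1]
        return int(tok) if re.fullmatch(r'-?\d+', tok) else tok

    terms = []
    while pos < len(toks):
        terms.append(term())
        pos += 1                               # skip the terminating '.'
    return terms


def audit(cfg_text):
    """Return findings; an empty list means the config matches the steps on this page."""
    terms = parse_terms(cfg_text)
    lookup = lambda *head: [t for t in terms if isinstance(t, tuple) and t[:len(head)] == head]
    out, listen, mods = [], lookup('listen'), lookup('modules')
    listeners = {(p, m): o for p, m, o in (listen[0][1] if listen else [])}
    for (port, mod), opts in listeners.items():
        pairs = dict(o for o in opts if isinstance(o, tuple) and len(o) == 2)
        if mod == 'ejabberd_s2s_in':
            out.append(f"port {port}: inbound s2s listener enabled; comment it out")
        if mod == 'ejabberd_c2s' and pairs.get('max_stanza_size', 0) < 524288:
            out.append(f"port {port}: max_stanza_size below 524288; large XO stanzas will disconnect")
        if mod == 'ejabberd_c2s' and port == 5223 and ('tls' not in opts or 'certfile' not in pairs):
            out.append("port 5223: old-style SSL listener lacks tls or certfile")
    if (5223, 'ejabberd_c2s') not in listeners:
        out.append("port 5223: old-style SSL listener missing (XO loudmouth cannot do TLS)")
    policy = lookup('s2s_default_policy')
    if not policy or policy[0][1] != 'deny':
        out.append("s2s_default_policy is not deny; outgoing s2s still allowed")
    enabled = {m[0] for m in (mods[0][1] if mods else [])}
    for need in ('mod_caps', 'mod_muc', 'mod_pubsub'):
        if need not in enabled:
            out.append(f"{need} not enabled" + (" (PEP fails cryptically)" if need == 'mod_caps' else ""))
    reg = lookup('access', 'register')
    if reg and ('allow', 'all') in reg[0][2]:
        out.append("note: in-band registration open to all (the page enables this for XOs); keep s2s disabled")
    if any(t[1] == 'infinity' for t in lookup('registration_timeout')):
        out.append("note: registration_timeout infinity removes the per-IP registration limit")
    return out


# Constructed sample: the stock values from the page's "Change:" halves, plus open registration.
SAMPLE_CFG = '''
{listen, [
  {5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, {max_stanza_size, 65536}]},
  %% {5223, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, tls, {certfile, "x.pem"}]},
  {5269, ejabberd_s2s_in, [{shaper, s2s_shaper}, {max_stanza_size, 131072}]}
]}.
{access, register, [{allow, all}]}.
{registration_timeout, infinity}.
{modules, [{mod_muc, []}, {mod_pubsub, []}]}.
'''

print("\n".join(audit(SAMPLE_CFG)))
```

Run it against a real ejabberd.cfg by passing the file's contents to audit(); a config that has had every change in this section applied yields no findings apart from the two registration notes.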
== Register an Admin User ==

See [http://wiki.laptop.org/go/XS_Installing_Software#Basic_ejabberd_Configuration XS Installing Software: Basic ejabberd Configuration].

== Setting Up Shared Roster ==

'''You must perform this step by logging in to ejabberd's web admin interface, or your XOs will never see any buddies.'''

See [[XS Installing Software#Setup_Shared_Roster_Groups_for_ejabberd|XS Installing Software: Setup Shared Roster Groups for ejabberd]].

See [http://ejabberd.jabber.ru/shared-roster-all here] for additional information.
== Setting up a key ==

See [http://dev.laptop.org/ticket/5834 Trac #5834] for a problem which cropped up in recent releases. Until it is fixed, you will have to take the following steps after installing the RPM but before starting the server:

<pre>
openssl req -newkey rsa:1024 -keyout ejabberd.pem -nodes -x509 -days 3650 -out ejabberd.cer
echo "" >> ejabberd.pem
cat ejabberd.cer >> ejabberd.pem
sudo cp ejabberd.pem /etc/ejabberd/ejabberd.pem
sudo chown ejabberd:ejabberd /etc/ejabberd/ejabberd.pem
sudo chmod 400 /etc/ejabberd/ejabberd.pem
</pre>
== Tips ==

Every time you flash an XO, it will generate a new key and hence register a new account on the server. This can lead to quite a lot of accounts floating around on the server, so you get more and more irrelevant users which will never be used again. If you applied the mod_ctlextra patch, you may use <tt>ejabberdctl delete-older-users 30</tt> to delete users who haven't logged in for a month, for example. Note that this will probably also delete your admin account because you're unlikely to ever log into it using a Jabber client, but you can re-add it with <tt>ejabberdctl register yourserver admin password</tt>. Note that unfortunately, the behaviour of the ejabberdctl command differs according to which distribution you use: on Fedora it seems to also require a first argument of your node name, which is usually your hostname.

Some other random tips:

* In recent builds (recent as of March 2008), you need to explicitly tell the laptop to register with the Jabber server. It uses the server named in ~olpc/.sugar/default/config. The easiest way to set a Jabber server is with sugar-control-panel, as shown on the [[Jabber]] page.
* If the laptop has registered with a Jabber server, the [[Presence Service]] process on the laptop tries to connect to it periodically. If the connection fails, mesh collaboration is used instead.
* See [[Schoolserver Testing#Laptop Registration]] and [[School Identity Manager]] for more details about the process.
== Troubleshooting ==

Ejabberd tends to break if you change your hostname anywhere.

''RPC failed on the node register@schoolserver: nodedown''

You may get this error if you change your hostname.

Try the following to fix ejabberd (basically reinstall it):

<pre>
/etc/init.d/ejabberd stop
killall epmd
rm -rf /var/lib/ejabberd
rpm -e --nodeps ejabberd
yum install ejabberd
</pre>

Fix the config files (/etc/ejabberd/ejabberd.cfg).

Make sure you can ping your fully qualified domain name.

--- BryanWB

See [http://wiki.laptop.org/go/XS_Installing_Software#Troubleshooting XS Installing Software: Troubleshooting] for additional troubleshooting resources.
Latest revision as of 06:40, 11 May 2010