Installation¶
Supported platforms¶
Canopy is officially supported on the following operating systems:
Operating System |
Version |
Notes |
---|---|---|
Ubuntu Linux (Highly recommended) |
18.04/20.04/22.94 LTS |
64-bit |
RedHat Enterprise Linux/Oracle Enterprise Linux/CentOS |
v7.3+/Stream v8.0+ |
64-bit |
The following key dependencies on Linux based operating systems are noted:
Key Dependency |
Description |
---|---|
PostgreSQL 9.6+ |
Database server for storing/processing Canopy data. Note that certain database servers may require more resources. |
nginx 1.x or Apache 2.4/2.5 |
Front-end web server for serving the Canopy user interface. |
RabbitMQ Server 3.x |
Back-end service for processing Canopy related tasks using the Celery framework. |
OpenJDK 8 JRE or Oracle Java 8 |
Java library for document generation. |
Overview¶
The following high level steps need to be completed for a Canopy installation:
Install the Canopy and Canopy document server packages (See Platform installation guides section below)
Configure the Canopy database, reverse proxy, initial user, etc. (See Configuration section)
For upgrades see Upgrading
Platform installation guides¶
Install on Ubuntu 18.04/20.04/22.04¶
Canopy¶
As root:
Install Canopy packages:
apt install -f ./canopy_3.1.0_amd64.deb
Copy your Canopy license file to
/etc/canopy/license
. Canopy will output your license details at the top each time you run canopy-manage. This allows you to easily verify if the license is installed properly and if its still valid.Setup a database and reverse proxy via steps in the Configuration section.
Canopy Document Server¶
As root:
Install Java 8:
apt install openjdk-8-jre
Install Canopy Docserver package:
apt install -f ./canopy-docserver_0.0.11_amd64.deb
Restart Docserver services:
systemctl restart canopy-docserver
Install on RHEL 7, Oracle EL 7 and CentOS 7¶
Canopy¶
As root:
Install libtidy5 (available on our Client Portal):
yum install ./libtidy5-5.2.0-2.3.x86_64.rpm
Install
rabbitmq-server
package:On Centos you can install the
epel-release
package and the Canopy installation will source the correct dependencies.On RHEL/OEL you can either install
epel-release
or installrabbitmq-server
3.x from https://www.rabbitmq.com/install-rpm.html#downloads and install their Erlang distribution from https://github.com/rabbitmq/erlang-rpm/releases
Install Canopy:
yum install ./canopy-3.1.0-1.el7.centos.x86_64.rpm
Copy your Canopy license file to
/etc/canopy/license
. Canopy will output your license details at the top each time you run canopy-manage. This allows you to easily verify if the license is installed properly and if its still valid.Setup a database and reverse proxy via steps in the Configuration section.
Install on RHEL 8, Oracle EL 8 and CentOS Stream 8¶
Canopy¶
As root:
Install
libtidy
package:On Centos you can install the
epel-release
package and the Canopy installation will source the correct dependencies.On RHEL/OEL you can either install
epel-release
or install./libtidy-5.6.0-5.el8.x86_64
as provided by Checksec via our Client Portal.
Install
rabbitmq-server
package:On Centos you can install the
epel-release
package and the Canopy installation will source the correct dependencies.On RHEL/OEL you can either install
epel-release
or installrabbitmq-server
3.x from https://www.rabbitmq.com/install-rpm.html#downloads and install their Erlang distribution from https://github.com/rabbitmq/erlang-rpm/releases
Install Canopy:
yum install ./canopy-3.6.0.el8.centos.x86_64.rpm
Copy your Canopy license file to
/etc/canopy/license
. Canopy will output your license details at the top each time you run canopy-manage. This allows you to easily verify if the license is installed properly and if its still valid.Setup a database and reverse proxy via steps in the Configuration section.
Canopy Document Server¶
Install OpenJDK 8 JRE or Oracle Java 8:
yum install java-1.8.0-openjdk.x86_64
Install Canopy Docserver:
yum install ./canopy-docserver-0.0.12-1.el7.centos.x86_64.rpm
Restart Docserver services:
systemctl restart canopy-docserver
Example sources for packages¶
epel-release
can be sourced from Fedora.
Configuration¶
As root:
Setup PostgreSQL:
canopy-setup postgresql
Setup nginx:
canopy-setup nginx
Optional if you intend to configure your own reverse proxy.
Note
Apache users see the Apache configuration section.
(RHEL) (Optional) Configure firewall access. The following commands would open up ports 80 and 443:
firewall-cmd --zone=public --add-service=https --permanent firewall-cmd --zone=public --add-service=https firewall-cmd --zone=public --add-service=http --permanent firewall-cmd --zone=public --add-service=http
(RHEL) (Optional) Enable the SELinux
httpd_can_network_connect
option so that the reverse proxy may connect to Canopy:setsebool -P httpd_can_network_connect 1
Initialise database (schema and initial data):
canopy-manage setupdb --prod
Create an initial admin user:
canopy-manage createsuperuser
Configure systemd persistent logging (see the Logging configuration section).
Once the database has been set up and the admin user created, restart the Canopy services:
systemctl restart canopy canopy-celery
In order for links to be generated correctly, the EXTERNAL_BASE_URL
setting should be updated in /etc/canopy/canopy.ini
to the URL that
your users will use to access this Canopy instance.
Logging configuration¶
Canopy uses systemd for logging but by default most Linux distributions do not persist systemd logs. The following commands will configure systemd/journald to persist its logs to disk:
mkdir /var/log/journal
systemctl restart systemd-journald
If systemd is not configured to persist logs then they will not survive reboots.
Additionally one should adjust the default rate limit for logging as there might be times when Canopy emits large bursts of logs.
In /etc/systemd/journald.conf, set the following:
RateLimitBurst=0 # Disable rate limiting
and reload journald:
systemctl restart systemd-journald
Please see man journald.conf or https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information on how to configure logging.
Apache configuration¶
Required modules¶
The following Apache modules are required, over and above what is installed by default:
ssl
proxy
proxy_http
headers
rewrite
deflate
An example Apache config is provided in
/opt/checksec/canopy/sample_configs/apache.conf
.
Debugging¶
Check if services are running:
systemctl status canopy canopy-celery canopy-docserver
Restart services:
systemctl restart canopy canopy-celery canopy-docserver
Get a service’s logs:
journalctl -xe -u canopy
Follow a service’s logs:
journalctl -xe -f -u canopy
Get logs for all services for today:
journalctl -u canopy -u canopy-celery -u canopy-docserver --since today
Upgrading¶
Although the upgrade process is the same for minor and patch releases of Canopy, it is advised to perform backup prior to minor release updates.
Patch release upgrades (e.g. upgrading from 3.2.3 to 3.2.4) are designed to be low risk and our release notes will contain anything you should be aware of. Downgrading to a lower patch release of the same minor version is usually supported.
Minor release upgrades (e.g. upgrading from 3.2.3 to 3.3.0) are inherently more risky as we use them to perform schema changes to the database and other migrations.
Warning
Downgrading to a lower minor release is not supported and backups are highly recommended.
See Backups and recovery on how to perform backups.
As the root user:
Install new package via apt/yum. Make sure to check the output of the package installation process to see if there are any errors.
Restart services:
systemctl restart canopy canopy-celery canopy-docserver
Note
If Canopy, or any of its services, fail to start after an upgrade then the first place to look are the service logs:
journalctl -e -u canopy -u canopy-celery -u canopy-docserver
Check the logs for any obvious errors that might indicate failure. If the upgrade process failed to migrate the database schema, or perform other maintenance tasks, then there will be errors stating this with the actions to take.
Warning
The database must be accessible during the upgrade. If it is not, critical migrations will not be applied.
The migrations can be manually executed prior to restarting the services by running the postinstall command:
canopy-manage postinstall