Installation

Supported platforms

Canopy is officially supported on the following operating systems:

Operating System

Version

Notes

Ubuntu Linux (Highly recommended)

18.04/20.04/22.94 LTS

64-bit

RedHat Enterprise Linux/Oracle Enterprise Linux/CentOS

v7.3+/Stream v8.0+

64-bit

The following key dependencies on Linux based operating systems are noted:

Key Dependency

Description

PostgreSQL 9.6+

Database server for storing/processing Canopy data. Note that certain database servers may require more resources.

nginx 1.x or Apache 2.4/2.5

Front-end web server for serving the Canopy user interface.

RabbitMQ Server 3.x

Back-end service for processing Canopy related tasks using the Celery framework.

OpenJDK 8 JRE or Oracle Java 8

Java library for document generation.

Overview

The following high level steps need to be completed for a Canopy installation:

  1. Install the Canopy and Canopy document server packages (See Platform installation guides section below)

  2. Configure the Canopy database, reverse proxy, initial user, etc. (See Configuration section)

For upgrades see Upgrading

Platform installation guides

Install on Ubuntu 18.04/20.04/22.04

Canopy

As root:

  1. Install Canopy packages:

    apt install -f ./canopy_3.1.0_amd64.deb
    
  2. Copy your Canopy license file to /etc/canopy/license. Canopy will output your license details at the top each time you run canopy-manage. This allows you to easily verify if the license is installed properly and if its still valid.

  3. Setup a database and reverse proxy via steps in the Configuration section.

Canopy Document Server

As root:

  1. Install Java 8:

    apt install openjdk-8-jre
    
  2. Install Canopy Docserver package:

    apt install -f ./canopy-docserver_0.0.11_amd64.deb
    
  3. Restart Docserver services:

    systemctl restart canopy-docserver
    

Install on RHEL 7, Oracle EL 7 and CentOS 7

Canopy

As root:

  1. Install libtidy5 (available on our Client Portal):

    yum install ./libtidy5-5.2.0-2.3.x86_64.rpm
    
  2. Install rabbitmq-server package:

    1. On Centos you can install the epel-release package and the Canopy installation will source the correct dependencies.

    2. On RHEL/OEL you can either install epel-release or install rabbitmq-server 3.x from https://www.rabbitmq.com/install-rpm.html#downloads and install their Erlang distribution from https://github.com/rabbitmq/erlang-rpm/releases

  3. Install Canopy:

    yum install ./canopy-3.1.0-1.el7.centos.x86_64.rpm
    
  4. Copy your Canopy license file to /etc/canopy/license. Canopy will output your license details at the top each time you run canopy-manage. This allows you to easily verify if the license is installed properly and if its still valid.

  5. Setup a database and reverse proxy via steps in the Configuration section.

Install on RHEL 8, Oracle EL 8 and CentOS Stream 8

Canopy

As root:

  1. Install libtidy package:

    1. On Centos you can install the epel-release package and the Canopy installation will source the correct dependencies.

    2. On RHEL/OEL you can either install epel-release or install ./libtidy-5.6.0-5.el8.x86_64 as provided by Checksec via our Client Portal.

  2. Install rabbitmq-server package:

    1. On Centos you can install the epel-release package and the Canopy installation will source the correct dependencies.

    2. On RHEL/OEL you can either install epel-release or install rabbitmq-server 3.x from https://www.rabbitmq.com/install-rpm.html#downloads and install their Erlang distribution from https://github.com/rabbitmq/erlang-rpm/releases

  3. Install Canopy:

    yum install ./canopy-3.6.0.el8.centos.x86_64.rpm
    
  4. Copy your Canopy license file to /etc/canopy/license. Canopy will output your license details at the top each time you run canopy-manage. This allows you to easily verify if the license is installed properly and if its still valid.

  5. Setup a database and reverse proxy via steps in the Configuration section.

Canopy Document Server

  1. Install OpenJDK 8 JRE or Oracle Java 8:

    yum install java-1.8.0-openjdk.x86_64
    
  2. Install Canopy Docserver:

    yum install ./canopy-docserver-0.0.12-1.el7.centos.x86_64.rpm
    
  3. Restart Docserver services:

    systemctl restart canopy-docserver
    

Example sources for packages

  • epel-release can be sourced from Fedora.

Configuration

As root:

  1. Setup PostgreSQL:

    canopy-setup postgresql
    
  2. Setup nginx:

    canopy-setup nginx
    

    Optional if you intend to configure your own reverse proxy.

    Note

    Apache users see the Apache configuration section.

    1. (RHEL) (Optional) Configure firewall access. The following commands would open up ports 80 and 443:

      firewall-cmd --zone=public --add-service=https --permanent
      firewall-cmd --zone=public --add-service=https
      firewall-cmd --zone=public --add-service=http --permanent
      firewall-cmd --zone=public --add-service=http
      
    2. (RHEL) (Optional) Enable the SELinux httpd_can_network_connect option so that the reverse proxy may connect to Canopy:

      setsebool -P httpd_can_network_connect 1
      
  3. Initialise database (schema and initial data):

    canopy-manage setupdb --prod
    
  4. Create an initial admin user:

    canopy-manage createsuperuser
    
  5. Configure systemd persistent logging (see the Logging configuration section).

Once the database has been set up and the admin user created, restart the Canopy services:

systemctl restart canopy canopy-celery

In order for links to be generated correctly, the EXTERNAL_BASE_URL setting should be updated in /etc/canopy/canopy.ini to the URL that your users will use to access this Canopy instance.

Logging configuration

Canopy uses systemd for logging but by default most Linux distributions do not persist systemd logs. The following commands will configure systemd/journald to persist its logs to disk:

mkdir /var/log/journal
systemctl restart systemd-journald

If systemd is not configured to persist logs then they will not survive reboots.

Additionally one should adjust the default rate limit for logging as there might be times when Canopy emits large bursts of logs.

In /etc/systemd/journald.conf, set the following:

RateLimitBurst=0  # Disable rate limiting

and reload journald:

systemctl restart systemd-journald

Please see man journald.conf or https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information on how to configure logging.

Apache configuration

Required modules

The following Apache modules are required, over and above what is installed by default:

  • ssl

  • proxy

  • proxy_http

  • headers

  • rewrite

  • deflate

An example Apache config is provided in /opt/checksec/canopy/sample_configs/apache.conf.

Debugging

Check if services are running:

systemctl status canopy canopy-celery canopy-docserver

Restart services:

systemctl restart canopy canopy-celery canopy-docserver

Get a service’s logs:

journalctl -xe -u canopy

Follow a service’s logs:

journalctl -xe -f -u canopy

Get logs for all services for today:

journalctl -u canopy -u canopy-celery -u canopy-docserver --since today

Upgrading

Although the upgrade process is the same for minor and patch releases of Canopy, it is advised to perform backup prior to minor release updates.

Patch release upgrades (e.g. upgrading from 3.2.3 to 3.2.4) are designed to be low risk and our release notes will contain anything you should be aware of. Downgrading to a lower patch release of the same minor version is usually supported.

Minor release upgrades (e.g. upgrading from 3.2.3 to 3.3.0) are inherently more risky as we use them to perform schema changes to the database and other migrations.

Warning

Downgrading to a lower minor release is not supported and backups are highly recommended.

See Backups and recovery on how to perform backups.

As the root user:

  1. Install new package via apt/yum. Make sure to check the output of the package installation process to see if there are any errors.

  2. Restart services:

    systemctl restart canopy canopy-celery canopy-docserver
    

Note

If Canopy, or any of its services, fail to start after an upgrade then the first place to look are the service logs:

journalctl -e -u canopy -u canopy-celery -u canopy-docserver

Check the logs for any obvious errors that might indicate failure. If the upgrade process failed to migrate the database schema, or perform other maintenance tasks, then there will be errors stating this with the actions to take.

Warning

The database must be accessible during the upgrade. If it is not, critical migrations will not be applied.

The migrations can be manually executed prior to restarting the services by running the postinstall command:

canopy-manage postinstall