Operating system installation
This section describes operating system installation, as well as necessary and additional packages installation. The ECSS-10 system version 3.14 is running under Ubuntu Server 18.04.x LTS 64bit.
Preliminary requirements
- Bootable installation media with the operating system distribution;
- Prepared server with updated BIOS and ILO (if available), connected to a network with Internet access;
- In the BIOS, USB flash or CD/DVD is set as the first boot device so that the server boots from the installation media;
- Sufficient volume of disk space and memory in accordance with the project.
To install the OS, do the following:
After booting from the installation media, select "Install Ubuntu Server".
Select system language and keyboard layout.
Configuring network interfaces
Configure network interface for the Internet connection:
Creating disk partitions
Select "Custom storage layout":
Next, create the additional partitions in the LVM group in accordance with Table 1.
Table 1 — Option of placing information in the file system on physical media for servers
...
Example of creating partitions for 200Gb disk:
The "hostname" parameter must be configured in the system servers.
...
Tip: If a single server is used, the recommended hostname value is ecss1. For a cluster installation, the value for the first server is ecss1 and for the second is ecss2.
OpenSSH server installation
At the end of the OS installation, you will be prompted to install additional software for remote connection — you need to install OpenSSH server.
In Ubuntu 18.04 the swap file is located in the root directory as /swap.img.
...
```
sudo swapoff -a
sudo rm /swap.img
```
When installing Ubuntu-18.04, setting a time zone is not prompted.
```
sudo timedatectl set-timezone Asia/Novosibirsk
```
Checking operating system installation
Checking the system mainly means verifying that the disk partitions were created correctly and that SSH access is available.
...
- <user> — user name specified during installation;
- <IP_ecss> — IP address of the host specified during installation.
The domain name of the ecss1 host must correspond to the address 127.0.1.1. The address of the ecss2 host must also be registered. To do this, add the IP addresses of the ecss hosts to the /etc/hosts file.
...
```
127.0.0.1 localhost
127.0.1.1 ecss2
192.168.1.21 ecss1
```
Configuring network interfaces
Note: Obtaining addresses via DHCP on the network interfaces of ECSS servers is not allowed!
Network settings must be performed using Netplan.
Example:
Configure a server with 4 network interfaces using link aggregation (802.3ad) and the necessary VLANs. The gateway for Internet access is 192.168.1.203.
...
To apply new network settings, run the netplan apply command. No network or system restart is required.
OS updating and necessary software installation
System update
Adding ELTEX repository:
```
sudo sh -c "echo 'deb [arch=amd64] http://archive.eltex.org/ssw/bionic/3.14 stable main extras external' > /etc/apt/sources.list.d/eltex-ecss10-stable.list"
```
...
```
sudo apt update
sudo apt upgrade
```
List of mandatory service software:
...
```
sudo dpkg --get-selections
```
ECSS packages installation
Preliminary requirements
- Installed and updated operating system (Ubuntu-18.04);
- Absence of user named ssw in the system;
- Disk space partitioning in accordance with recommendations;
- Network configured as described in the Configuring network interfaces section;
- Installed set of necessary packages;
- Access to ELTEX repository.
Tip: During ECSS package installation, you will need to answer a number of questions to form the required configuration. The question templates are given below.
For ECSS-10 system installation, the packages must be installed in the order in which they are described in the documentation below.
Installation of required packages
ecss-mysql installation
The first step is to install ecss-mysql package.
...
If the system is deployed in cluster, then package installation and database replication configuration must be performed according to the instructions in MySQL master-master replication deployment scheme using keepalive appendix.
When installing package, MySQL server is installed with the necessary settings, and necessary databases are created. During installation, the following data will be requested:
...
Note: For security reasons, in mysql-5.7 and higher the root login may only be used for logging in from the local host.
ecss-node installation
Installation of mandatory ecss-node package includes installation and initial configuration of the main subsystems.
...
During the package installation the ssw user is created, on whose behalf all ecss services are launched*. The necessary directories are created, and DNS, SSL certificates and the NTP service are configured. During the installation, the questions needed to form the configuration files are asked.
| Question template | Data type | Default value | Question | Description |
|---|---|---|---|---|
| ecss-configuration/mysql_autoinstall | boolean | true | Set DB config to default? | If yes, the mysql databases are configured with default settings. |
| ecss-configuration/mysql_address | string | cocon.mysql.ecss | IP or hostname of MySql server: | Enter the IP address or host name of the MySQL server. |
| ecss-configuration/mysql_port | string | 3306 | Port of MySql server: | Enter the MySQL server port. |
| ecss-configuration/mysql_drive_overload_alarm | boolean | false | Send ECSS-10 alarm in case of MySQL drive is overload: | If yes, an alarm is raised when the disk partition hosting the mysql databases is full. |
| ecss-configuration/ntp_tos | boolean | false | NTP: Do you want use settings for cluster? | See Time synchronization on servers. Asks whether to enable tos orphan mode, the cluster mode that regulates synchronization between the nodes (yes/no). |
| ecss-configuration/ntp_local | boolean | false | NTP: Do you want to use other servers for time synchronization? | Offers to use synchronization settings with the local servers of the cluster. |
| ecss-configuration/ntp_server_external | string | ntp.ubuntu.com | External NTP servers through a space: | External NTP servers (ntp.ubuntu.com by default). They are specified for the nodes that regulate time and synchronize with an external source; addresses are separated by a space. |
| ecss-configuration/ntp_server | string | 127.0.0.1 | NTP: Indicate local servers for synchronization separated a space: | The local network servers between which synchronization is performed. |
| ecss-configuration/ntp_auto | boolean | false | NTP: Do you want to define manually which networks should have access to ntp? | Configure the list of subnets from which time synchronization with this server is allowed. |
| ecss-configuration/ntp_network | string | | NTP: Networks, which must have access to the ntp through a space: Format: <ip>\|<mask> (x.x.x.x\|255.255.255.0) | Networks allowed to reach this server so that other nodes and other devices can synchronize time with it, in the format <network_address\|network_mask>, separated by a space. |
| ecss-configuration/ntp_stratum_tos | string | 7 | NTP: Set stratum for cluster: | Stratum (time accuracy) of the cluster. |
| ecss-copycdr/is_need | boolean | false | Install ecss-copycdr utility? | If yes, the ecss-copycdr utility is installed and configured to copy CDR files to an external FTP/SFTP server, and you will be prompted for the required settings. |
| ecss-call-api/core-ip | string | localhost | IP address of core: | Enter the IP address of the core. |
Configuring certificates
This step is relevant only if a self-signed certificate was generated: only then is ecss10root.crt installed in the system (during copying it also tries to download ecss10root.crt, or the file may have been placed manually during installation). If certificates already exist, no action is taken. Finally, the validity of the certificate is checked.
...
- URL of http_terminal (https://ecss1:9999)
- Login (admin)
- Password (password)
- Node with certificates (core1@ecss1)
DNS
During ecss-node package installation internal DNS addresses are being configured. Depending on the current system configuration the following message may be displayed during installation:
...
```
sasha@ecss1:~$ systemctl status dnsmasq.service
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-09-24 20:52:03 +07; 2 weeks 3 days ago
 Main PID: 10914 (dnsmasq)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/dnsmasq.service
           └─10914 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b6f6446702e54a1607371607a1a41

Sep 24 20:52:03 ecss1 systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Sep 24 20:52:03 ecss1 dnsmasq[10890]: dnsmasq: syntax check OK.
Sep 24 20:52:03 ecss1 systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
```
ecss-media-server installation
ecss-media-server package is a mandatory component for processing VoIP traffic. The media server is designed for processing speech and video information over RTP, organizing conferences, recording conversations, playing media files and various combinations of these modes.
...
During installation, a number of questions are asked in order to create the necessary configuration files. If the system is non-redundant, you can decline the MSR settings and a default configuration will be created. If the system is redundant, it is enough to configure only the bind-address at the initial stage; the rest of the settings can be done later. See "Media server configuration".
ecss-restfs installation
RestFS is a component that provides HTTP API for working with files. To install, follow these steps:
...
RestFS setup is described in the RestFS configuration section.
ecss-media-resources installation
The package includes a set of system audio files designed for playing answering machine phrases and use in IVR scenarios, as well as a set of tools for working with custom audio files.
...
```
sudo apt install ecss-media-resources
```
ecss-web-conf installation
The web configurator makes system management clearer and more convenient. Installing the web configurator is not mandatory, but it is recommended.
...
```
sudo apt install ecss-web-conf
```
Optional installation of additional packages
The repository also contains additional packages that can be installed optionally based on the project.
...
Checking interface availability by DNS names
You can check dnsmasq operation with a simple ping:
...
All interfaces should be accessible.
Time synchronization on servers
Note: Before configuring NTP, make sure that the ntp package is installed in the system.
...
The date command without parameters displays the current system time.
NTP installation and configuring
NTP is configured during ecss-node package installation.
...
Enter the external servers separated by a space (ntp.ubuntu.com by default):
Allow (Yes) or forbid (No) activation of the tos orphan mode (a cluster mode in which the servers regulate synchronization between themselves). If the system is installed in a cluster, the ECSS servers must have the same time even when the external NTP servers are unavailable, so select "Yes".
The accuracy of the cluster time, by stratum. By default 7:
You are then asked to enter the addresses of the neighbouring cluster servers so that they synchronize with each other. In this example ecss1 is being configured, so the ecss2 address is entered; when configuring ecss2, the ecss1 address is entered correspondingly. If there are several servers, list them separated by a space.
Next, configure the subnet addresses from which other devices are allowed to synchronize with this server:
The networks that may access this server are specified so that other nodes, as well as other devices, can synchronize time with it. Network format: <net_address|net_mask>. If there are several networks, list them separated by a space.
After installation, settings are saved in /etc/ecss/ecss-ntp.conf file. Example of the resulting file for ecss1 server:
...
As seen, the server stratum value has become equal to 2.
Configuring Token
The Token is a USB license protection key. Its presence is necessary for correct operation of the licensing system and of the SSW in general. Earlier ECSS servers were supplied with eToken keys when a license was purchased; new installations are equipped with Rutoken USB keys.
Software installation and Token connection
All the libraries necessary for RuToken operation are installed from ELTEX repository together with ecss-node package.
...
If the key was already connected to the server earlier and it was reconnected, it is recommended to restart the server.
Checking Token operation
To check token operation, you can use pkcs11-tool application. It is possible to check the following:
...
Warning: If problems with detecting the key remain, contact technical support.
Restarting Token via SSH in case it freezes
To restart USB token, perform the following set of actions:
Install usb-reset utility:
```
sudo snap install usb-reset
sudo snap connect usb-reset:hardware-observe core:hardware-observe
sudo snap connect usb-reset:raw-usb core:raw-usb
```
Check that USB token has indeed frozen. Example:
```
pkcs11-tool --module /usr/lib/ecss/ecss-ds/lib/lpm_storage-3.14.8.70203.423017/priv/x64/librtpkcs11ecp.so -L
```
The output should either show nothing at all, or show all slots as empty.
Get the idVendor, idProduct of the USB token. Command for Rutoken:
```
sudo lsusb -v | grep -C 10 "Rutoken ECP"
```
Find the parameters idVendor, idProduct in the specified output:
```
lsusb -v | grep -C 10 "Rutoken ECP"
FIXME: alloc bigger buffer for device capability descriptors
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        16
  idVendor           0x0a89
  idProduct          0x0030
  bcdDevice            1.00
  iManufacturer           1 Aktiv
  iProduct                2 Rutoken ECP
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           93
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
```
Restart the USB device:
```
sudo usb-reset <idVendor>:<idProduct>
```
Example:
```
sudo usb-reset 0a89:0030
```
Check that the slot(s) appeared:
```
pkcs11-tool --module /usr/lib/ecss/ecss-ds/lib/lpm_storage-<VERSION>/priv/x64/librtpkcs11ecp.so -L
Available slots:
Slot 0 (0x0): Aktiv Rutoken ECP 00 00
...
```
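The steps above can be scripted so that a reset is only issued when the token really looks frozen. The following POSIX shell helpers are an added example, not part of the vendor documentation: they parse the `pkcs11-tool -L` and `lsusb -v` outputs shown above and call `usb-reset` with the discovered idVendor:idProduct. The module path assumes the lpm_storage version from the page; adjust it to the installed one.

```shell
#!/bin/sh
# Added example, not the vendor's script: automates the Rutoken freeze check
# and reset described in the steps above, using the pkcs11-tool, lsusb and
# usb-reset commands from the page. Adjust PKCS11_MODULE to the installed
# lpm_storage version.
PKCS11_MODULE="/usr/lib/ecss/ecss-ds/lib/lpm_storage-3.14.8.70203.423017/priv/x64/librtpkcs11ecp.so"

# Reads `pkcs11-tool -L` output on stdin. Returns 0 (frozen) when the output
# is empty or every listed slot is reported as "(empty)", 1 otherwise.
slots_look_frozen() {
  out=$(cat)
  slots=$(printf '%s\n' "$out" | grep -c '^Slot ' || true)
  empty=$(printf '%s\n' "$out" | grep -c '^ *(empty)' || true)
  [ "$slots" -eq 0 ] || [ "$slots" -eq "$empty" ]
}

# Reads `lsusb -v` output on stdin and prints idVendor:idProduct (hex, without
# the 0x prefix) of the first device whose descriptor block mentions $1.
usb_ids_from_lsusb() {
  awk -v want="$1" '
    /^Bus /          { v = ""; p = ""; hit = 0 }   # a new device block starts
    index($0, want)  { hit = 1 }
    /^ *idVendor /   { v = substr($2, 3) }          # strip "0x"
    /^ *idProduct /  { p = substr($2, 3) }
    hit && v != "" && p != "" { print v ":" p; exit }'
}

# Full procedure: resets only when the token actually looks frozen. Needs
# root and the usb-reset snap installed and connected as shown above.
reset_token_if_frozen() {
  if pkcs11-tool --module "$PKCS11_MODULE" -L 2>/dev/null | slots_look_frozen; then
    ids=$(sudo lsusb -v 2>/dev/null | usb_ids_from_lsusb "Rutoken ECP")
    if [ -z "$ids" ]; then
      echo "Rutoken ECP not found on the USB bus" >&2
      return 1
    fi
    echo "token frozen, resetting $ids"
    sudo usb-reset "$ids"
    sleep 2
    pkcs11-tool --module "$PKCS11_MODULE" -L    # the slot(s) should be listed again
  else
    echo "token slots present, no reset needed"
  fi
}
```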
Token operation problem on DEPO servers
If token disconnections from DEPO servers are recorded periodically, check syslog for EHCI driver errors. If errors are present, go to the server BIOS and enable XHCI mode (BIOS path: Advanced/USB Configuration: XHCI Pre-Boot Driver — Enabled, XHCI — Enabled).
Configuring listen interface for epmd service
Example of listen interface configuring for epmd service in accordance with the network configuration given in Configuring network interfaces section.
For the ecss1 server, the following sequence of actions must be performed:
...
Warning: Addresses that have been configured in keepalived.conf cannot be used as ERL_EPMD_ADDRESS.
System start and activation
Warning: Before starting work, check that the Token is present in the system.
To start and activate the system, perform the following set of actions:
...
Connect to the distributed CoCon Management Console:
```
ssh admin@localhost -p8023
```
...
At this stage, the system is considered fully installed and ready for configuration.
Cluster system installation features
Installing ECSS-10 on a cluster
Host preparation
When installing ECSS-10 system in a cluster, it is necessary to perform the following on both servers in accordance with the project:
- Operating system installation;
- Network Setup;
- Necessary software installation;
- NTP configuring;
- EPMD configuring;
- Token verification.
Setting cluster name
It is necessary to specify the same cluster name on both servers for system operation. To do this, open mycelium1.config file in text editor:
...
Warning: Addresses that have been configured in keepalived.conf cannot be used as primary.broker.ecss and secondary.broker.ecss.
Configuring RestFS for a cluster
To work in a cluster, you need to configure RestFS operation based on a GlusterFS server.
Installing and configuring snmpd
Install Net-SNMP agent:
```
sudo aptitude install snmpd
```
...
```
sudo netstat -tulpan | grep snmpd
udp        0      0 127.0.0.1:3161          0.0.0.0:*                           7723/snmpd
```
Configuring VRRP
Configuring the keepalived daemon to manage virtual addresses
One way to increase the fault tolerance of ECSS-10 is to use virtual IP addresses. A virtual IP address is an address that does not permanently belong to any specific node of the ECSS-10 cluster, but is automatically raised on the node that is currently able to serve requests. Thus:
To manage virtual addresses, the keepalived daemon is used, which implements the following functions:
General keepalived configuration
It is recommended to use the VRRP version 3 protocol, because it provides a lower delay before address transfer in case the current active node is lost. When using the IPNET protocol on the network, the VRRP version 3 protocol must be used. To ensure prompt switching between worker nodes, it is the VRRP version 3 protocol that should be used, because it allows VRRP advertisements to be broadcast at 1/100 second (centisecond) intervals, unlike VRRP version 2, which operates at second intervals. However, VRRP version 2 is still functional in version 3.14 of ECSS. Version 3 of the VRRP protocol must be explicitly set in the configuration file, version 2 is used by default:
It is also recommended to run the verification scripts as the nobody user (a system user without rights) and to enable secure execution of scripts that are run as the root user. After defining the global options for the daemon, use the include option to include the files with the configuration of the virtual addresses. The keepalived configuration allows comments: they may appear in any part of the configuration, start with the # character and end at the end of the line. The basic daemon configuration is stored in /etc/keepalived/keepalived.conf.
Note: Many examples found on the net use the authentication option when configuring VRRP. However, the keepalived documentation mentions that authentication was removed from VRRPv2 in RFC 3768 (https://tools.ietf.org/html/rfc3768) in 2004, as it did not provide real security and could result in two "masters". Avoid using this section; in VRRPv3 the option is disabled.
Basic configuration (the same for all cluster nodes):
Configuring a virtual address for a SIP adapter
In the given diagram two virtual addresses for SIP adapters are used. This allows distributing the load between nodes by configuring neighboring devices in such a way that some of them operate with one virtual address, and some with another. At the same time, under the condition of incomplete loading of the nodes, fault tolerance is preserved, because in case of failure of one of the nodes, the virtual address will be picked up by another node. The configuration is built in such a way that the first node is the master for the first virtual address of the SIP adapter. The second node will reserve this address. The configuration for the main address of the SIP adapter of the second node is mirrored — the second node is the master, the first node is a backup. The configuration of virtual addresses for the SIP adapter is recommended to be placed in a separate /etc/keepalived/pa-sip.conf file.
First node configuration
Second node configuration
Configuring virtual address for MySQL
MySQL database replication configuration is given in the MySQL master-master replication deployment scheme using keepalive section. An example of creating a typical configuration is given in the Examples of step-by-step initial configuration of ECSS-10 section.
Configuring virtual address for IPNET
Since multiple peer addresses are not supported over IPNET, allocate a virtual IP address when running ECSS-10 in a cluster. To ensure prompt switching between operating nodes, use the VRRP version 3 protocol, because it allows VRRP advertisements to be sent at 1/100th of a second (centisecond) intervals, unlike the VRRP version 2 protocol, which operates in second intervals. From the point of view of the IPNET protocol this is important because the IPNET protocol implements its own keepalive messages. When using the VRRP version 2 protocol, the worst virtual IP address switching time will be four seconds, with the minimum allowable time for sending VRRP advertisements under the protocol of one second, which can be unacceptably long from the point of view of the IPNET keepalive mechanism and will lead to the destruction of the call from the opposite station.
In the proposed configuration, VRRP advertisements are exchanged between nodes every 50ms. The VRRP advertisement interval should be chosen based on the amount of network delay between the nodes. The selected interval of 50ms allows quick switching when nodes fail and tolerates an increase in network delay up to 150-200ms without false triggering. If the nodes are widely distributed geographically, it may be necessary to slightly increase this interval, based on the actual characteristics of the network. However, this interval should not be made too large, because this may affect the stability of keeping active calls when switching the address to the reserve. The worst failover time for a master failure or loss of VRRP advertisement packets in case of network problems is
The configuration of virtual addresses for IPNET is recommended to be placed in a separate /etc/keepalived/ipnet.conf file.
For more information about keepalived and how to configure it, see its documentation.
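As an added example (not Eltex's configuration), the following POSIX shell script renders the keepalived files described in this section: the global part with vrrp_version 3, script_user nobody and enable_script_security and no authentication block, the mirrored pa-sip.conf in which ecss1 is master for the first SIP-adapter address and ecss2 for the second, and ipnet.conf with a single IPNET address advertised every 50 ms. The virtual addresses, the interface name, router IDs and priorities are constructed placeholders to be adjusted to the project.

```shell
#!/bin/sh
# Added example, not the vendor's configuration. Renders keepalived files for
# the two-node ECSS-10 cluster described above. All addresses, the interface
# name, router IDs and priorities are constructed placeholders.
IFACE="bond0.10"                 # interface carrying the SIP/IPNET VLAN (constructed)
VIP_SIP1="192.168.1.31/24"       # first SIP adapter virtual address (constructed)
VIP_SIP2="192.168.1.32/24"       # second SIP adapter virtual address (constructed)
VIP_IPNET="192.168.1.33/24"      # IPNET virtual address (constructed)

# /etc/keepalived/keepalived.conf: identical on every node.
# VRRP version 3 must be requested explicitly (version 2 is the default);
# check scripts run as the unprivileged user nobody; no "authentication" block.
gen_keepalived_conf() {
  cat <<'EOF'
global_defs {
    vrrp_version 3
    script_user nobody
    enable_script_security
}
include /etc/keepalived/pa-sip.conf
include /etc/keepalived/ipnet.conf
EOF
}

# One vrrp_instance block. Args: name state priority virtual_router_id address.
# advert_int 0.05 is 50 ms; fractional intervals are only valid with VRRPv3.
emit_instance() {
  printf 'vrrp_instance %s {\n' "$1"
  printf '    state %s\n' "$2"
  printf '    interface %s\n' "$IFACE"
  printf '    virtual_router_id %s\n' "$4"
  printf '    priority %s\n' "$3"
  printf '    advert_int 0.05\n'
  printf '    virtual_ipaddress {\n        %s\n    }\n}\n' "$5"
}

# Role of a node for one address: the owning node is MASTER with the higher
# priority, the other node is BACKUP. Args: this-node owner-node.
role() {
  if [ "$1" = "$2" ]; then echo MASTER 200; else echo BACKUP 100; fi
}

# /etc/keepalived/pa-sip.conf for node 1 or 2: node 1 masters VIP_SIP1 and
# backs up VIP_SIP2; node 2 is the mirror image.
gen_pa_sip_conf() {
  node="$1"
  set -- $(role "$node" 1); emit_instance SIP1 "$1" "$2" 51 "$VIP_SIP1"
  set -- $(role "$node" 2); emit_instance SIP2 "$1" "$2" 52 "$VIP_SIP2"
}

# /etc/keepalived/ipnet.conf: a single IPNET address, node 1 preferred.
gen_ipnet_conf() {
  set -- $(role "$1" 1); emit_instance IPNET "$1" "$2" 53 "$VIP_IPNET"
}

# Usage on ecss1 (use 2 instead of 1 on ecss2):
#   gen_keepalived_conf > /etc/keepalived/keepalived.conf
#   gen_pa_sip_conf 1   > /etc/keepalived/pa-sip.conf
#   gen_ipnet_conf 1    > /etc/keepalived/ipnet.conf
```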
System start
After everything is configured, proceed to system start and activation. The sequence of actions:
...
After successful subsystems start on ecss1 and license activation all ecss2 services can be started.
Checking the installation and entry of the system into the cluster
To check the status of the cluster nodes, you need to log in to the command console (CoCon) on any of the servers:
...
This completes the installation stage. After the check, you can proceed to configuration.
Decommissioning of single server
If for some reason you need to take the first cluster server, ecss1, out of service, do the following on the second server, ecss2:
...
```
127.0.0.1 localhost
127.0.1.1 ecss2
192.168.1.2 ecss1

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
Checking the correctness of installation procedures
After completing all the installation procedures, you should check the correctness and completeness of the performed actions. To do this, use the checklist given in the section ECSS-10 installation checklist.