Actions from Ubuntu UDS-R

This week was the Ubuntu Developer Summit in Copenhagen. This is kind of an internal series of workshops, but as Ubuntu is an open project it isn’t a closed-doors event. Anyone can attend in person, and some people are sponsored by Canonical to attend. Others (like me this time) can follow along remotely via live video and audio streams and IRC talk back to the workshop rooms. The full schedule was here, and the proceedings of each session are recorded on an Etherpad page. I wrote some scripts to download all the text of these pages and scoop out the action items, and you can find that over here. These will all get processed and end up on status.ubuntu.com as pretty burndown charts for ongoing tracking, but this is a quick and dirty list of all of them.

Time for an Upgrade

The Ubuntu UK Local Team allocation of CDs arrived yesterday and as usual these are available for free to anyone who wants one in the UK. Just send me an SAE following the procedure here and please please try to put enough postage on it, I get bored of walking to the post office to pay the fine.

If you want several of them to hand out at an event then please get in touch and we can sort that out.

As usual there is one special CD that gets upgraded each release, the one my chickens peck at! They were using Ubuntu Server 12.04 LTS before, but today I upgraded them to Ubuntu Server 12.10 the Quantal Quetzal. I think they were pleased at the bird themed code name and they have been getting quite familiar with the command line over the last few months. I tested the retired 12.04 CD and it still works great in a computer after washing the muck off it.

Would you put that in your chicken run?

It might have Long Term Support, but would you put it in your laptop?

OpenERP and Ubuntu Unity Desktop Integration

Ubuntu has been in the news quite a lot recently with the release of version 12.10 including the Amazon shopping lens, and next week some game shop thing called Steam is going to be announced. It isn’t all toys and shopping though; some of the new features make a heap of sense for serious business applications too. One really interesting area for me is the webapp integration. This is an extension for Firefox and Chromium that allows stuff running in the web browser to integrate with the Unity desktop in a variety of ways, making the distinction between a web application and a desktop application a bit more blurry – which is a good thing. There is built-in integration for an assortment of popular consumer websites like YouTube, Twitter, Facebook etc., but it isn’t limited to these single-domain software-as-a-service sites. Any web site or web application can test for the presence of the extension, then export its menu items, do notifications and other actions.

OpenERP is probably my favourite web application to work on, and this is a typical application you might install to help manage a business. It is a modular framework that covers accountancy, logistics, sales process, project management, manufacturing, HR etc. The web server is largely Python based, but as it happens this integration just uses JavaScript. After you install the module and visit your OpenERP server you should be prompted to allow integration. If you accept this you will get a notification (bubble in the top right of the screen) to say it is activated, and from then on you can use the Alt key to bring up the HUD and type anything you might find in an OpenERP menu somewhere, such as “Invoice”. You don’t have to type all of the word; it will search as you type.

OpenERP Unity Integration

You can grab the code from here and the module as a standard module zip file from here. I am thinking of adding some more features, possibly messaging menu integration and notifications. I might do a separate theme module that is mostly CSS and cosmetically adjusts the user interface to match the Unity desktop. Right now most of our customers running OpenERP use it on an Ubuntu server, but use a mixture of Windows and Mac on the desktop. What I want to show with this kind of integration (this is just the start) is that Ubuntu can simply be a better platform for business than other operating systems, especially as things move away from dedicated client applications to web based interfaces.

The Quantal Quetzal takes flight

A week today on the 18th October is the release date of Ubuntu 12.10 the Quantal Quetzal. This release was pitched to be all about quality and from my testing I think the quality has improved quite a lot. If you were thinking of trying Ubuntu with the Unity interface then 12.10 is the release to go for, a lot of niggles have been unniggled and sharp edges smoothed over.

As is traditional with Ubuntu releases there will be a party in London where users, enthusiasts and the Canonical release team get together to consume some adult beverages and generally have a fun evening. This release is no exception to the tradition and you are most welcome to join us at the George Inn from about 7ish (or whenever you can). There is an optional sign up sheet with more details, anyone on the list will probably have a name badge waiting for them (this is based on feedback from previous events).

If you want to get your hands on an official Ubuntu 12.10 DVD, we are now taking pre-orders for the UK local team allocation. Just send in an SAE; they will probably arrive around the end of the month or early November.

Unity Window Quicklists

The Unity desktop that the recent releases of Ubuntu use is kind of nice overall, but there are some specific things that are really hard to do, one of which is finding and focussing on one window of a particular type of application when you may have many other windows of that application you are not interested in. For example, a lot of the time I have three browser windows, a few gedit editors and around ten terminal windows open. When I am doing something I am normally interested in one browser window, one editor and one terminal. If I want to move from the browser to the terminal I am interested in I don’t want the other 9 terminals popping up over the browser, I only want the one that relates to that browser.

What kind of makes sense to me is that you should be able to right click on the things in the launcher and see the list of windows and choose the one you want. Luckily Unity is quite extensible, there are APIs for adding quicklists to the launcher icons and there is enough information kicking about in dbus to find the window names and get callbacks to happen when things get updated like a window title changes or a window gets added or removed.

I put my thoughts together in a little python script, which I have now packaged and put in a PPA (which was harder than it sounds) so if the screenshot makes sense to you and you are running Ubuntu with Unity (2d or 3d) then you can install it with the following commands:

sudo apt-add-repository ppa:alanbell/unity
sudo apt-get update
sudo apt-get install unity-window-quicklists

Then log out and back in again to get a much more usable desktop if you tend to use lots of windows.

How to: OpenERP 6.1, Ubuntu 10.04 LTS, nginx SSL Reverse Proxy

This article follows on (hopefully not unsurprisingly) from the basic 6.1 installation howto.

In this post I’ll describe one way of providing SSL encrypted access to your shiny new OpenERP 6.1 server running on Ubuntu 10.04 LTS.

This time I thought I’d use the nginx (pronounced like “Engine X”) webserver to act as a reverse proxy and do SSL termination for web, GTK client and WebDAV/CalDAV access. nginx is gaining in popularity and is now the second most popular web server in the world according to some figures. It has a reputation for being fast and lean – so it seemed like a good choice for a relatively simple job like this.

I’m indebted to xat for this post which provided the main configuration script for a reverse proxy on OpenERP 6.0. The changes I have made to xat’s original configuration are: different port number, some additional rewrite rules to support WebDAV and the new mobile interface, new location for static files.

NB: For the purposes of this how to, we’ll be using self-signed certificates. A discussion of the pros and cons of this choice is beyond the scope of this article.

Step 1. Install nginx

On your server install nginx by typing:

sudo apt-get install nginx

Next, we need to generate an SSL certificate and key.

Step 2. Create your cert and key

I create the files in a temporary directory then move them to their final resting place once they have been built (the first cd is just to make sure we are in our home directory to start with):

cd
mkdir temp
cd temp

Then we generate a new 2048-bit RSA key; you will be asked to enter a passphrase and confirm:

openssl genrsa -des3 -out server.pkey 2048

We don’t really want to have to enter a passphrase every time the server starts up so we remove the passphrase by doing this:

openssl rsa -in server.pkey -out server.key

Next we need to create a signing request which will hold the data that will be visible in your final certificate:

openssl req -new -key server.key -out server.csr

This will generate a series of prompts like the following. Enter the information as requested:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:The Client’s Company

And finally we self-sign our certificate.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

We only need two of the files in the working directory, the key and the certificate. But before we can use them they need to have their ownership and access rights altered:

sudo chown root:www-data server.crt server.key
sudo chmod 640 server.crt server.key

And then we put them in a sensible place:

sudo mkdir /etc/ssl/nginx
sudo chown www-data:root /etc/ssl/nginx
sudo chmod 710 /etc/ssl/nginx
sudo mv server.crt server.key /etc/ssl/nginx/

Now the key and certificate are safely stored away, we can tell nginx where they are and what it should be doing…

Step 3. Create the nginx site configuration file

We create a new configuration file

sudo nano /etc/nginx/sites-available/openerp

with the following content:

Note: You will need to change all references to 10.0.0.26 in the following file to either the domain name or static IP address of your server. This was the IP address of the machine I built this test script on. It will not work unless changed to suit your own system!

upstream openerpweb {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name    10.0.0.26;

    rewrite ^/mobile.*$ https://10.0.0.26/web_mobile/static/src/web_mobile.html permanent;
    rewrite ^/webdav(.*)$ https://10.0.0.26/webdav/$1 permanent;
    rewrite ^/.*$ https://10.0.0.26/web/webclient/home permanent;
}

server {
    # server port and name
    listen        443 default;
    server_name   10.0.0.26;

    # Strict Transport Security. Browsers ignore this header on plain HTTP
    # responses, so it is set here on the HTTPS server block.
    add_header Strict-Transport-Security max-age=2592000;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # ssl log files
    access_log    /var/log/nginx/openerp-access.log;
    error_log    /var/log/nginx/openerp-error.log;

    # ssl certificate files
    ssl on;
    ssl_certificate        /etc/ssl/nginx/server.crt;
    ssl_certificate_key    /etc/ssl/nginx/server.key;

    # add ssl specific settings
    keepalive_timeout    60;

    # limit ciphers
    ssl_ciphers            HIGH:!ADH:!MD5;
    # SSLv3 is broken (POODLE), so only TLS is offered; add TLSv1.2 to this
    # list if your nginx and OpenSSL versions support it
    ssl_protocols            TLSv1;
    ssl_prefer_server_ciphers    on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass    http://openerpweb;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       
        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;

        # by default, do not forward anything
        proxy_redirect off;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering    on;
        expires 864000;
        proxy_pass http://openerpweb;
    }

}

UPDATE: 04/04/2012. I have added a line to the above file: client_max_body_size 200m; thanks to Praxi for reminding me about this. The default setting is just 1MB which will stop users from uploading any files larger than that, including databases!

And then we can enable the new site configuration by creating a symbolic link in the /etc/nginx/sites-enabled directory.

sudo ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp
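
Before restarting nginx, it is worth checking a site file of this shape for three mistakes that silently weaken a TLS reverse proxy: an obsolete protocol in ssl_protocols, an HSTS header sent from a plain-HTTP server block (browsers ignore it there), and a misspelt X-Forwarded-For header. The script below is an added example, not part of the original post; audit_nginx_site, its finding codes and the sample configuration are hypothetical and constructed for illustration.

```shell
# Added example (not from the original post): audit an nginx site file.
# Prints "line:CODE:detail" per finding; exit status is 1 if any were found.
# Line-based heuristic, not a full nginx parser.
audit_nginx_site() {
    awk '
    { line = $0; sub(/#.*/, "", line) }        # ignore comments
    depth == 0 && line ~ /^[ \t]*server[ \t]*[{]/ { in_server = 1; tls = 0; hsts = 0 }
    in_server && line ~ /^[ \t]*listen[ \t]/ && line ~ /443|ssl/ { tls = 1 }
    in_server && line ~ /^[ \t]*ssl[ \t]+on[ \t]*;/ { tls = 1 }
    in_server && line ~ /add_header[ \t]+Strict-Transport-Security/ { hsts = NR }
    line ~ /ssl_protocols/ && line ~ /SSLv[23]/ {
        print NR ":WEAK_PROTOCOL:SSLv2/SSLv3 enabled"; bad = 1
    }
    line ~ /proxy_set_header[ \t]+X-Forward-For[ \t]/ {
        print NR ":HEADER_TYPO:X-Forward-For should be X-Forwarded-For"; bad = 1
    }
    {
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (in_server && depth == 0) {         # a server block just closed
            if (hsts && !tls) {
                print hsts ":HSTS_PLAINTEXT:HSTS sent from a non-TLS server block"
                bad = 1
            }
            in_server = 0
        }
    }
    END { exit bad }' "$@"
}
# Constructed sample input containing all three mistakes.
sample_site() {
cat <<'EOF'
upstream openerpweb {
    server 127.0.0.1:8069;
}
server {
    listen 80;
    add_header Strict-Transport-Security max-age=2592000;
}
server {
    listen 443 default;
    ssl_protocols SSLv3 TLSv1;
    location / {
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    }
}
EOF
}
sample_site | audit_nginx_site || echo "fix the findings listed above"
```

To audit the real file, pass its path as the argument: audit_nginx_site /etc/nginx/sites-available/openerp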

Step 4. Change the OpenERP server configuration file

The next step is to re-configure the OpenERP server so that non-encrypted services are not accessible from the outside world.

In /etc/openerp-server.conf we set the non-encrypted services to listen only on localhost, i.e. not to accept external connections, so in effect only traffic from nginx will be accepted.

After opening the file for editing, just add 127.0.0.1 to the xmlrpc and netrpc interface lines as shown below.

sudo nano /etc/openerp-server.conf

xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

That’s it. Everything is now configured.

Step 5. Try it out

Restart the services to load the new configurations

sudo service openerp-server restart
sudo service nginx restart

You should not be able to connect to the web client on port 8069 and the GTK client should not connect on either the NetRPC (8070) or XMLRPC (8069) services.

For web access you just need to visit https://your-ip-or-domain and in the GTK client you will need to use port 443 (https) and choose the XMLRPC (Secure) protocol.
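
To confirm that ports 8069 and 8070 really are no longer reachable from other machines, check which address each listener is bound to rather than relying on a failed client connection alone. This is an added example, not part of the original post; the function name is hypothetical and the sample listener table is constructed.

```shell
# Added example (not from the original post).
# Reads `ss -ltn` or `netstat -ltn` output on stdin (the local address is
# column 4 in both) and prints every 8069/8070 listener that is NOT bound
# to loopback. Exit status is 1 if any such listener is found.
exposed_openerp_listeners() {
    awk '
    $4 ~ /:(8069|8070)$/ {
        host = $4
        sub(/:[0-9]+$/, "", host)      # strip the port, keep the bind address
        if (host != "127.0.0.1" && host != "::1" && host != "[::1]") {
            print $4
            bad = 1
        }
    }
    END { exit bad }'
}

# Constructed sample: XMLRPC is bound to loopback, NetRPC was left on all
# interfaces (netrpc_interface not set).
sample_listeners() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:8069      0.0.0.0:*
LISTEN  0       128     0.0.0.0:8070        0.0.0.0:*
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
EOF
}

if sample_listeners | exposed_openerp_listeners; then
    echo "OK: 8069/8070 listen on loopback only"
else
    echo "FAIL: the listeners above are reachable from other hosts"
fi
```

On the server itself, pipe the output of ss -ltn (or netstat -ltn) into exposed_openerp_listeners; no output and exit status 0 means both RPC ports are bound to loopback only.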

The nginx configuration above will also redirect any incoming requests for port 80 to port 443 (https) and it also makes sensible redirects for the mobile and WebDAV/CalDAV services. (From what I can gather however WebDAV clients really don’t handle redirects so this bit is probably not that useful). I think the best bet for WebDAV/CalDAV is just to provide the correct URL in the first place.

For CalDAV access then, the URL to a calendar will be something like this:

https://your-ip-or-domain/webdav/DB_NAME/calendars/users/USERNAME/c/CALENDAR_NAME

There you have it. In OpenERP 6.1 this job actually proved to be a little simpler than the previous version largely due to the integrated web interface. There are also fewer configuration changes required in openerp-server.conf.

Finally, I really wanted to try and make use of the WSGI support in OpenERP 6.1 instead of the method above, but my efforts to get this to work from nginx or Apache have so far ended in failure :-( Obviously if anyone wants to provide a working config for that please feel free to add a comment and link.
