Content Management System using Liferay Portal 7 on CentOS 7 - rharmonson/richtech GitHub Wiki
[DRAFT] Content Management System using Liferay Portal 7 on CentOS 7
Content Management Systems (CMS) are used to create and manage digital content. Liferay Portal can be used as a CMS as well as a Document Management or Web Content Management system. Liferay is available in two versions: Liferay Portal CE (Community Edition), which is freely available and open source, and Liferay Portal DXP (Digital Experience Platform), which must be purchased but comes with commercial support.
Overview
CentOS 7 Base Build
The CentOS 7 base build I use can be found at the web page given below. Please note, I deviate from the default CentOS installation by removing components such as NetworkManager and firewalld.
Adjust this article's instructions to meet your requirements or personal preference.
System Components
The solution is comprised of three hosts.
- MariaDB Database at IP address 192.168.1.12
- Liferay Portal CMS at IP address 192.168.1.11
- Elasticsearch Search at IP address 192.168.1.13
Host system requirements will differ based on a number of factors including number of sites and consumers. It is feasible to start with 2 CPUs and 2 GB RAM per host; however, I advise increasing the resources to 4 CPUs and 4 GB RAM, then scaling down or up after monitoring system resource loads. Storage will be determined primarily by the type or size and quantity of content.
The CMS solution is comprised of the following components:
- Liferay Portal CE 7.1 GA2
- CentOS 7.5
- MariaDB 10.2
- OpenJDK 8
- Tomcat 9
- Elasticsearch 6.1.3
- Nginx 1.12
Products required at versions newer than those available in the main CentOS repository will be installed and maintained from the CentOS Software Collection Repository (SCL).
Database
Liferay 7 supports a variety of databases. MariaDB 10.2 from SCL will be used.
Software Collection Library
Install the SCL repository.
sudo yum install -y centos-release-scl
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
centos-release-scl noarch 2-2.el7.centos extras 12 k
Installing for dependencies:
centos-release-scl-rh noarch 2-2.el7.centos extras 12 k
Transaction Summary
================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 24 k
Installed size: 39 k
Is this ok [y/d/N]:
To use binaries related to the SCL package, sourcing is required. Using profile.d to configure shell sessions will simplify the process.
Create enable-scl.sh shell script.
sudo vi /etc/profile.d/enable-scl.sh
Copy+paste
source scl_source enable rh-mariadb102
To apply changes, start a new bash session.
Install MariaDB
sudo yum install -y rh-mariadb102-mariadb-server
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
rh-mariadb102-mariadb-server x86_64 1:10.2.8-5.el7 centos-sclo-rh 17 M
Installing for dependencies:
lsof x86_64 4.87-5.el7 base 331 k
perl x86_64 4:5.16.3-292.el7 base 8.0 M
perl-Carp noarch 1.26-244.el7 base 19 k
perl-Compress-Raw-Bzip2 x86_64 2.061-3.el7 base 32 k
perl-Compress-Raw-Zlib x86_64 1:2.061-4.el7 base 57 k
perl-DBD-MySQL x86_64 4.023-6.el7 base 140 k
perl-DBI x86_64 1.627-4.el7 base 802 k
perl-Data-Dumper x86_64 2.145-3.el7 base 47 k
perl-Encode x86_64 2.51-7.el7 base 1.5 M
perl-Exporter noarch 5.68-3.el7 base 28 k
perl-File-Path noarch 2.09-2.el7 base 26 k
perl-File-Temp noarch 0.23.01-3.el7 base 56 k
perl-Filter x86_64 1.49-3.el7 base 76 k
perl-Getopt-Long noarch 2.40-3.el7 base 56 k
perl-HTTP-Tiny noarch 0.033-3.el7 base 38 k
perl-IO-Compress noarch 2.061-2.el7 base 260 k
perl-Net-Daemon noarch 0.48-5.el7 base 51 k
perl-PathTools x86_64 3.40-5.el7 base 82 k
perl-PlRPC noarch 0.2020-14.el7 base 36 k
perl-Pod-Escapes noarch 1:1.04-292.el7 base 51 k
perl-Pod-Perldoc noarch 3.20-4.el7 base 87 k
perl-Pod-Simple noarch 1:3.28-4.el7 base 216 k
perl-Pod-Usage noarch 1.63-3.el7 base 27 k
perl-Scalar-List-Utils x86_64 1.27-248.el7 base 36 k
perl-Socket x86_64 2.010-4.el7 base 49 k
perl-Storable x86_64 2.45-3.el7 base 77 k
perl-Text-ParseWords noarch 3.29-4.el7 base 14 k
perl-Time-HiRes x86_64 4:1.9725-3.el7 base 45 k
perl-Time-Local noarch 1.2300-2.el7 base 24 k
perl-constant noarch 1.27-2.el7 base 19 k
perl-libs x86_64 4:5.16.3-292.el7 base 688 k
perl-macros x86_64 4:5.16.3-292.el7 base 43 k
perl-parent noarch 1:0.225-244.el7 base 12 k
perl-podlators noarch 2.5.1-3.el7 base 112 k
perl-threads x86_64 1.87-4.el7 base 49 k
perl-threads-shared x86_64 1.43-6.el7 base 39 k
rh-mariadb102-mariadb x86_64 1:10.2.8-5.el7 centos-sclo-rh 6.6 M
rh-mariadb102-mariadb-common x86_64 1:10.2.8-5.el7 centos-sclo-rh 74 k
rh-mariadb102-mariadb-config x86_64 1:10.2.8-5.el7 centos-sclo-rh 28 k
rh-mariadb102-mariadb-errmsg x86_64 1:10.2.8-5.el7 centos-sclo-rh 216 k
rh-mariadb102-mariadb-server-utils
x86_64 1:10.2.8-5.el7 centos-sclo-rh 2.0 M
rh-mariadb102-runtime x86_64 3.0-5.el7 centos-sclo-rh 1.2 M
rsync x86_64 3.1.2-4.el7 base 403 k
scl-utils x86_64 20130529-18.el7_4 base 24 k
Transaction Summary
================================================================================
Install 1 Package (+44 Dependent packages)
Total download size: 40 M
Installed size: 177 M
Is this ok [y/d/N]:
Systemd & MariaDB
Enable the MariaDB service.
sudo systemctl enable rh-mariadb102-mariadb
Results
Created symlink from /etc/systemd/system/multi-user.target.wants/rh-mariadb102-mariadb.service to /usr/lib/systemd/system/rh-mariadb102-mariadb.service.
Start and verify no errors.
sudo systemctl start rh-mariadb102-mariadb
sudo systemctl status rh-mariadb102-mariadb
Results
● rh-mariadb102-mariadb.service - MariaDB 10.2 database server
Loaded: loaded (/usr/lib/systemd/system/rh-mariadb102-mariadb.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-10-26 20:15:50 PDT; 2s ago
Process: 1499 ExecStartPost=/usr/bin/scl enable $RH_MARIADB102_SCLS_ENABLED -- /opt/rh/rh-mariadb102/root/usr/libexec/mysql-check-upgrade (code=exited, status=0/SUCCESS)
Process: 1355 ExecStartPre=/usr/bin/scl enable $RH_MARIADB102_SCLS_ENABLED -- /opt/rh/rh-mariadb102/root/usr/libexec/mysql-prepare-db-dir %n (code=exited, status=0/SUCCESS)
Process: 1327 ExecStartPre=/usr/bin/scl enable $RH_MARIADB102_SCLS_ENABLED -- /opt/rh/rh-mariadb102/root/usr/libexec/mysql-check-socket (code=exited, status=0/SUCCESS)
Process: 1319 ExecStartPre=/usr/bin/scl enable $RH_MARIADB102_SCLS_ENABLED -- /usr/bin/scl_enabled rh-mariadb102 (code=exited, status=0/SUCCESS)
Main PID: 1464 (mysqld)
Status: "Taking your SQL requests now..."
CGroup: /system.slice/rh-mariadb102-mariadb.service
└─1464 /opt/rh/rh-mariadb102/root/usr/libexec/mysqld --basedir=/op...
Secure MariaDB
Using root, secure the default installation.
mysql_secure_installation
When running mysql_secure_installation, set the MariaDB root password, permit only local access for root, disable anonymous users, remove the example database, etc. Answer appropriately to increase security stance.
Create Database & User
Connect MariaDB using root.
mysql -u root -p
Execute
create database lportal character set utf8mb4 collate utf8mb4_unicode_ci;
create user 'lpdbuser'@'192.168.1.11' identified by 'lpdbuserpasswordhere';
grant all privileges on lportal.* to 'lpdbuser'@'192.168.1.11' with grant option;
quit;
NOTES: To change the password, use the following where “newpassword” is the password to be set.
SET PASSWORD FOR 'lpdbuser'@'192.168.1.11' = PASSWORD('newpassword');
Use drop user to remove user accounts.
Permit Remote Connections
By default, MariaDB only permits connections on the ::1 loopback interface. To permit remote connections, update the following file.
sudo vi /etc/opt/rh/rh-mariadb102/my.cnf.d/mariadb-server.cnf
From
#bind-address=0.0.0.0
To
bind-address=0.0.0.0
MariaDB Host Firewall
Create IPv4 and IPv6 files for storing and executing the firewall policies.
IPv4
vi ip4-liferay-mariadb.fw
Copy+paste
#!/bin/bash
## Liferay DB IPv4 Policies
#Flush current policies
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Reject everything else; the -I rules below are inserted ahead of this rule
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Accept incoming SSH
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Accept MariaDB connections from the Liferay Portal host only
iptables -I INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.1.11 --dport 3306 -j ACCEPT
# Save Changes
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
Note the argument -i eth0 and change it to reflect your interface or remove it. Restricting the communications to a specific interface outside of loopback should be used if your host has more than one network interface card.
IPv6
vi ip6-liferay-mariadb.fw
Copy+paste
#!/bin/bash
# Liferay DB IPv6 Policies
#Flush current policies
ip6tables -F
# Set default chain policies
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
ip6tables -A INPUT -i lo -j ACCEPT
#ip6tables -A OUTPUT -o lo -j ACCEPT
# Save Changes
service ip6tables save
# Service
systemctl restart ip6tables
systemctl status ip6tables
To use the files, use chmod +x or just redirect to bash.
sudo bash < ip4-liferay-mariadb.fw
sudo bash < ip6-liferay-mariadb.fw
Use sudo iptables -L -nv and sudo ip6tables -L -nv to check your work.
Liferay
This document details the following Liferay 7 components:
- Liferay 7.1 CE GA2 with Tomcat 9
- OpenJDK 8
- Nginx 1.12.2
MariaDB
Prior to Liferay installation, it is advisable to verify the Liferay host can connect to the database host. For example, install nmap using sudo yum install nmap, then use vi to create a firewall_test.sh script that calls nmap.
Copy+paste
#!/bin/bash
echo "Test MariaDB connection:"
nmap -sS -Pn -p T:3306 192.168.1.12
echo "============================================================"
echo ""
echo "*** Done! ***"
Set the file as executable using chmod +x firewall_test.sh, then execute it with sudo, which should produce the results shown.
sudo ./firewall_test.sh
Results
Test MariaDB connection:
Starting Nmap 6.40 ( http://nmap.org ) at 2018-11-04 11:28 PST
Nmap scan report for 192.168.1.12
Host is up (0.00029s latency).
PORT STATE SERVICE
3306/tcp open mysql
MAC Address: 00:34:4A:98:01:39
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
============================================================
*** Done! ***
Note the state open, which means a listener is up and running and a successful connection was established.
If you receive the state filtered as shown below, it generally means a firewall has filtered or denied the connection. I created the output below by commenting out the permit ACL and reloading.
Test MariaDB connection:
Starting Nmap 6.40 ( http://nmap.org ) at 2018-11-04 11:18 PST
Nmap scan report for 192.168.1.12
Host is up (0.00033s latency).
PORT STATE SERVICE
3306/tcp filtered mysql
MAC Address: [interfacemacaddress]
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
============================================================
*** Done! ***
Liferay Portal Host Firewall
Create IPv4 and IPv6 files for storing and executing the firewall policies.
IPv4
vi ip4-liferay.fw
Copy+paste
#!/bin/bash
## Liferay Portal IPv4 Policies
#Flush current policies
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Reject everything else; the -I rules below are inserted ahead of this rule
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Accept incoming SSH
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Accept incoming HTTP to Liferay Portal (Tomcat) on port 8080
iptables -I INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
# Save Changes
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
IPv6
vi ip6-liferay.fw
Copy+paste
#!/bin/bash
# Liferay Portal IPv6 Policies
#Flush current policies
ip6tables -F
# Set default chain policies
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
ip6tables -A INPUT -i lo -j ACCEPT
#ip6tables -A OUTPUT -o lo -j ACCEPT
# Save Changes
service ip6tables save
# Service
systemctl restart ip6tables
systemctl status ip6tables
To use the files, use chmod +x or just redirect to bash.
sudo bash < ip4-liferay.fw
sudo bash < ip6-liferay.fw
Use sudo iptables -L -nv and sudo ip6tables -L -nv to check your work.
SELinux
Set SELinux to permissive prior to installations. Prior to enforcing SELinux policies, a SELinux module will need to be created [<-- 2do]. Use sestatus to determine current settings. If enforcing, execute the following:
sudo sed -i 's/=enforcing/=permissive/g' /etc/selinux/config
Or edit the file using sudo vi /etc/selinux/config.
Reboot or start a new bash session.
Create User
Create an account to run Liferay. Note the use of -m -d to create the user home directory.
sudo useradd -u 4001 -m -d /opt/liferay -c 'Liferay Service Account' liferay
OpenJDK
Liferay uses Java. We will be using Red Hat's supported installation versus a manual install from Oracle.
sudo yum install -y java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat-native
Results
================================================================================
Package Arch Version Repository
Size
================================================================================
Installing:
java-1.8.0-openjdk x86_64 1:1.8.0.191.b12-0.el7_5 updates 252 k
java-1.8.0-openjdk-devel x86_64 1:1.8.0.191.b12-0.el7_5 updates 9.8 M
tomcat-native x86_64 1.2.17-1.el7 epel 75 k
Installing for dependencies:
apr x86_64 1.4.8-3.el7_4.1 base 103 k
copy-jdk-configs noarch 3.3-10.el7_5 updates 21 k
fontconfig x86_64 2.10.95-11.el7 base 229 k
fontpackages-filesystem noarch 1.44-8.el7 base 9.9 k
giflib x86_64 4.1.6-9.el7 base 40 k
java-1.8.0-openjdk-headless x86_64 1:1.8.0.191.b12-0.el7_5 updates 32 M
javapackages-tools noarch 3.4.1-11.el7 base 73 k
libICE x86_64 1.0.9-9.el7 base 66 k
libSM x86_64 1.2.2-2.el7 base 39 k
libX11 x86_64 1.6.5-1.el7 base 606 k
libX11-common noarch 1.6.5-1.el7 base 164 k
libXau x86_64 1.0.8-2.1.el7 base 29 k
libXcomposite x86_64 0.4.4-4.1.el7 base 22 k
libXext x86_64 1.3.3-3.el7 base 39 k
libXfont x86_64 1.5.2-1.el7 base 152 k
libXi x86_64 1.7.9-1.el7 base 40 k
libXrender x86_64 0.9.10-1.el7 base 26 k
libXtst x86_64 1.2.3-1.el7 base 20 k
libfontenc x86_64 1.1.3-3.el7 base 31 k
libpng x86_64 2:1.5.13-7.el7_2 base 213 k
libxcb x86_64 1.12-1.el7 base 211 k
lksctp-tools x86_64 1.0.17-2.el7 base 88 k
lyx-fonts noarch 2.2.3-1.el7 epel 159 k
python-javapackages noarch 3.4.1-11.el7 base 31 k
ttmkfdir x86_64 3.0.9-42.el7 base 48 k
tzdata-java noarch 2018f-2.el7 updates 186 k
xorg-x11-font-utils x86_64 1:7.5-20.el7 base 87 k
xorg-x11-fonts-Type1 noarch 7.5-9.el7 base 521 k
Transaction Summary
================================================================================
Install 3 Packages (+28 Dependent packages)
Total download size: 45 M
Installed size: 153 M
Verify JAVA_HOME is not set using echo $JAVA_HOME, then
sudo vi /etc/profile.d/openjdk.sh
Copy+paste
export JAVA_HOME=/usr/lib/jvm/java
export JRE_HOME=$JAVA_HOME/jre
export PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin
Make sure it is readable for all users using ls -l /etc/profile.d/. If not, then
sudo chmod 644 /etc/profile.d/openjdk.sh
Install Liferay
Review the compatibility matrix before beginning.
https://web.liferay.com/services/support/compatibility-matrix
In preparation for unarchiving the Liferay Portal CE with Tomcat download, install unzip for .zip files or p7zip for .7z files. The Liferay Portal CE downloads were previously zip files; however, during this build the maintainer deviated by using the 7zip archive format.
Replace p7zip with unzip if the download is a .zip.
sudo yum install -y p7zip
Change account to the liferay user account.
$ sudo su liferay
$ whoami
liferay
$ cd ~
$ pwd
/opt/liferay
Download Liferay CE Portal with Tomcat.
curl -L -O https://sourceforge.net/projects/lportal/files/Liferay%20Portal/7.1.1%20GA2/liferay-ce-portal-tomcat-7.1.1-ga2-20181105121645556.7z
Results
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 16435 100 16435 0 0 44859 0 --:--:-- --:--:-- --:--:-- 45027
100 16420 100 16420 0 0 37933 0 --:--:-- --:--:-- --:--:-- 37933
100 16502 100 16502 0 0 33423 0 --:--:-- --:--:-- --:--:-- 273k
100 455 100 455 0 0 123 0 0:00:03 0:00:03 --:--:-- 213
100 425M 100 425M 0 0 2686k 0 0:02:42 0:02:42 --:--:-- 3069k
Unarchive and move files
7za x liferay-ce-portal-tomcat*
mv liferay-ce-portal-7.1.1-ga2/* /opt/liferay/
mv liferay-ce-portal-7.1.1-ga2/.liferay-home /opt/liferay/
rm -rf liferay-ce-portal-tomcat* liferay-ce-portal-7.1.1-ga2/
Create a missing directory due to a packaging oversight. If you don’t create the directory, starting Liferay will alert on the console that the directory is missing.
mkdir /opt/liferay/tomcat-9.0.10/lib/ext/global
Create a connection profile for MariaDB.
vi /opt/liferay/tomcat-9.0.10/webapps/ROOT/WEB-INF/classes/portal-ext.properties
Copy+paste
jdbc.default.driverClassName=org.mariadb.jdbc.Driver
jdbc.default.url=jdbc:mariadb://192.168.1.12/lportal?useUnicode=true&characterEncoding=UTF-8&useFastDateParsing=false
jdbc.default.username=lpdbuser
jdbc.default.password=lpdbuserpasswordhere
schema.run.enabled=true
schema.run.minimal=true
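The portal-ext.properties file above holds the database password in clear text, so it should be readable only by the liferay account and should not keep the placeholder password. The check below is an added example, not part of the original article; the function names, the sample files and the sample passphrase are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original article: lint portal-ext.properties
# for the credential-handling problems a copy+paste of the article can leave.

PLACEHOLDER='lpdbuserpasswordhere'   # the article's stand-in password

# check_portal_ext FILE [OWNER]
# Prints one FAIL line per finding; returns 0 when there are none.
# OWNER defaults to the liferay service account created earlier.
check_portal_ext() {
  f=$1; want_owner=${2:-liferay}; rc=0
  if [ ! -r "$f" ]; then echo "FAIL: cannot read $f"; return 2; fi

  listing=$(ls -ld "$f")
  # Characters 5-10 of the mode string are the group and other permission bits.
  perms=$(printf '%s\n' "$listing" | cut -c5-10)
  owner=$(printf '%s\n' "$listing" | awk '{print $3}')
  if [ "$perms" != "------" ]; then
    echo "FAIL: group/other permissions '$perms' on $f; expected owner-only (chmod 600)"
    rc=1
  fi
  if [ "$owner" != "$want_owner" ]; then
    echo "FAIL: $f is owned by $owner; expected $want_owner"
    rc=1
  fi

  # Last assignment wins, as it does when the properties file is loaded.
  user=$(sed -n 's/^jdbc\.default\.username=//p' "$f" | tail -n 1)
  pass=$(sed -n 's/^jdbc\.default\.password=//p' "$f" | tail -n 1)
  if [ -z "$pass" ] || [ "$pass" = "$PLACEHOLDER" ]; then
    echo "FAIL: jdbc.default.password is empty or still the article's placeholder"
    rc=1
  fi
  if [ "$user" = "root" ]; then
    echo "FAIL: jdbc.default.username is root; use the dedicated lpdbuser account"
    rc=1
  fi
  return $rc
}

# make_samples DIR: write two constructed files, one as pasted from the
# article with default permissions, one hardened.
make_samples() {
  dir=$1
  printf '%s\n' 'jdbc.default.username=lpdbuser' \
    "jdbc.default.password=$PLACEHOLDER" > "$dir/weak.properties"
  chmod 644 "$dir/weak.properties"
  printf '%s\n' 'jdbc.default.username=lpdbuser' \
    'jdbc.default.password=constructed-Sample-Passphrase-1' > "$dir/hardened.properties"
  chmod 600 "$dir/hardened.properties"
}

# Demo on the constructed samples; the current user stands in for liferay.
tmp=$(mktemp -d)
make_samples "$tmp"
me=$(ls -ld "$tmp" | awk '{print $3}')
for sample in "$tmp/weak.properties" "$tmp/hardened.properties"; do
  echo "== $sample"
  if check_portal_ext "$sample" "$me"; then echo "PASS"; fi
done
rm -rf "$tmp"
```

On the Liferay host, run it as `check_portal_ext /opt/liferay/tomcat-9.0.10/webapps/ROOT/WEB-INF/classes/portal-ext.properties`.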
Initial Run
Begin by executing a basic configuration test.
/opt/liferay/tomcat-9.0.10/bin/configtest.sh
Results
Using CATALINA_BASE: /opt/liferay/tomcat-9.0.10
Using CATALINA_HOME: /opt/liferay/tomcat-9.0.10
Using CATALINA_TMPDIR: /opt/liferay/tomcat-9.0.10/temp
Using JRE_HOME: /usr/lib/jvm/java/jre
Using CLASSPATH: /opt/liferay/tomcat-9.0.10/bin/bootstrap.jar:/opt/liferay/tomcat-9.0.10/bin/tomcat-juli.jar
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version: Apache Tomcat/9.0.10
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built: Jun 20 2018 17:32:21 UTC
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number: 9.0.10.0
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name: Linux
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version: 3.10.0-862.14.4.el7.x86_64
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture: amd64
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version: 1.8.0_191-b12
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Vendor: Oracle Corporation
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_BASE: /opt/liferay/tomcat-9.0.10
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_HOME: /opt/liferay/tomcat-9.0.10
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dignore.endorsed.dirs=
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.base=/opt/liferay/tomcat-9.0.10
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dcatalina.home=/opt/liferay/tomcat-9.0.10
Nov 06, 2018 8:44:42 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djava.io.tmpdir=/opt/liferay/tomcat-9.0.10/temp
Nov 06, 2018 8:44:42 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library [1.2.17] using APR version [1.4.8].
Nov 06, 2018 8:44:42 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Nov 06, 2018 8:44:42 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
Nov 06, 2018 8:44:42 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized [OpenSSL 1.0.2k-fips 26 Jan 2017]
Nov 06, 2018 8:44:43 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8080"]
Nov 06, 2018 8:44:43 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Nov 06, 2018 8:44:43 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-nio-8009"]
Nov 06, 2018 8:44:43 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Nov 06, 2018 8:44:43 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 622 ms
Review the output and verify all requirements have been met.
If you observe the notification "The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found," run sudo yum install tomcat-native to install the missing dependency from the EPEL repository.
Start Liferay
/opt/liferay/tomcat-9.0.10/bin/startup.sh
Monitor Liferay startup
tail -f /opt/liferay/tomcat-9.0.10/logs/catalina.out
No errors or warnings should be observed except a "WARN" regarding running Elasticsearch on the Liferay host. Instructions for building an Elasticsearch host are provided later in this article.
On the initial run, be patient. The database tables are being created and populated. Eventually, an ASCII "LIFERAY" will be printed to the console followed by the final message:
INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 266365 ms
Connect to Liferay at http://cms.mydomain.com:8080 using an Internet browser to complete the initial configuration using “[email protected]” or create an alternative, then restart the service to be prompted to set a password.
To shutdown Liferay, execute:
/opt/liferay/tomcat-9.0.10/bin/shutdown.sh
tail -f /opt/liferay/tomcat-9.0.10/logs/catalina.out
Once shutdown is complete, the following event is displayed.
INFO [main] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-apr-8080"]
To startup Liferay and continue the installation, execute and monitor:
/opt/liferay/tomcat-9.0.10/bin/startup.sh
tail -f /opt/liferay/tomcat-9.0.10/logs/catalina.out
Once Liferay is finished loading, log on using “[email protected],” accept the EULA, and set a password.
systemd
Create a system control file for starting and stopping Liferay.
sudo touch /etc/systemd/system/liferay.service
sudo chmod 664 /etc/systemd/system/liferay.service
sudo vi /etc/systemd/system/liferay.service
Copy+paste
[Unit]
Description=Liferay Portal CE
After=network.target
[Service]
Type=forking
User=liferay
Group=liferay
ExecStart=/opt/liferay/tomcat-9.0.10/bin/startup.sh
ExecStop=/opt/liferay/tomcat-9.0.10/bin/shutdown.sh
TimeoutStartSec=600
TimeoutStopSec=200
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
Update system, enable, then stop and start liferay. DO NOT USE systemctl restart liferay! If restart is used instead of stop then start, Liferay will start with errors because it was not safely shut down before starting. (Need to either fix or remove the restart option.)
Reload systemd to identify the new service file then enable the liferay service.
sudo systemctl daemon-reload
sudo systemctl enable liferay
Created symlink from /etc/systemd/system/multi-user.target.wants/liferay.service to /etc/systemd/system/liferay.service.
To start Liferay use the syntax given below.
sudo systemctl start liferay
sudo tail -f /opt/liferay/tomcat-9.0.10/logs/catalina.out
The use of tail should result in the message INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 110481 ms to indicate successful start of Liferay.
To stop Liferay
sudo systemctl stop liferay
sudo tail -f /opt/liferay/tomcat-9.0.10/logs/catalina.out
This results in the following entries in the catalina.out log.
[date_time_stamp] INFO [main] org.apache.catalina.core.StandardServer.await A valid shutdown command was received via the shutdown port. Stopping the Server instance.
[date_time_stamp] INFO [main] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-apr-8080"]
Search
The Elasticsearch host is comprised of the following components:
- Elasticsearch 6.1
- OpenJDK 8
OpenJDK
Elasticsearch uses Java.
sudo yum install -y java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat-native
Set $JAVA_HOME.
sudo vi /etc/profile.d/openjdk.sh
Copy+paste
export JAVA_HOME=/usr/lib/jvm/java
export JRE_HOME=$JAVA_HOME/jre
export PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin
Make sure it is readable for all users.
sudo chmod 644 /etc/profile.d/openjdk.sh
Install Elasticsearch
Identify on the Liferay Portal host the version of Elasticsearch installed using curl.
curl http://localhost:9200
Results
{
"name" : "D21MV6V",
"cluster_name" : "LiferayElasticsearchCluster",
"cluster_uuid" : "hJxPbSzuQXGGn_DdLTdE7w",
"version" : {
"number" : "6.1.3",
"build_hash" : "af51318",
"build_date" : "2018-01-26T18:22:55.523Z",
"build_snapshot" : false,
"lucene_version" : "7.1.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
Note the version is 6.1.3.
The compatibility matrix states 6.1.x is supported. Reviewing Elasticsearch releases, 6.1.4 was the last release of the 6.1 release train. I will be installing 6.1.4, but to ensure compatibility, install 6.1.3.
https://web.liferay.com/documents/14/21598941/Liferay+DXP+Compatibility+Matrix.pdf
Obtain installation package.
sudo yum install https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.1.4.rpm
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
elasticsearch noarch 6.1.4-1 /elasticsearch-6.1.4 30 M
Transaction Summary
================================================================================
Install 1 Package
Total size: 30 M
Installed size: 30 M
Is this ok [y/d/N]: y
Update Elasticsearch configuration files.
sudo vi /etc/elasticsearch/elasticsearch.yml
Update the following entries:
- cluster.name: LiferayPortalCluster
- node.name: node-1
- network.host: 192.168.1.13
sudo vi /etc/elasticsearch/jvm.options
Update the following entries as appropriate for your system. I am using the default of 1 GB, but if the host had 8 GB of RAM, I would allocate between 2 to 4 GB.
- -Xms4g
- -Xmx4g
Install Elasticsearch plugins.
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-smartcn
Results
-> Downloading analysis-smartcn from elastic
[=================================================] 100%
-> Installed analysis-smartcn
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-icu
Results
-> Downloading analysis-icu from elastic
[=================================================] 100%
-> Installed analysis-icu
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-kuromoji
Results
-> Downloading analysis-kuromoji from elastic
[=================================================] 100%
-> Installed analysis-kuromoji
sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-stempel
Results
-> Downloading analysis-stempel from elastic
[=================================================] 100%
-> Installed analysis-stempel
Enable and start Elasticsearch.
sudo systemctl enable elasticsearch
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
sudo systemctl start elasticsearch
Check status to verify operating as expected.
sudo systemctl status elasticsearch
Results
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-11-09 03:58:09 PST; 10s ago
Docs: http://www.elastic.co
Main PID: 18590 (java)
CGroup: /system.slice/elasticsearch.service
└─18590 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSIni...
Nov 09 03:58:09 es.intranet.harmonson.net systemd[1]: Started Elasticsearch.
Nov 09 03:58:09 es.intranet.harmonson.net systemd[1]: Starting Elasticsearch...
Hint: Some lines were ellipsized, use -l to show in full.
Elasticsearch Host Firewall
IPv4
vi ip4-elasticsearch.fw
Copy+paste
#!/bin/bash
# Elasticsearch IPv4 Policies
#Flush current policies
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Reject everything else; the -I rules below are inserted ahead of this rule
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Accept incoming SSH
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Accept Elasticsearch HTTP (9200) and transport (9300) from the Liferay Portal host only
iptables -I INPUT -i ens32 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.1.11 --dport 9200 -j ACCEPT
iptables -I INPUT -i ens32 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.1.11 --dport 9300 -j ACCEPT
# Save Changes
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
IPv6
vi ip6-elasticsearch.fw
Copy+paste
#!/bin/bash
# Elasticsearch IPv6 Policies
#Flush current policies
ip6tables -F
# Set default chain policies
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
ip6tables -A INPUT -i lo -j ACCEPT
#ip6tables -A OUTPUT -o lo -j ACCEPT
# Save Changes
service ip6tables save
# Service
systemctl restart ip6tables
systemctl status ip6tables
To use the files, use chmod +x or just redirect to bash.
sudo bash < ip4-elasticsearch.fw
sudo bash < ip6-elasticsearch.fw
Use sudo iptables -L -nv and sudo ip6tables -L -nv to check your work.
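Checking the MariaDB and Elasticsearch host firewalls by eye can miss two mistakes: a service rule without its -s 192.168.1.11 restriction, and a service rule added with -A instead of -I so that it lands after the catch-all REJECT. The script below is an added example, not part of the original article; audit_port is a hypothetical helper, and the rule listings are constructed to resemble what `iptables -S INPUT` prints after the article's scripts have run.

```bash
#!/bin/bash
# Added example, not from the original article. Audits `iptables -S INPUT`
# output: the port must be reachable only from one source address.
# Simplifications: first-match order is modelled only for unconditional
# REJECT/DROP/ACCEPT rules; multiport matches and port ranges are not parsed.

# Constructed listing: MariaDB host after running ip4-liferay-mariadb.fw.
MARIADB_RULES='-P INPUT DROP
-A INPUT -s 192.168.1.11/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed variant: the -s restriction was left off the 3306 rule.
MARIADB_RULES_ANYSRC=$(printf '%s\n' "$MARIADB_RULES" | sed 's| -s 192\.168\.1\.11/32||')

# Constructed variant: the 3306 rule was added with -A instead of -I, so it
# sits after the catch-all REJECT and never matches.
MARIADB_RULES_SHADOWED='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.1.11/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT'

# Constructed listing: Elasticsearch host after running ip4-elasticsearch.fw.
ES_RULES='-P INPUT DROP
-A INPUT -s 192.168.1.11/32 -i ens32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9300 -j ACCEPT
-A INPUT -s 192.168.1.11/32 -i ens32 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9200 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# audit_port RULES PORT SOURCE
# Prints one FAIL line per finding; returns 0 only when the INPUT policy is
# DROP and every reachable rule admitting new TCP connections to PORT is
# limited to SOURCE.
audit_port() {
  printf '%s\n' "$1" | awk -v port="$2" -v src="$3" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" || dead { next }
    {
      dport = ""; s = "any"; iface = ""; state = ""; proto = "all"; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "--dport")   dport  = $(i + 1)
        if ($i == "-s")        s      = $(i + 1)
        if ($i == "-i")        iface  = $(i + 1)
        if ($i == "--ctstate") state  = $(i + 1)
        if ($i == "-p")        proto  = $(i + 1)
        if ($i == "-j")        target = $(i + 1)
      }
      unconditional = (dport == "" && s == "any" && iface == "" && state == "" && proto == "all")
      # A catch-all REJECT or DROP makes every later rule unreachable.
      if (target == "REJECT" || target == "DROP") { if (unconditional) dead = 1; next }
      if (target != "ACCEPT") next
      if (iface == "lo") next                       # loopback only
      if (state != "" && state !~ /NEW/) next       # established traffic only
      if (proto != "tcp" && proto != "all") next    # icmp and similar
      if (dport != "" && dport != port) next        # a different service
      seen = 1
      if (s != src && s != src "/32") {
        print "FAIL: tcp/" port " accepted from " s " by: " $0
        bad = 1
      }
      if (unconditional) dead = 1
    }
    END {
      if (policy != "DROP") { print "FAIL: INPUT policy is " (policy == "" ? "unknown" : policy); bad = 1 }
      if (!seen) { print "FAIL: no reachable ACCEPT rule for tcp/" port; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# report LABEL RULES PORT: run the audit for the Liferay host address.
report() {
  echo "== $1 (tcp/$3)"
  if audit_port "$2" "$3" 192.168.1.11; then echo "PASS"; fi
}

report "MariaDB host" "$MARIADB_RULES" 3306
report "MariaDB host, no source restriction" "$MARIADB_RULES_ANYSRC" 3306
report "MariaDB host, rule after REJECT" "$MARIADB_RULES_SHADOWED" 3306
report "Elasticsearch host" "$ES_RULES" 9200
report "Elasticsearch host" "$ES_RULES" 9300
# On a live host: audit_port "$(sudo iptables -S INPUT)" 3306 192.168.1.11
```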
Remote Elasticsearch
Once the Search host build is complete, Liferay Portal must be configured to use it.
To utilize the remote Elasticsearch instance, first blacklist the existing Elasticsearch as user liferay.
sudo su liferay
vi /opt/liferay/osgi/configs/com.liferay.portal.bundle.blacklist.internal.BundleBlacklistConfiguration.config
Copy+paste
blacklistBundleSymbolicNames=["com.liferay.portal.search.elasticsearch"]
Stop and start Liferay.
Install the “Liferay CE Connector to Elasticsearch 6” by opening a browser to http://cms.mydomain.com:8080 then
Control Panel --> Apps --> Store
Create a Marketplace account and respond to the verification email.
Search and install “Liferay CE Connector to Elasticsearch 6.” Open the app's page then select the "Free" button to install. Once installed, configure the app.
Control Panel --> Configuration --> System Settings --> Platform: Search --> Elasticsearch 6
Verify or update the following values:
- Cluster Name: “LiferayPortalCluster”
- Operation Mode: “Remote”
- Transport Address: “192.168.1.13:9300”
- Select the Update button
After successful configuration, stop and start Liferay, then log on to complete the Elasticsearch installation by initiating a reindex.
Control Panel --> Configuration --> Search
Select "Execute" button for "Reindex all search indexes."