Setup of a Cinnamon Server on Debian 10.1.0 (buster)

NOTE: This documentation is currently under construction.

This documentation relates to Debian 10.1.0 Server (without GUI).
Particularly, it relates to a minimal Debian server VM installed from the Debian repositories on the KVM virtualization host.
The installation according to this documentation has been tested on a system of this type.

Installing Cinnamon Server

• Log in to the standard Debian 10.1.0 VM (this is a minimal installation with ssh as the only option).

  IMPORTANT: Choose a safe password on production systems (see (1)).

• Use the su command to acquire root privileges.
• Edit ~/.bashrc and append the following line:

  PATH=$PATH:/usr/sbin
  

• Exit and use the su command again to make the previous change effective.
• Install Java (JDK), cURL and some other useful or required tools. When the installer asks you, deny mounting WebDAV resources to unprivileged users.

  apt update
  apt-get install curl sudo less daemontools rsync davfs2 htop zip unzip sshpass apt-transport-https ca-certificates wget dirmngr gnupg software-properties-common
  wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | sudo apt-key add -
  add-apt-repository --yes https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/
  apt update
  apt install adoptopenjdk-8-hotspot
  

• In case other Java versions had been installed on the system before (like Java 11), select Java 8 with the following command:

  update-alternatives --config java
  

• Create a new group and user for tomcat.

  groupadd tomcat
  useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat
  mkdir /opt/tomcat
  

  • The home directory of this account is set to /opt/tomcat.
  • The shell of this account is set to /bin/false, so logging on is not possible.
• Download and extract tomcat.

  cd /tmp 
  curl -O https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.38/bin/apache-tomcat-8.5.38.tar.gz
  tar xzvf apache-tomcat-8.5.38.tar.gz -C /opt/tomcat --strip-components=1
  chgrp -R tomcat /opt/tomcat
  cd /opt/tomcat
  chown -R tomcat webapps/ work/ temp/ logs/
  chmod -R g+r conf
  chmod g+x conf
  chmod -R g+rw logs
  

• Create a Tomcat service.
  • Create the service file.

    nano /etc/systemd/system/tomcat.service
    

  • Paste the following code into the file:

    [Unit]
    Description=Apache Tomcat Web Application Container
    After=network.target
    
    [Service]
    Type=forking
    
    Environment=JAVA_HOME=/usr/lib/jvm/adoptopenjdk-8-hotspot-amd64/jre
    Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
    Environment=CATALINA_HOME=/opt/tomcat
    Environment=CATALINA_BASE=/opt/tomcat
    Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
    
    ExecStart=/opt/tomcat/bin/startup.sh
    ExecStop=/opt/tomcat/bin/shutdown.sh
    
    User=tomcat
    Group=tomcat
    UMask=0007
    RestartSec=10
    Restart=always
    
    [Install]
    WantedBy=multi-user.target
    

  • Save and close the file.
• Start and test Tomcat.

  systemctl daemon-reload
  systemctl start tomcat
  systemctl status tomcat
  

  Alternatively, you can use the following syntax to control the tomcat service:

  service tomcat start
  service tomcat stop
  service tomcat status
  

• Stop tomcat.

  service tomcat stop
  

• Install PostgreSQL database.

  apt-get install postgresql
  

• Set password for user postgres.

  NOTE: This is required for backup and restore.

  sudo -u postgres psql template1
  ALTER USER postgres PASSWORD 'myPassword';
  \q
  

• Create a database user cinnamon.
  • Start the user creation program.

    sudo -u postgres createuser --interactive
    

  • Answer the questions as follows:

Question	Answer
Enter the name of the role to add:	cinnamon
Shall the new role be a superuser?	n
Shall the new role be allowed to create databases?	n
Shall the new role be allowed to create more new roles?	n

• Set a password for the user.

  IMPORTANT: Choose a safe password on production systems (see (1)).

  sudo -u postgres psql
  ALTER USER "cinnamon" WITH PASSWORD 'new_password';
  \q
  

• Assign password to user cinnamon and add it to the tomcat group.

  IMPORTANT: Choose a safe password on production systems (see (1)).

  useradd -g tomcat -d /opt/cinnamon cinnamon
  passwd cinnamon
  mkdir /opt/cinnamon
  

• Create a file /opt/tomcat/bin/setenv.sh and paste the following content into it:

  export CATALINA_OPTS="$CATALINA_OPTS -Xms32m"
  export CATALINA_OPTS="$CATALINA_OPTS -Xmx4g"
  export CATALINA_OPTS="$CATALINA_OPTS -XX:MaxPermSize=256m"
  export CATALINA_OPTS="$CATALINA_OPTS -XX:MaxGCPauseMillis=750"
  export CATALINA_OPTS="$CATALINA_OPTS -XX:GCTimeRatio=9"
  export CATALINA_OPTS="$CATALINA_OPTS -server"
  export CATALINA_OPTS="$CATALINA_OPTS -XX:+DisableExplicitGC"
  export CINNAMON_HOME_DIR="/opt/cinnamon/cinnamon-system"
  

• Set the permissions to the file /opt/tomcat/setenv.sh.

  chmod ug+x /opt/tomcat/bin/setenv.sh
  

• Upload cinnamon.zip to /home/install.
• Unzip the required files and move Cinnamon content and system files to the correct location:

  cd /home/install
  unzip cinnamon.zip
  cd cinnamon
  mv cinnamon-data /opt/cinnamon
  mv cinnamon-system /opt/cinnamon
  

• Create database and import SQL dump.

  sudo -u postgres psql template1
  create database content with owner=cinnamon;
  \q
  sudo -u postgres psql content < /home/install/cinnamon/content.sql 
  

• Change the owner and permissions of the Cinnamon directories.

  cd /opt/cinnamon
  chown -R cinnamon:tomcat cinnamon-data
  chown -R cinnamon:tomcat cinnamon-system
  chmod -R 770 cinnamon-data
  chmod -R 770 cinnamon-system
  

• Edit the password settings in the config files. TODO details
• Move cinnamon.war and change its owner.

  mv /home/install/cinnamon/cinnamon.war /opt/tomcat/webapps
  chown -R tomcat:tomcat /opt/tomcat/webapps/cinnamon.war
  

• Set Tomcat service to start automatically.

  systemctl enable tomcat
  

• Start Tomcat.

  service tomcat start
  

Installing Cinnamon Asynchronous Engine (CAE)

• Create a new group and user for CAE.

  groupadd cae
  useradd -s /bin/bash -g cae -d /opt/cae cae
  mkdir /opt/cae
  

  • The home directory of this account is set to /opt/cae.
  • The shell of this account is set to /bin/bash. For debugging purposes, it is useful to log on as the CAE user and run CAE from the shell.
  • Optionally, the shell can be set to /bin/false, disabling login as CAE user. Instead, testing can be performed as root.
• Unzip the file cae.zip to /opt/cae.
• Install dependencies, particularly mono from their repository (instead of the Debian packages).

  apt-get install apt-transport-https dirmngr gnupg ca-certificates
  apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
  echo "deb https://download.mono-project.com/repo/debian stable-stretch main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
  apt update
  apt-get install mono-complete ca-certificates-mono imagemagick
  

• Configure CAE.
  • Edit the configuration file.

    nano /opt/cae/bin/CinnamonAsynchronousEngine.config.xml
    

  • Set the user credentials.

    NOTE: Details will follow.

• Transfer folder structure to user cae.

  chgrp -R cae /opt/cae
  chown -R cae /opt/cae
  chmod -R 770 /opt/cae
  

• Set owner and permission to script.

  chgrp cae /opt/cae/bin/cae.sh
  chown cae /opt/cae/bin/cae.sh
  chmod a+x /opt/cae/bin/cae.sh
  

• Set the script to be automatically started, and restarted when it exits (for any reason).
  • Copy cae.sh to run.

    cp /opt/cae/bin/cae.sh /opt/cae/bin/run
    

  • Create the crontab.

    crontab -e
    

  • Append the following code at the end of the crontab.

    120 seconds sleep time is on the safe side. On most systems, much shorter times work safely, e. g. 30 seconds. If the sleep time is too short, the process may fail to start correctly, so do not configure this value too small.

    @reboot sleep 120; supervise /opt/cae/bin
    

  • Save and close the file.

Backup

Cinnamon itself does not contain a backup mechanism, since all data is contained in the PostgreSQL database and the content files. Both can be backed up with operation system or database standard means.

The backup configuration in detail depends on the system environment and the available backup target.

A sample configuration, using rsync to copy the content and the standard database dump utility to backup the database can be found in reference (2). The configuration described there is successfully used in several production systems and has the advantage to avoid huge content transfer every night due to the differential rsync function.

References

• (1) Safe passwords
• (2) Backup and restore of a Cinnamon repository