Tuesday, 10 September 2013

FreePBX Production Install Guide (RHEL v6, Asterisk v11+, FreePBX v2.11+)

 SOURCE: http://www.powerpbx.org/content/rhel-asterisk-freepbx-install-guide-rhel-v6-asterisk-v11-freepbx-v211

Changes in this guide include Asterisk 11 which requires at least FreePBX v2.11.  Also cdr_mysql module has been deprecated so FreePBX 2.11 adds support for the ODBC method. This install guide adds configurations to enable the new method.  You can continue to use the old method for as long as the cdr_mysql module is included in Asterisk and still functional.  It's just no longer being maintained by the people at Asterisk. There are a lot of other little changes to this guide too numerous to mention.
Tested on CentOS 6.4

New dependency for Asterisk v11.5+

If upgrading from a previous version of Asterisk such as v11.4 you will need to install a new dependency otherwiseres_rtp_asterisk.so module will not compile.  This dependency has been added to the required packages list below.  This note has been added here in case you are only recompiling a newer version of Asterisk and not installing from scratch.
yum install libuuid-devel

Let's get started

If you are installing Linux from scratch using Anaconda via install CD select "basic server" group then proceed with the install.   Skip down to the yum -y update part.
Otherwise, it is assumed you already have a server with a base CentOS installation before you begin.  Do NOT install a GUI such as Gnome or KDE.  We only want to be running in console text mode not GUI graphics mode.  If you already have a desktop or server GUI installed you will want to exit to console mode.  You do that by typing init 3 from a terminal or console window.  You will need to be logged in as root in order to do this so if not you can su root.  All instructions in this guide are assuming you are always logged in as root.

Install Asterisk/FreePBX required packages, other useful packages, and their dependencies

yum -y update

yum groupinstall core
yum groupinstall base

yum install gcc gcc-c++ wget bison mysql-devel mysql-server php \
php-mysql php-process php-pear php-mbstring tftp-server httpd make \
ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver \
sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel \
subversion nano kernel-devel selinux-policy sqlite-devel openssl-devel \
libuuid-devel tzdata

Install CDR ODBC required packages

yum install libtool-ltdl-devel unixODBC unixODBC-devel mysql-connector-odbc

Install optional packages

chan_gtalk, chan_motif, and res_xmpp will not compile unless iksemel-devel and it's dependencies are installed. For CentOS 6, iksemel is in the EPEL repository.
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install iksemel-devel

Install pear DB

Don't worry about the warning message.
pear install db

Firewall

Check if the firewall (iptables) is enabled by default and if the RHEL v6 default configuration blocks the FreePBX web GUI.  If you know what services/ports are required you can run system-config-firewall-tui and configure the firewall as required.
At a minimum, the following ports need to be opened:
TCP 80 (www)
TCP 4445 (Flash Operator Panel)
UDP 5060-5061 (SIP)
UDP 10,000 - 20,000 (RTP)
UDP 4569 (IAX)

Another option is to remove existing settings from the firewall and save.
iptables -P input accept
iptables -X
iptables -F
service iptables save
Alternatively, you can disable the firewall for now and prevent it from starting on reboot.
service iptables stop
chkconfig iptables off

Selinux

Selinux is not required or recommended.  This will create the required file if it does not already exist.  If it already exists set SELINUX=disabled.
nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.

SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
Make sure selinux is turned off for this session
setenforce 0

TFTP

If you plan to use hardware SIP phones you will probably want to enable the tftp server.
nano /etc/xinetd.d/tftp
change server_args = -s /var/lib/tftpboot
to server_args = -s /tftpboot
change disable=yes
to disable=no
mkdir /tftpboot
chmod 777 /tftpboot
service xinetd restart

Set Timezone

Copy your timezone from this link or use tzselect
tzselect
System timezone
Create a symbolic link to the appropriate timezone from/etc/localtime.
Example:
ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime

PHP Settings

PHP timezone (Optional)

If not set and using php v5.3+ (the version included with RHEL6) it will revert to the default timezone of the Operating System.  FreePBX v2.9+ used to complain about this but FreePBX v2.11 does not seem to complain so I don't think this setting is necessary anymore and will not have any consequences.
nano +946 /etc/php.ini
Uncomment (;) date.timezone = and add your timezone

Memory Limit

The recommended setting is 128M otherwise you may get warnings in FreePBX.
nano +457 /etc/php.ini
memory_limit = 128M
Restart apache for the changes to take effect
service httpd restart

Download and untar source files.

Get and install DAHDI

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz
tar zxvf dahdi-linux-complete*
cd /usr/src/dahdi-linux-complete*
make && make install && make config

Get FreePBX

Check if this is the latest released version.
cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.11.0.tar.gz 
tar zxvf freepbx-2.11*

Get and Install Asterisk

Do NOT run make samples.  If you do it causes some problems you will have to clean up later on.  If you run make samples on an already running FreePBX system you are upgrading it will break FreePBX. You will then have to manually change back user/password in /etc/asterisk/manager.conf and probably some other things to get it working again.
cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
tar zxvf asterisk-11-current.tar.gz

cd /usr/src/asterisk-11*/
make clean && make distclean
-------------------------------------
IMPORTANT 32 vs 64bit OS NOTE: Make sure to choose the correct version of the following command otherwise Asterisk v11 will not work properly even thought it may indicate it's running.
Use this ONLY for 32bit Operating Systems
./configure CFLAGS=-mtune=native && make menuselect
Use this ONLY for 64bit Operating Systems
./configure CFLAGS=-mtune=native --libdir=/usr/lib64 && make menuselect
Asterisk v11 compiles with CFLAGS=-match=native which appears to compile for CPU features that are not necessarily available on a virtual machine and can cause errors. CFLAGS=-mtune=native appears to be more compatible across various configurations.
If you want to be more precise and optimal for your cpu you can try cat /proc/cpuinfo
Then find your cputype from the gcc cpu options manual.
And use CFLAGS=-mtune=mycputype.  The downside is that it may not work if you move it to different hardware or if you are using a virtual machine.
If none of those work try CFLAGS=-mtune=generic which is probably the least optimal but most compatible across different CPU types.
---------------------------------------
Select format_mp3 in addons if you are going to be doing anything with mp3 files.  For backwards compatibility and fall back in case ODBC doesn't work you may as well install the deprecated cdr_mysql as well.
FreePBX does not use Asterisk realtime but if you are thinking of using A2Billing then also select res_config_mysql.  Select Core and Extra sounds.  I suggest ulaw as they sound better than gsm especially if you are using ulaw as your default codec.  I usually just check both.  Then make sure to press the save button afterwards.
When you select format_mp3 above as an addon you must run a script before going any further otherwise the install will fail.
./contrib/scripts/get_mp3_source.sh
You must also have subversion installed to run the above script and be in the root directory of the Asterisk source code.
Now compile and install Asterisk.  DO NOT run make samples even though the install script suggests you do.  It will cause conflicts with FreePBX config files.
make && make install
Create Asterisk user.
adduser asterisk -M -d /var/lib/asterisk -s /sbin/nologin -c "Asterisk User"

Music on Hold

The Asterisk default moh directory is "/moh" and the Freepbx default moh directory is "/mohmp3".  If we create a symbolic link everything is in one place and can still be found by both FreePBX and Asterisk.
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
The recommended music on hold behaviour for Asterisk and Freepbx is to only use wav files due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically.  If you won't be uploading mp3's or don't want them converted then you probably don't need to install mpg123.  If not sure then install.
cd /usr/src
wget http://sourceforge.net/projects/mpg123/files/mpg123/1.15.4/mpg123-1.15.4.tar.bz2/download
tar -xjvf mpg123-1.15*

cd mpg123-1.15*/
./configure && make && make install
Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.
ln -s /usr/local/bin/mpg123 /usr/bin/mpg123

Change Apache User

Change User apache and Group apache to User asterisk and Group asterisk.
sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

MySQL Setup

Before you can do anything to MySQL, you need to make sure it's running:
NOTE: If running RHEL/CENTOS/SL 6 you may need to run this first.
mysql_install_db
Try without and see if it starts first.
service mysqld start
Initializing MySQL database:                  [  OK  ]
Starting MySQL:                               [  OK  ]

Now, to configure the databases for freePBX:
Note: If mysql admin password is already configured, add "-p" after the command and enter password when asked.  For example, mysqladmin -p create asterisk
cd /usr/src/freepbx-2.11*/
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql
They also need to be secured.  FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked asteriskuser and amp109 If you use these well know defaults and your server is not firewalled make sure to set bind-address = 127.0.0.1 further down in this procedure so that MySQL only listens to localhost.
Security check: It's very important to check that Allow Login With DB Credentials is set to FALSE in FreePBX Advanced Settings GUI.  This is the default setting.  If it were set to TRUE and you were using the default credentials of asteriskuser/amp109 and your FreePBX GUI were exposed to the internet (ie. the http port), anyone could log into your FreePBX GUI as administrator using those credentials.
mysql
mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example.  You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.
mysqladmin -u root password 'abcdef'

Install FreePBX

/usr/sbin/safe_asterisk
cd /usr/src/freepbx-2.11*/
IMPORTANT 64bit OS CHANGE  For 64bit Operating systems and Asterisk v11 do the following.  If you don't do this before running install_amp you can make 2 changes manually afterwards in /etc/asterisk/asterisk.confand in FreePBX advanced settings GUI as explained further down in this procedure:
sed -i "s_/usr/lib_/usr/lib64_" asterisk.conf install_amp libfreepbx.install.php
Now run the FreePBX install script.  Select all defaults for now by hitting the ENTER key at each prompt.
./install_amp
If you get any warnings or errors they're usually not traumatic.
64bit OS Check: For 64bit Operating Systems and Asterisk v11 check that the following is true:
/etc/asterisk/asterisk.conf contains astmoddir => /usr/lib64/asterisk/modules and not astmoddir => /usr/lib/asterisk/modules
Default username is: admin Default pw is: admin
Or create your own which is the new default behaviour on FreePBX v1.11
set FreePBX to start on boot
echo /usr/local/sbin/amportal start >> /etc/rc.local
Enable Apache and MySQL to start on boot
chkconfig httpd on
chkconfig mysqld on
Now reboot at which point you should be able to access FreePBX with your web browser.  The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is Apply Configuration Changes which is a button or bar that shows up at the top of the GUI.  This generates all the *.conf files.  It may also be necessary to reboot again or amportal restart from command prompt.
If you have pre-existing *.conf files in /etc asterisk because your ran make samples or are upgrading from older versions of Asterisk/FreePBX you will get symlink fail error messages in FreePBX system staus page.  Just delete or rename those files.  The next time you Apply Configuration Changes in the FreePBX GUI the symlinks will be created and the errors should be gone.
64bit OS Check:
If Asterisk v11 on 64bit go into FreePBX GUI>Advanced settings, enable Display Readonly Settings and Override Readonly Settings.  Make sure the Asterisk Modules Dir setting is /usr/lib64/asterisk/modules and NOT /usr/lib/asterisk/modules.

CDR ODBC

This is optional if you selected the deprecated cdr_mysql module in Asterisk menu at compile time. This is the new recommended way of connecting to the CDR DB.  Eventually this will be required when cdr_mysql no longer works or is no longer included with Asterisk.
nano /etc/odbc.ini
[MySQL-asteriskcdrdb]
Description     = MySQL ODBC Driver
Driver          = MySQL
Socket          = /var/lib/mysql/mysql.sock
Server          = localhost
Database        = asteriskcdrdb
Option          = 3
Test that the ODBC driver is working
odbcinst -s -q
should result in[MySQL-asteriskcdrdb]
Test that linux can connect to the DB
isql -v MySQL-asteriskcdrdb 
should result in
+---------------------------------------+
| Connected!                            |
|                                       |
| sql-statement                         |
| help [tablename]                      |
| quit                                  |
|                                       |
+---------------------------------------+
SQL>

Type quit to exit
Lastly create or add the following so Asterisk can connect
nano /etc/asterisk/cdr_adaptive_odbc.conf
[first]
connection=asteriskcdrdb
table=cdr
alias start => calldate
-------------------------------------------------------------------------

Misc. optional settings

Change the “upload_max_filesize” from 2M to 20M to allow larger music on hold files
RHEL 6.
nano +878 /etc/php.ini
Edit Apache web server for GUI access using a port other than 80:
nano +134 /etc/httpd/conf/httpd.conf
change Listen 80 to Listen 8888 or whatever port you want
Change default Apache setting of AllowOverride None to All so that Apache obeys directives in .htaccess files which by default prevents viewing sensitive directories on Freepbx.
nano +338 /etc/httpd/conf/httpd.conf
AllowOverride All
And restart apache.
service httpd restart
Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx You now access it by http://xxx.xxx.xxx.xxx:8888
Setup external sip extensions if going through NAT.  Alternatively the new and improved way of doing this is using the Asterisk SIP settings module
nano /etc/asterisk/sip_nat.conf
nat=yes
externip= or
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
;change the above to whatever your local subnet is
externrefresh=10
When adding external SIP extensions in FreePBX, make sure to change the nat=no default in the configuration to nat=yes for the extension that will be external.  Change that default globally in the Advanced Settings menu.

Install FreePBX commercial module dependencies

If you want to install commercial modules you need zendguard and some additional dependencies found in schmoozecom commercial repo.
Install schmoozecom repo
wget -P /etc/yum.repos.d/ -N   http://yum.schmoozecom.net/schmooze-commercial/schmooze-commercial.repo
Install zendguard and commercial module dependencies.
yum install php-5.3-zend-guard-loader incron prosody

Log Files Configuration

If you don't want to see a bunch of notices, warnings and errors each time you restart amportal from command line and you don't want your asterisk log files getting huge from constantly writing debug information do the following:
nano /etc/asterisk/logger_logfiles_custom.conf
console =>
full => notice,warning,error
Also make sure freepbx debug logging is disabled in FreePBX GUI>Settings>Advanced Settings>Developer and Customization

logrotate setup

Set up configuration to rotate log files otherwise they get too big after a short while. Create the following file.
nano /etc/logrotate.d/asterisk
Now add the following to make sure the asterisk log files are rotated weekly along with all the other log files.
/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
Do the same for freepbx
nano /etc/logrotate.d/freepbx
/var/log/asterisk/freepbx_dbug /var/log/asterisk/freepbx_debug {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
Configure voicemail to email template
nano etc/asterisk/vm_email.inc
Change the template to what you want the voicemail emails to look like.  Check thathttp://ipaddress_of_Freepbx_server is correct

Root alias

Edit/etc/aliases file and add an email address to forward ‘root’ messages to your personal email address.  At the very bottom you should see a commented example.  Copy it and replace with your email address
root:   some_email@somedomain.com
Then run
/usr/bin/newaliases
after saving the file to rebuild the aliases database and have the change take effect.
Test if you can receive emails via sendmail which we are assuming is installed and running as is standard on RHEL 5 and 6.
service sendmail status
sendmail is running
sm-client is running

echo testing | mail -s "test mail" root@localhost
If you get an email then you can stop here.

Replace Sendmail with Postfix (optional)

If you do not get an email because it is being blocked or filtered or you want to customize, you can replace sendmail with postfix which is generally easier to configure.
yum install postfix
service sendmail stop
chkconfig sendmail off
chkconfig --add postfix
service postfix start
check if root alias email works or still works
echo testing | mail -s "test mail" root@localhost
Customize by editing or replacing /etc/postfix/main.cf.  A sample file is shown below.
cp /etc/postfix/main.cf /etc/postfix/main.cf.original
nano /etc/postfix/main.cf
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/
After editing reload the configuration.
service postfix restart

MySQL performance tuning

This will reduce memory usage without affecting performance.
nano /etc/my.cnf
[mysqld]
.
.
. skip-innodb
From command prompt:
service mysqld restart

MySQL security enhancement

This will prevent outside IP's from connecting to the MySQL port
nano /etc/my.cnf
[mysqld]
.
.
.
bind-address = 127.0.0.1

Add Password Protection to Flash Operator Panel GUI

By default, flash operator panel GUI (/var/www/html/admin/modules/fw_fop) is visible to anyone who points a browser at your server unless port 4445 is blocked by a firewall.   Here is one way to protect it.
mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/wwwpasswd NewUserName
Apache will prompt you for a new password for the user name you've just indicated
New password:
Apache will prompt you to retype your new password
Re-type new password:
Apache will then confirm the new user
Adding password for user NewUserName
Now you have to add the user name you've just created to the httpd.conf file. To edit that file in nano type:
nano +587 /etc/httpd/conf/httpd.conf
Now do a CTRL-W to search for AuthUser and you'll find the area where all the users are listed (for example: "maint", your AMP user).  If you don't find any try around line 587 right after the cgi-bin
Now add the following lines:
#Password protect the Flash Operator Panel Page /var/www/html/admin/modules/fw_fop

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user NewUserName
To delete an Apache user, type in the following and then remove the user from the httpd.conf file.
htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName
To change the password:
htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName
Then restart apache.
service httpd restart

No comments: