< Contributors | Russ Allbery > Software > INN > INN CURRENT Documentation |
This is an installation checklist initially written by Rebecca Ore, intended to be the beginning of a different presentation of the information in INSTALL, since getting started with installing INN can be complex. Further clarifications, updates, and expansion are welcome.
This checklist explains the steps to follow for a standard installation with reasonable defaults.
The first part of this documentation can be skipped if INN is already installed on your system. Some distributions provide a package, which should be used in preference of building from scratch.
Download the INN tarball and unpack. Make sure that you download the last release from <https://ftp.isc.org/isc/inn/> or a snapshot from <https://ftp.isc.org/isc/inn/snapshots/>.
Make sure there is a news
user (and a news
group to which the news
user belongs). If necessary, you can use:
adduser --group --home /usr/local/news news
where /usr/local/news is the home directory for the news
user. This
directory will be passed to configure
via the --prefix option. It will
also be set as pathnews in inn.conf.
Work out configure options (./configure --help
for a list). If you
aren't working out of /usr/local/news, or want to put some files on a
different partition, you can set the directories now (or later in pathnews
in inn.conf if you change your mind). By default,
--prefix=/usr/local/news is used.
You probably want --with-perl. You might want to compile in TLS and SQLite, if your system supports them. You will need to have the relevant external libraries to compile (depending on whether you use OpenSSL for TLS access to your news server, libcanlock to verify the authenticity of cancel articles, Perl and/or Python for spam and abuse filtering, etc.) and to correctly set the right paths to external programs (like for GnuPG to verify the authenticity of Usenet control messages).
./configure --with-perl --with-openssl --with-sqlite3 --with-canlock ... make su make install
Note that if you update a previous installation of INN, you should use
make update
instead of make install
to keep your configuration files.
If you wish to use TLS, you can use make cert
to generate a self-signed
certificate and a private key.
Make sure the directory /usr/local/news and its subdirectories
are owned by news
, group news
.
(If you ran make install
as root, all of the ownerships and permissions
should be correct.)
You want to be careful that things in that directory stay owned by
news
-- but you can't just chown -R news:news
after the install,
because you may have binaries that are SUID root. You can do the build
as any user, but you need to be root when doing make install
so as to
set the permissions correctly. After that point, though, you may want to
su news -s /bin/sh
to avoid creating any files as root. (For routine
maintenance once INN is working, you can generally be root. However,
it is always better to be accustomed to doing that as the news user.)
Find INSTALL and open a separate window for it. A printout is probably a good idea -- it's long but very helpful. You'll find in INSTALL more information and background about each step in this document.
Now it's time to work on the configuration files in your pathetc directory.
Start with inn.conf; you must fill in or check organization (which can
be commented if you do not want to add a default Organization header field to
every post from your server), your path identity in pathhost (usually your
fully qualified domain name), the NNTP server to use for posts (server
is commonly set to localhost
), the maximum size of articles you accept
(maxartsize, set to 1 MB by default), and the abuse e-mail address
(complaints).
To store overview data, start with tradindexed overview method, already set by default in the ovmethod parameter, but know that there are various other options with their own pros and cons, as detailed in INSTALL. (Especially, the ovsqlite overview method is also a good choice if your INN installation has SQLite support.)
To store articles, start with traditional spool (named tradspool), but know that there are various other options with their own pros and cons, as detailed in INSTALL.
The default storage.conf file is already parameterized to use that storage method.
Configure in expire.ctl how long articles should be kept in your news spool. The default of 90 days maybe does not fit your needs. You can use different values for specific newsgroups or hierarchies depending on your interest in them.
Run <pathbin in inn.conf>/inncheck -a -v -f --pedantic --perm
and fix
anything noted; inncheck gives a rough check on the appropriateness of the
configuration files as you go.
Note that inncheck is very conservative about permissions; there's no reason most of the config files can't be world-readable if you prefer that.
You can now import an active file (pathdb in inn.conf/active) and run inncheck again. You may want to look at <https://ftp.isc.org/pub/usenet/CONFIG/active> and only keep the lines corresponding to the newsgroups you are interested in. Also import a newsgroups file which contains the descriptions of these newsgroups (see for instance <https://ftp.isc.org/pub/usenet/CONFIG/newsgroups>).
Note that it is not necessary to do that now. INN is shipped with minimal
active and newsgroups files and you can add newsgroups later with
ctlinnd newgroup
or actsync (have a look at the examples at the end of
the actsync(8) man page for how to use it concretely).
Review the subscriptions file, and update it according to the newsgroups you carry on your news server. This file, which may be empty, is used by a few news clients to suggest newsgroups on the first time they connect to a news server.
Create secrets in inn-secrets.conf to enable the generation of Cancel-Lock header fields in articles posted via your news server. Other news servers will then be able to verify the authenticity of possible further cancels for these articles. See the inn-secrets(5) man page for how to generate secrets.
Create the cron jobs (especially news.daily), the log files, and make the changes to your system's syslog.conf as noted in INSTALL.
Create a local mail alias for usenet
(editing your /etc/aliases file for
instance). It will be useful for daily Usenet reports sent by news.daily
and other parts of the system.
If necessary, add the path to INN's binaries (as set in pathbin in
inn.conf) to the news user's path and the path to INN's man pages (usually
pathnews/share/man) to the news user's MANPATH
in your shell config
files. (You may also want to do this, especially the second part, on your
regular account; the man pages are very useful.)
You can do this now or later, but you will certainly want the man pages to help with configuring INN.
For bash, try to add in your ~/.bashrc file:
PATH=<pathbin in inn.conf>:$PATH export PATH MANPATH=<pathnews in inn.conf>/share/man:$MANPATH export MANPATH
or csh in your ~/.cshrc file:
setenv PATH <pathbin in inn.conf>:$PATH setenv MANPATH <pathnews in inn.conf>/share/man:$MANPATH
although if you don't already have MANPATH
set, the above may give an
error or override your defaults (making it so you can only read the news
man pages); if echo $MANPATH
does not give some reasonable path, you'll
need to look up what the default is for your system (such as /usr/man or
/usr/share/man).
For the time being, we can see if everything initially works without worrying about feeds or reader access.
Start innd by running pathbin/rc.news as the news user. It is also what you should launch in your init scripts so that INN starts when your server boots:
su news -s /bin/sh -c <pathbin in inn.conf>/rc.news
Samples of init.d and systemd init scripts are present in the contrib directory (and certainly already set up on your system if you installed INN with a package for your distribution).
Check news.crit, news.err and news.notice in your pathlog
directory to see if everything went well; also use ps
to see if innd
is running.
telnet localhost 119
and you should see either a welcome banner or a no
permission to talk
message. If not, investigate.
Send QUIT
to end the telnet connection.
When you complete your configuration, do not forget to reload changed files
(see the ctlinnd reload
command in the ctlinnd(8) man page). You can also
see whether ctlinnd checkfile
reports any problems.
The following features are commonly used. Though not mandatory, they are recommended and can of course be set up later.
You may want to configure the process of newsgroup control messages to keep your list of newsgroups up to date (search for PGPKEYS in INSTALL to find the Section explaining that). Also see controlchan(8) for how to set up the newsfeeds entry.
You may want to configure the process of NoCeM notices used to cancel unwanted articles like spam (see the perl-nocem(8) man page).
You may want to install a spam and abuse filter. Good choices are either Cleanfeed (a widely used Perl filter you can find at <http://www.mixmin.net/cleanfeed/>) or PyClean (also a great Python filter you can find at <https://github.com/crooks/PyClean>).
You need to have an INN installation built with Perl and/or Python support to be able to use these filters.
You may want to submit your Path header field statistics to <http://top1000.anthologeek.net/>. Have a look at the ninpaths(8) man page to see how to do that.
All of this can be done while INN is running.
The first step is to get a news feed. You can ask for an external feed in the news.admin.peering newsgroup. Several news administrators will certainly respond and gracefully provide you with a news feed.
To get your incoming feeds working, edit incoming.conf. When done,
ctlinnd reload incoming.conf 'reason'
to reload that file (where reason
is some text that will show up in the logs -- anything will do). You'll
find examples in the incoming.conf(5) man page for how to set up this file.
To get your outgoing feeds working, edit newsfeeds and innfeed.conf.
When done, ctlinnd reload newsfeeds 'reason'
and ctlinnd flush innfeed!
to reload these configuration files. You'll find examples in the newsfeeds(5)
and innfeed.conf(5) man pages for how to set up these files.
In readers.conf, remember that authentication and authorization are configured in different blocks. You'll find useful examples in the readers.conf(5) man page. Also have a look at the description of the -f flag in the ckpasswd(8) man page, if you need to set up a password file.
You don't need to reload anything after modifying readers.conf; every time a news client connects to the server, a new nnrpd process is spawned and reads its configuration from disk.
If you wish to use TLS for your readers, you can either use the same readers.conf file or use two different files (for instance readers.conf and readers-tls.conf). The syntax is similar for both files. You then need to start a second nnrpd to listen to these connections to NNTPS port 563 and put something like that in your init scripts:
su news -s /bin/sh -c '<pathbin>/nnrpd -D -c <pathetc>/readers-tls.conf -p 563 -S'
Note that a news client which supports the STARTTLS command can also use the conventional NNTP port 119 to dynamically upgrade from unencrypted to TLS-protected traffic during an NNTP session. However, this practice is discouraged in favour of using the separate port 563. See nnrpd(8) for more information about TLS support.
< Contributors | Russ Allbery > Software > INN > INN CURRENT Documentation |