Building And Running Nuxeo In The Cloud

Thu 29 January 2009 By ismith

The best way solve any problem is to figure out how to avoid it, making
the solution trivial. To help you in this effort, we have set up something
so if you want to build and run Nuxeo EP 5 from source--you don't have to
do any of the work! Woot! In honor of this year's Super Bowl (American
Football, or "Gridiron," championship) coming up this weekend, I'll break
this blog post into football-sized chunks.

Pre-Game Analysis

As most of you know, I'm a big fan of "the cloud." I have spent a lot
of time over the last couple of years working with the amazon cloud pretty
extensively. I've set things up for you so that you can quite easily
"grab, rebuild, and deploy" nuxeo from the source code repository. I must
admit, though, in all honesty that I really built this so I could do the
same. I recently moved my desktop to the cloud and so I set up something
similar to this for my own use. I've been using this configuration many
hours a day for a week or two now, so it's quite stable.

The 1st Quarter

You'll need to know how to use Amazon's cloud to use this setup. If you
are familiar with EC2 + S3 then skip to the 2nd quarter.

There are several tutorials out there to get you quickly up to speed on
using Amazon's cloud services:

The 2nd Quarter

The critcal thing you need is the Amazon Machine Instance, or AMI:


With this, you can boot up an instance running my kernel--I've based
this on a pretty vanilla ubuntu 8.04 (Hardy) release. If folks have strong
feelings and want to build one for a different distro, drop me a note and
I'll advise you on how to do it and post the results. Here's the command
(roughly) that I use to start up an instance:

ec2-run-instances -K myprivatekey.txt -C mycert.txt -g webapp -k mykeypair -t m1.large ami-be9275d7

Warning: This image is for a 64 bit linux kerel, so you must
use one of the larger image sizes from amazon.
I usually use
m1.large, as shown above, since it seems to perform quite well
when running (and indeed building) nuxeo.

You should now wait a few seconds for amazon to assign you a public DNS
name. It will be something like this: and when you have
it, you should ssh to your new instance. It's now half-time, so sit back
and enjoy the commercials...

The Half Time Show With Bruce Springsteen

First, be sure to make sure that feel one with "The Boss." The league
paid him a zillion dollars to be the half-time act and even a few zillion
more to make him get offstage after 15 mins.

Now, in terms of discussion the 30 mins of what you have just done,
even though you have just done (seen) in: You've got yourself a running
image that has all the tools ready and installed (as root) to build nuxeo
from source and run a server so you can "kick the tires a bit."

Remember: Defense wins championships...

The 3rd Quarter

The next step is to pull the latest version of the source from the
source code repository at

[email protected]:~# cd /usr/local/src/nuxeo
[email protected]:/usr/local/src/nuxeo# hgf pull

The command hgf is actually a shell function defined in
root's .bashrc file. This will traverse all the nuxeo source
code directories that are located in this directory (such as
nuxeo-core and nuxeo-platform) and use mercurial
to grab the latest version of the code from the server. Don't worry if you
have never used mercurial before, there is nothing about mercurial you
need to know if you follow the next two commands...

[email protected]:/usr/local/src/nuxeo# hgf up -C 5.2

This command applies all the downloaded updates to the nuxeo packages
that are currently at version 5.2. You will see some messages like

abort: unknown revision '5.2'!
abort: unknown revision '5.2'!

This is because some of the packages use a different numbering scheme.
Naturally, you need to update them as well with an "up" command like

[email protected]:/usr/local/src/nuxeo# hgf up -C 1.5

This, of course, causes all the updates that "worked" last time to
complain that they have no revision 1.5. This can be safely ignored.

To build the source and run it, just type "ant" in the main source
directory. If you watch carefully, you'll notice that ant is being used to
fork off maven builds. Yes, that's really what you want.

[email protected]:/usr/local/src/nuxeo# ant

A full build from a source on an amazon m1.large machine takes a bit
more than 1 minute. When you are done you should see the maven message
"Build Successful."

The 4th Quarter

Remember when the commentators at half-time said that "Defense wins
championships?" Well, there are a couple of security issues to think
about. On the machine where you launched the instance you will need to
enable traffic to reach your new instance by modifying the amazon security
group. I use the group webapp and I enable traffic to port 8080 like

ec2-authorize -K myprivatekey.txt -C mycert.txt -P tcp -p 8080 webapp

You need to be careful with a command like this, because it now means
that the public internet can send traffic to that port. It's a good idea
to revoke this permission as soon as you are done playing around with

ec2-revoke -K myprivatekey.txt -C mycert.txt -P tcp -p 8080 webapp

Another security concern is that the instance is setup with a very
"vanilla" copy of JBoss 4.2.3. This means that there are various parts of
the server that should be secured before you consider running the server
for very long. To run the server you need to change to the jboss
installation and run a script:

[email protected]:~# cd /usr/local/jboss4.2.3/
[email protected]:/usr/local/jboss4.2.3# bin/ -b

The parameter to this script tells JBoss to bind to all available
interfaces rather than just to localhost. Binding to localhost is
something that JBoss does for security reasons, but unless you are doing
SSH tunnelling or something that like that, it's not much use in the cloud
since you can't run a web browser very easily on this instance. It takes
the server about 1 minute to completely boot up and then you can just
point your web browser at:

and you should see the login page. The default credentials are username
"Administrator" and password "Administrator." You've just won the

Post-Game Analysis

With a running server, it will be tempting to just run this server as
your production copy of Nuxeo. This a nice idea, but there are some things
that you will want to do before thinking about deploying this.

  • You need to secure your JBoss server. You can see that it is
    vulnerable by going to the URL with your browser and poking around with
    the JBoss administration tools:

There are a number of documents out there about securing jboss such as

  • Now! Change your Nuxeo Administrator password!

  • Ok, after those two things are done at least you are not in a world
    of trouble. You may want to set jboss up to bind to all interfaces by
    default and perhaps to use port 80 instead of port 8080. The file to
    change for these two things is
    Look for the "Connector" tag.

Finally, you may want to think about using a more "production" database
than the default one (h2) if you plan on using this copy of Nuxeo heavily.
The instance comes packaged with a copy of postgres 8.3 so you will need
to just (!) configure the postgres instance and configure Nuxeo instance
to use it as explained in
Be aware also that the instance is set up to have two "disks" and you
probably want to put your data on the "ephemeral" storage of
/mnt if you think you will have a large amount of data. But,
then again, that means you'll have to configure backups correctly since
/mnt gets wiped on each reboot.

Please let me know if you have questions, comments, or improvements!

Category: Product & Development