Maestro Update

SCC Maestro now consists of:

  • Maestro Desktop (WordPress, WP LDAP Simple Login)
  • Maestro Mail (SquirrelMail, Postfix, Dovecot)
  • Maestro Users (OpenLDAP, phpLdapAdmin)
  • Maestro Issues (MantisBT)
  • Maestro Parts, Manufacturing and Material (Tryton)

Significant advancements include Maestro Desktop, a launching point for Maestro components, a webmail client for Maestro Mail, and an IMAP mail interface to Maestro Mail for enterprise users to bring Maestro Mail into their own system.

Upcoming advancements include Maestro Documents, a new document management component, integrated with Maestro Desktop.

A VirtualBox virtual appliance will be available shortly. Use the contact form to receive additional information.

Maestro Update

SCC Maestro system now consists of the following integrated components:

  • Maestro Mail (Postfix, Mutt)
  • Maestro Users (OpenLDAP, phpLdapAdmin)
  • Maestro Issues (MantisBT)
  • Maestro Parts, Manufacturing and Material (Tryton)

Integration consists of single-point maintenance of user master data (authentication and email address) in an LDAP server, integrated with Issue Management and Material Management for user authentication.

The LDAP server (OpenLDAP) holds user names, login ids, and email addresses. Issue management (MantisBT) and material management (Tryton) authenticate users against OpenLDAP. If LDAP authentication fails (the user id is not known or the provided password is not authenticated), Tryton falls back to local authentication (Mantis has no fallback). Email notices from MantisBT and Tryton are sent and received internally via Maestro Mail, and can be read – and also sent – using the Mutt mail client.

The next integration milestone will bring significant mail improvements. A web-mail client will be provided for reading Maestro Mail, and an IMAP mail interface will be provided for enterprise users to bring Maestro Mail into their own system.

Protecting a FreeBSD server

In Episode 048 of the BSD Now podcast, Allan referenced a great blog post on twisteddaemon listing basic security steps to perform after a new install. The checklist is also a good guide for a mature server checkup, which I recently did with a production server. Besides confirming sshd was configured correctly for public-key login only, I found forgotten open ports related to ntpd and ftp enabled (neither of which I need anymore), and I also found syslogd was opening a port for remote logging (all of which have now been disabled).

In addition to the checklist, Allan also recommended using a tool like denyhosts to reduce ssh door knocking. I’ve never quantified the time being wasted checking the door, but I’m running older hardware and my server log lists several hundred to upwards of a thousand knocks per day, so it may be significant.

Installing denyhosts was pretty simple with the help of On How to Install denyhosts on FreeBSD. The only issue I had was how to include at least one allowed port to prevent accidentally locking myself out. I never connect to the server from a static IP address, and it’s not readily clear to me what addresses would cover my travels around town. However, the server is in the basement, so it’s not an issue so long as I’m not travelling.

I’ll let you know in a couple weeks how my server logs are looking, and if my 2G single-core P4 is feeling less stressed (and behaving snappier).

Other references:

Hosting php apps on apache using php-fpm

Here are notes from some research I did a while back on using php-fpm with Apache and Nginx. will likely never reach traffic levels where it would benefit, so I’m staying with Apache 2.2 and mod_php for now.


    • project site, code now included in php
    • discusses fpm but does not include specific install or config instructions (some posts though)


  • Google: apache+mod_proxy+fcgi+php
  • Google: apache+php+php-fpm+freebsd
  • TODO: add references etc to blog post on same topic

Project docs


Blogs, tutorials, and forums

    • Need to translate (Spanish? Italian?)
    • nginx forum, but discusses Apache2, php-fpm, FastCGI
    • also see referenced post,131665,144226#msg-144226
    • Configure Apache to use PHP-FPM
    • Apache with PHP-FPM, chroots and per-vhost UIDs
    • tcp port


Google: nginx+PHP+php-fpm+freebsd

Blogs, tutorials, and forums

    • nginx, php, php-fpm, ….
    • VERY detailed
    • uses tcp port to communicate with php-fpm
    • uses tcp port to communicate with php-fpm
    • provides nginx.conf file (downloadable)
    • intended use FuelPHP framework
    • uses tcp port with php-fpm
    • uses fastcgi (not fpm)
    • uses fastcgi
    • installing nginx with PHP FPM on FreeBSD 8.x-9.0
    • uses fastcgi
    • discusses both unix sockets and tcp port config with fpm
    • describes unix sockets on BSD for better performance (but must use tcp sockets with Linux due to kernel bug/issue)
    • tcp port

Maestro-Tryton in Closed-Alpha

I have written before about the Tryton framework. now includes a Tryton server and an “scc” database for implementing Maestro with Tryton – or Maestro-Tryton.

Maestro-Tryton is in Closed-Alpha, and will be publicly available when all basic SCC master data has been included – Users, Products, Bills-of-Materials (BOMs), Suppliers, Customers and Projects.

If you are interested in collaborating on the Maestro project, please leave a comment and I’ll contact you. You can access the Maestro project on GitHub to access the source data, read the Maestro project wiki, and submit wiki articles, updates, issues and other work to the project.

Configuring Git

I needed to configure Git on a new server recently (no GUI), and couldn’t remember my typical configuration.

Disable Output Color-Coding

Many developers can’t live without color-coded command-line output, but you may find (as I do) that less than perfect color vision combined with high ambient lighting and some screen glare results in a display that is essentially incomprehensible. To disable color-coded command line output from Git:

$ git config --global color.ui false
$ git config --global color.diff false
$ git config --global color.status false
$ git config --global color.branch false
$ git config --global color.interactive false

Ignore File-Mode Changes

Git may report that executable files (e.g. shell scripts) have been modified based on differences in file mode interpretation between Unix and Windows systems. If the mode of a file is set to executable and committed to a Git repository in a Unix environment, and then the repository cloned into a Windows environment, the file will be reported by Git in Windows as having been modified – based on its mode. This is the result of subtle differences between a Unix file system and a Windows file system. Committing the “modified” file in Windows and pushing the repository changes back to the Unix repository will result in the file not being executable in Unix (until its file mode is set back to executable).

If this is an issue for you, set your Windows global Git config (~/.gitconfig) to ignore file mode changes (but first, check that your global configuration will not be overridden by a repository configuration).

Check your global and local configs:

$ git config --global core.filemode
$ cd gitrepo
$ git config core.filemode

Set configuration to ignore file mode changes:

$ git config --global core.filemode false
$ cd gitrepo
$ git config core.filemode false

Flattening a directory structure on Windows

The other day I needed to copy all the files within a hierarchical directory structure in a shared network directory into a single directory. Here’s how I did it.

1) install the following GnuWin32 utilities from (this is much simpler than and add the bin directory (c:\Program Files\GnuWin32\bin) to your PATH environment variable.

  • CoreUtils
  • FindUtils
  • sed

2) Check the shared network directory for files with the same name, and either change names or delete files before copying. My shared network directory is mapped as I:\Share.

I:\>cd I:\Share
I:\Share>"c:\Program Files\GnuWin32\bin\find.exe" . -type f | sed "s/.*\///" | sort | uniq -d

The full path to “find” is needed because, although the GnuWin32 bin directory is on my command path, the Windows “find” command is found on my path before the GnuWin32 “find”. This can take some time – 15 minutes on a 5 year old laptop with a shared directory having 170k files and 22K directories!

3) Copy the files into a new “files” directory on X-drive:

I:\Share>mkdir X:\files
I:\Share>cp `find . -type f` X:\files


P.S. Thanks to ldenneau for the idea (

Using Tryton for Maestro Workflows

This article is part of a series on the Tryton framework, and complements the Maestro project on GitHub. This article explores a number of Maestro workflows using Tryton.

This article is a work in process.


The Swift Construction Company (SCC) manufactures a radio receiver called an Aircraft Wireless. The SCC buys assembled electronics circuit boards (part number 20000003) in lots of 5 from Trilogy-Net. The circuit boards are used in the assembly of Aircraft Wireless units (part number 10000003). When circuit boards arrive from Trilogy-Net at the SCC, they are inspected, identified with a serial number and stocked in inventory. The SCC has a number of customers for Aircraft Wireless units, including B&E Submarines who purchased an Aircraft Wireless system to evaluate.

Product Structure

|--- 90000012 EARPH,MONO,HI-Z,3.5MM
     |--- 10000002 ENCL,AIRCRAFT WIRELESS
     |    \--- 80000001 BOX,IP54,4.74X3.13X2.17",ALUM,BLK,SCREWS
     |--- 20000003 PCA,AIRCRAFT WIRELESS
     |    |--- 20000001 IND,830UH,AIRCRAFT WIRELES
     |    |    |--- 90000001 WIRE,MAGNET,38AWG,POLY
     |    |    |--- 90000002 MAG,FERRITE ROD,1/4IN X 4IN,MATL=61
     |    |    \--- 90000003 TAPE,ELECTRICAL,3/4",BLUE,VINYL
     |    |--- 20000002 PCB,AIRCRAFT WIRELESS
     |    |--- 90000004 CONN,PHONE,F,MONO,PCB,3.5MM
     |    |--- 90000005 CAPV,150-230PF,TOP ADJUST,PCB
     |    |--- 90000006 DIO,SIG,GERM,0A95,AXIAL,D0-7,GLASS
     |    |--- 90000007 CAP,ELEC,10UF,16V,20%,RADIAL,ROHS
     |    |--- 90000008 CAP,CER,33PF,100V,10%,RADIAL,ROHS
     |    |--- 90000009 CAP,CER,3300PF,100V,10%,RADIAL,ROHS
     |    |--- 90000010 RES,AXIAL,2.0M,0.4W,1%,MF,ROHS
     |    \--- 90000011 RES,AXIAL,5.6M,0.4W,1%,MF,ROHS
     |--- 80000003 SCREW,MACHINE,PHIL,4-40X1/4,SS
     |--- 80000004 WASHER,FLAT,4-40
     |--- 80000006 STANDOFF,HEX,4-40,0.5"L,ALUM
     |--- 80000007 WASHER,LOCK,#4,INTERNAL TOOTH
     |--- 90000016 CONN,RING,16-22AWG,#4,RED
     |--- 90000017 WIRE,STRANDED,16AWG,GREEN,POLY
     \--- 90000018 WIRE,STRANDED,16AWG,YELLOW,POLY

|--- 90000012 EARPH,MONO,HI-Z,3.5MM Maplin LB25C
|--- 20000003 PCA,AIRCRAFT WIRELESS Trilogy-Net SCC:20000003


Serialized Stock Purchased by a Customer

This workflow explores serialized stock in the context of a customer purchase. B&E Submarines desires to purchase a spare parts kit for the Aircraft Wireless unit they previously purchased. A serialized circuit board is used in the assembly of the spare parts kit (preferably a phantom-type BoM to make the parts in it visible), which is then sold and delivered to B&E.

Sometime later, Ed Bentley calls from B&E. He says he found a circuit board, but he doesn’t know if it is the circuit board from the spares kit. Ed is not sure, but he thinks the original board might have failed and he swapped it with the one from the spare parts kit. Ed wants to know if the serial number on the board is the same as the board shipped in the spare parts kit he bought.

Serialized Stock Consumed by a Project

Explore serial numbers in the context of a project. B&E Submarines plans to upgrade 5 of their submarines with Aircraft Wireless systems. A contract is negotiated between the SCC and B&E, and the SCC initiates a Project to capture all related activity (of which the physical receiver units are only one portion). Complete radio receivers PN 10000003 are manufactured, each with its own serial number, traceable to the serialized electronics circuit board within. The completed radio receivers are sold and delivered to B&E as part of the overall project.

Sometime later, Ed Bentley calls from B&E. He has a circuit board in his hand again, and wants to know where the serial number came from. Ed asks if the circuit board was from one of the 5 receivers delivered as part of the upgrade project.

Create, sell, ship, and return a field spares kit

  • Create manufacturing order
  • Issue material to order (serialized PCA)
  • Deliver order to customer
  • Return order from customer
  • Return material to stock (serialized PCA)

Related Topics

Visual display of model

  • Start Tryton client and connect to tryton database.
  • Access Administration > Models and select a model to view the schema for.
  • Select the report icon on the toolbar followed by the “Graph” action.
  • Select the number of levels to display.

Importing Maestro data into Tryton

This article is part of a series on the Tryton framework, and complements the Maestro project on GitHub. This article explores importing basic Maestro data into Tryton.

This article is a work in process. The built-in csv import capability in Tryton can be used to import basic data such as users (see the Maestro project), but more complex importing (e.g. product attributes, Bills-of-Materials) must be done by coding using the Proteus library.

Load Users

To be completed – see Maestro project

Load Units of Measure

To be completed – see Maestro project

Load Suppliers

To be completed – currently loading individual suppliers manually.

Load Customers

To be completed – currently loading individual customers manually.

Load Products

To be completed – see Maestro project

Load Projects

To be completed.

Load Serialized Stock

To be completed.

Installing Tryton server on FreeBSD

This article is part of a series on the Tryton framework, to complement the Maestro project on GitHub. This article describes installing trytond, the Tryton server daemon, on FreeBSD.

Create a new server

I will be building a virtual server using VirtualBox on Windows 7, and later transfer the virtual server to a physical server using dump/restore, but these instructions generally apply to any installation.

First, download a FreeBSD-10.0-RELEASE ISO file. The “bootonly” ISO will download the fastest, but the virtual machine must have an active internet connection for install and the install will take the longest. The “dvd1” ISO will take longer to download, but the virtual machine will not need an active internet connection for install and the install will complete faster. Use the 64-bit “amd64” version instead of the 32-bit “i386” version on newer 64-bit compatible hardware.

Create a new virtual machine:

  • 1G RAM (host should have at least 4G)
  • may need to disable VT-x/AMD-V on older systems (e.g. Lenovo ThinkPad T61 and Dell Latitude D630 laptops).
  • configure bridged network connection (accessible from any system on local network) or NAT (accessible from the host only, with appropriate port forwarding – normally TCP port 8000 for Tryton, 22 for ssh and 5432 for PostgreSQL).

Install FreeBSD OS

Boot vm from boot CD/DVD and follow the standard install procedure, including creating an admin user and including it in the wheel group.

I generally use ssh keys only for remote login for security, and to avoid having to type passwords. Copy the public ssh key for the admin user to ~/.ssh, edit /etc/ssh/sshd_config to add “AllowUsers adminusername” (if I’m more interested in convenience than security I will also add “PermitRootLogin YES”), and restart sshd.
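A check for the sshd settings named here and in "Protecting a FreeBSD server" (key-only login, AllowUsers, PermitRootLogin), as an added example rather than the author's own script. The function names and the sample file are assumptions made for illustration; on a live system `sshd -T` prints the effective settings.

```shell
#!/bin/sh
# Added example: report sshd_config settings that undermine key-only login.

# first_value FILE KEYWORD
# sshd keeps the first value it reads for a keyword and treats keywords
# case-insensitively. Only the global section (before any Match block) is read.
first_value() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    /^[ \t]*#/ { next }                      # comment
    /^[ \t]*$/ { next }                      # blank line
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (!match(line, /[ \t=]+/)) next      # keyword without a value
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      sub(/[ \t]+$/, "", val)
      if (key == "match") exit
      if (key == want) { print val; exit }
    }' "$1"
}

# audit_sshd_config FILE -> prints findings, returns 1 if there are any
audit_sshd_config() {
  cfg=$1
  rc=0
  # Both must be "no": on FreeBSD, ChallengeResponseAuthentication lets PAM
  # ask for a password even when PasswordAuthentication is off.
  for kw in PasswordAuthentication ChallengeResponseAuthentication; do
    val=$(first_value "$cfg" "$kw" | tr 'A-Z' 'a-z')
    case $val in
      no) ;;
      '') echo "WARN: $kw is not set, so the compiled-in default applies"; rc=1 ;;
      *)  echo "FAIL: $kw $val permits login without a key"; rc=1 ;;
    esac
  done
  val=$(first_value "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
  case $val in
    no|without-password|prohibit-password|forced-commands-only) ;;
    '') echo "WARN: PermitRootLogin is not set, so the compiled-in default applies"; rc=1 ;;
    *)  echo "FAIL: PermitRootLogin $val lets root log in directly"; rc=1 ;;
  esac
  if [ -z "$(first_value "$cfg" AllowUsers)" ]; then
    echo "WARN: AllowUsers is not set, so every account may attempt to log in"; rc=1
  fi
  return $rc
}

# Constructed sample that uses the settings mentioned in the text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's configuration
PermitRootLogin YES
AllowUsers adminusername
PasswordAuthentication no
#ChallengeResponseAuthentication no
EOF
audit_sshd_config "$sample" || echo "review the findings above"
rm -f "$sample"
```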

Check for and install available FreeBSD OS updates, and install the pkg packaging system port. pkg is sometimes called “pkgng” to differentiate it from the older pkg_* packaging utilities, which will be removed in the next FreeBSD release.

# freebsd-update fetch
# freebsd-update install
# pkg update   

You can check the installed packages for reported vulnerabilities (-F is required for initial use only to download a new vulnerability database).

# pkg audit -F

Install PostgreSQL RDBMS

PostgreSQL files will be owned by user “pgsql”, who also owns the server process.

# pkg install postgresql93-server-9.3.4
# echo "postgresql_enable=YES" >> /etc/rc.conf
# /usr/local/etc/rc.d/postgresql initdb
# /usr/local/etc/rc.d/postgresql start

Edit /usr/local/pgsql/data/postgresql.conf and configure PostgreSQL to listen on all addresses (my vm will be on my test LAN, with no access from the internet).

listen_addresses = '*'

Edit /usr/local/pgsql/data/pg_hba.conf and add host connection permission. I’m going to allow access by all ipv4 addresses on my local LAN (your requirements may be different).

host all all <your-LAN-address/prefix> md5

Add a “tryton” super-user to PostgreSQL. You must be system root to do this.

# su pgsql
$ createuser -sdrP tryton
Enter password for new role:
Enter it again:
$ exit

The “tryton” super-user password will be entered in trytond.conf (the trytond daemon configuration file) and used by Tryton to manage its PostgreSQL databases.

Restart the PostgreSQL server.

# /usr/local/etc/rc.d/postgresql restart

You should now be able to connect to the PostgreSQL server (“-W” causes psql to prompt for the “tryton” user password).

# psql --username=tryton -W --list

If you edited postgresql.conf and pg_hba.conf as indicated here, you should now also be able to connect from a remote system (e.g. using pgAdmin).

Install trytond dependencies

Install the Python 2.7 package manager “pip” (Tryton does not support Python v3, although it is being worked on by the Tryton project team). Pkg will install Python and any other dependencies required by pip; pip will then be used to install Tryton Python package dependencies.

# pkg install py27-pip

Install FreeBSD package dependencies.

# pkg install libxml2
# pkg install libxslt
# pkg install py27-ldap2

py27-ldap2 is required for eventual user login authentication using an LDAP server.

Install the Graphviz FreeBSD package, required to display models and workflow graphs in the Tryton client.

# pkg install graphviz

Install the python virtualenv and virtualenvwrapper utilities using pip. virtualenv is a tool to create isolated Python environments. Its most basic use case is to easily create and tear down a trytond install without affecting other applications on the server. The more advanced use case is to support multiple versions of python, trytond and trytond modules for development and testing, without undesirable interactions with other server software.

# pip install virtualenv
# pip install virtualenvwrapper

I won’t be using virtualenv initially, but want it available for future use.

Some good virtualenv references I found:


Install the python hgnested package using pip. hgnested is a Mercurial DVCS add-on required for Tryton development, and will install mercurial as a dependency.

# pip install hgnested

Install the Python pydot package, the Python interface to Graphviz.

# pip install pydot

Install the Python psycopg2 package, the Python interface to PostgreSQL.

# pip install psycopg2

Install trytond

Create a trytond system user

A “tryton” system user is created to execute the trytond daemon. The tryton user's home directory (/home/tryton) will be configured as the root of the Tryton file system for storing document attachments.

root@casper:~ # adduser
Username: tryton
Full name: trytond system user
Uid (Leave empty for default):
Login group [tryton]:
Login group is tryton. Invite tryton into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]:
Home directory [/home/tryton]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: no
Username   : tryton
Password   : <disabled>
Full Name  : tryton system user
Uid        : 1002
Class      :
Groups     : tryton
Home       : /home/tryton
Home Mode  :
Shell      : /bin/sh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (tryton) to the user database.
Add another user? (yes/no): no

Create a Tryton log directory

# mkdir /var/log/trytond
# chown -R tryton:tryton /var/log/trytond

Create a json-rpc data directory

# mkdir /var/run/trytond
# chown -R tryton:tryton /var/run/trytond

Create trytond.conf

trytond.conf contains configuration parameters read by the Tryton server daemon trytond when it starts, and includes such site-specific data as:

  • computer addresses to respond to (jsonrpc).
  • username and password for the PostgreSQL “tryton” super-user.
  • Tryton “administrator” password (required to create, drop, backup or restore a database).
  • FreeBSD-specific directory paths.

Unfortunately, the pip install for trytond currently does not copy the default trytond.conf file in the package to a suitable location (or rather, to any location). Download the trytond server distribution from PyPi, extract and copy trytond/etc/trytond.conf to /usr/local/etc/trytond.conf.

Edit parameters in /usr/local/etc/trytond.conf using the following as reference:

jsonrpc = *:8000,
jsondata_path = /var/run/trytond

db_type = postgresql
db_host = localhost
db_port = 5432
db_user = tryton
db_password = appleton

admin_passwd = appleton

pidfile = /var/run/trytond/
logfile = /var/log/trytond/trytond.log

data_path = /home/tryton
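
The parameters above put the PostgreSQL super-user password and the Tryton admin password in one file that the tryton account must be able to read. The following check is an added example, not part of the original article or the Tryton project; the function names and sample values are assumptions, and it reads only keys shown above.

```shell
#!/bin/sh
# Added example: audit a trytond.conf that stores database and admin passwords.

# conf_value FILE KEY -> value of the last uncommented "KEY = value" line
conf_value() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }
    {
      eq = index($0, "=")
      if (!eq) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) found = v
    }
    END { print found }' "$1"
}

# audit_trytond_conf FILE -> prints findings, returns 1 if there are any
audit_trytond_conf() {
  conf=$1
  rc=0
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  perms=$(ls -ld "$conf" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL: group/other permissions on $conf are '$perms'; it holds db_password and admin_passwd"
    rc=1
  fi
  db=$(conf_value "$conf" db_password)
  adm=$(conf_value "$conf" admin_passwd)
  if [ -n "$db" ] && [ "$db" = "$adm" ]; then
    echo "FAIL: admin_passwd is the same as db_password"
    rc=1
  fi
  case $(conf_value "$conf" jsonrpc) in
    \**) echo "WARN: jsonrpc listens on all addresses; confirm the host is reachable only from the trusted LAN"
         rc=1 ;;
  esac
  return $rc
}

# Constructed sample with the same keys as the reference configuration.
demo=$(mktemp)
cat > "$demo" <<'EOF'
jsonrpc = *:8000
db_user = tryton
db_password = example-only
admin_passwd = example-only
EOF
chmod 644 "$demo"
audit_trytond_conf "$demo" || echo "findings reported for the constructed sample"
rm -f "$demo"
```

Because trytond is started as the tryton user, `chown tryton:tryton /usr/local/etc/trytond.conf` followed by `chmod 600` on the same file clears the permission finding without breaking startup.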

Create tryton rc script

An rc.d script will be created to manage starting and stopping trytond, and to start trytond after booting. I’m using a basic rc.d startup script created by Christoph Larsen for the GNU Health project, and added support for status reporting. Copy the following code to /usr/local/etc/rc.d/trytond


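#!/bin/sh
#
# PROVIDE: trytond
# Originally created by: Christoph H. Larsen

. /etc/rc.subr

name="trytond"
rcvar="trytond_enable"
# Assumed location of the pip-installed executable; confirm with "which trytond".
command="/usr/local/bin/trytond"

load_rc_config $name

: ${trytond_enable="NO"}
: ${trytond_user="tryton"}
: ${trytond_group="tryton"}

# Use the functions below in place of the rc.subr defaults.
extra_commands="status"
start_cmd="trytond_start"
stop_cmd="trytond_stop"
restart_cmd="trytond_restart"
status_cmd="trytond_status"

# Start trytond in the background as the unprivileged tryton user.
trytond_start() {
  su tryton -c "$command --config=/usr/local/etc/trytond.conf" &
}

# Stop trytond using the pid file under /var/run/trytond.
trytond_stop() {
  if [ -f /var/run/${name}/${name}.pid ]; then
    kill `cat /var/run/${name}/${name}.pid`
  fi
}

trytond_restart() {
  if [ -f /var/run/${name}/${name}.pid ]; then
    kill `cat /var/run/${name}/${name}.pid`
  fi
  sleep 1
  su tryton -c "$command --config=/usr/local/etc/trytond.conf" &
}

# Report whether the process named in the pid file is alive.
trytond_status() {
  if [ -f /var/run/${name}/${name}.pid ] && kill -0 `cat /var/run/${name}/${name}.pid` 2>/dev/null; then
    echo "${name} is running."
  else
    echo "${name} is not running."
    return 1
  fi
}

run_rc_command "$1"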

Make /usr/local/etc/rc.d/trytond executable

# chmod u+x /usr/local/etc/rc.d/trytond

Add trytond_enable to /etc/rc.conf

# echo "trytond_enable=YES" >> /etc/rc.conf

Install trytond and Tryton modules

trytond is the Tryton server daemon. I’ll use pip to install the latest release version of trytond.

# pip install trytond

In this context, installing Tryton modules means to install a module’s code onto the server from its source repository, which makes it available to use in a Tryton database.

Install the following modules using pip. Some modules will be installed as dependencies of others, so do not be concerned if pip reports a module has already been installed.

# pip install trytond_company
# pip install trytond_dashboard
# pip install trytond_product
# pip install trytond_product_attribute
# pip install trytond_production
# pip install trytond_project
# pip install trytond_project_plan
# pip install trytond_purchase
# pip install trytond_sale
# pip install trytond_stock
# pip install trytond_stock_lot
# pip install trytond_stock_split

I will eventually configure Tryton to authenticate users using an OpenLDAP server, and will install the necessary Tryton LDAP modules now.

# pip install trytond_ldap_connection
# pip install trytond_ldap_authentication

Start trytond

Start trytond using the rc script:

# /usr/local/etc/rc.d/trytond start

Once started, you can check if trytond is running with the status option:

# /usr/local/etc/rc.d/trytond status

or stop the server if needed:

# /usr/local/etc/rc.d/trytond stop

Create and configure a new Tryton database

Download and install the Tryton desktop client for your system. Launch the Tryton client and access menu: File > Databases > New database.

Enter the Tryton server admin password (“admin_passwd” in trytond.conf) in the password field, then click Change beside the IP address and change the address to that of your server.

You must enter the password first, before changing the server address, because the Tryton client will attempt to connect to the server immediately after the server address is changed, and will report “Unable to connect” if the admin password was not already entered.

Enter the name of the database to create (e.g. “scc”) and the admin password for the database, then click Create.

Login to the new database as user “admin” and the password you entered to create the database. The Module Configuration Wizard will run automatically after login to configure the new database.

  • Add user (e.g. “Dale Scott”, login “dale”), optionally add permissions (you may need to update user permissions after installing modules, so this is optional at this point),
    • add Permissions: “Administration” (which will be the only permission group available)
    • add Rule: Read, Write, Create, Delete, Model: View Search (which will be the only rule available)

Install Tryton modules into the database

Mark modules for install

The Tryton modules previously installed to the server will not be installed in a Tryton database.

In the Tryton client, access the menu: Administration > Modules > Modules. Mark the following modules for install (double-click in the Mark for Install column):

  • dashboard
  • product
  • product-attribute
  • production
  • project
  • project-plan
  • purchase
  • sale
  • stock
  • stock-lot
  • stock-split

Install marked modules

There are two ways to install the marked modules, you can either:

  • Select Launch Action icon in the Modules menu bar and then Perform Pending Installation/Upgrade, or
  • Execute the Perform Pending Installation/Upgrade Wizard from the main Tryton menu.

After the install/upgrade completes, the Module Configuration wizard runs and will query you to configure the installed modules.

Create a Company

A company is a type of ‘party’. To identify a party as a company in a new database you must first create a new party, then select it as the new company.

  • Name
    • Swift Construction Company
  • Addresses
    • Name: Default
    • Street: 1 Swift Way
    • Zip: 13054
    • City: Shopton
    • Country: United States
    • Subdivision: New York
  • Language
    • English

Configure Company

  • Enter Company > Currency
    • US Dollar
  • On the Company > Employees > Party view
    • select the new company (e.g. Swift Construction Company)
    • select Add

Create Chart of Accounts

  • Company: Swift Construction Company
  • Account Template: Minimal Account Chart
  • Create Default Properties
    • Default Receivable Account: Main Receivable
    • Default Payable Account: Main Payable

You will need to reload the menu in the Tryton client if it isn’t now displaying menu choices for the new modules (i.e. access menu: User > Menu Reload (Ctrl-T)).

The Tryton server has been installed and you can connect to it from a Tryton client. You have also created a new Tryton database with the modules necessary to implement Maestro workflows.


Update FreeBSD periodic databases

I don’t know if installing packages triggers the periodic databases to update, but since I often don’t run a virtual machine long enough to cross day, week or month boundaries (when they update automatically), I typically manually update them after major system changes.

# periodic daily
# periodic weekly
# periodic monthly