bbabbd5d2566d47d923d51dbe350634783455999 mspeir Sun Oct 26 12:14:52 2025 -0700 change soe to gi, refs #35031 diff --git src/hg/htdocs/goldenPath/help/mirrorManual.html src/hg/htdocs/goldenPath/help/mirrorManual.html index f5c3f75434d..516070ae300 100755 --- src/hg/htdocs/goldenPath/help/mirrorManual.html +++ src/hg/htdocs/goldenPath/help/mirrorManual.html @@ -1,2692 +1,2692 @@ <!DOCTYPE HTML> <!-- DO NOT EDIT THE HTDOCS VERSION OF THIS FILE. THIS FILE IS AUTOMATICALLY GENERATED FROM A MARKDOWN FILE IN kent/src/product. MAKE ANY EDITS TO THIS PAGE THERE, THEN RUN MAKE in kent/src/product/mirrorDocs, AND FOLLOW THE INSTRUCTIONS TO COMMIT THIS PAGE INTO git. Please read the file kent/src/product/Note-To-QA.txt for details. --> <!--#set var="TITLE" value="Genome Browser Manual Installation" --> <!--#set var="ROOT" value="../.." --> <!-- Relative paths to support mirror sites with non-standard GB docs install --> <!--#include virtual="$ROOT/inc/gbPageStart.html" --> <h1>Manual installation of the UCSC Genome Browser on a Unix server</h1> <h2>Contents</h2> <h6><a href='#overview-of-the-genome-browser-directories-and-databases'>Overview of the Genome Browser directories and databases</a></h6> <h6><a href='#software-requirements'>Software Requirements</a></h6> <h6><a href='#hardware-and-disk-space-requirements'>Hardware and disk space requirements</a></h6> <h6><a href='#installing-the-ucsc-genome-browser'>Installing the UCSC Genome browser</a></h6> <h6><a href='#mariadb-setup'>MariaDB Setup</a></h6> <h6><a href='#local-git-repository-aka-quotthe-source-treequot'>Local Git repository (aka: "the source tree")</a></h6> <h6><a href='#adding-your-own-track-groups-to-the-browser'>Adding your own track groups to the browser</a></h6> <h6><a href='#adding-your-own-tracks-to-the-browser'>Adding your own tracks to the browser</a></h6> <h6><a href='#adding-a-new-custom-non-ucsc-genome-to-the-browser'>Adding a new, custom (non-UCSC) genome to the browser</a></h6> <h6><a href='#modifying-the-source-code'>Modifying the source code</a></h6> <h6><a href='#custom-track-database'>Custom Track Database</a></h6> <h6><a href='#debugging-the-cgi-binaries'>Debugging the CGI binaries</a></h6> <h6><a href='#notes-on-security'>Notes on security</a></h6> <h6><a href='#proxy-support'>Proxy support</a></h6> <h6><a href='#support-for-cloud-urls'>Support for cloud URLs</a></h6> <h6><a href='#the-udc-local-cache-directory'>The UDC local cache directory</a></h6> <h6><a href='#activating-cram-support-for-the-genome-browser'>Activating CRAM support for the Genome Browser.</a></h6> <h6><a href='#using-freetype-font-support-for-anti-aliased-text'>Using FreeType font support for anti-aliased text</a></h6> <h6><a href='#building-the-kent-source-tree'>Building the kent source tree.</a></h6> <h6><a href='#adding-a-track-hub-to-your-hubpublic-table-so-it-appears-under-my-data-gt-track-hubs'>Adding a track hub to your hubPublic table so it appears under My Data > Track Hubs</a></h6> <h6><a href='#make-the-api-work-in-the-same-way-as-on-the-public-website'>Make the API work in the same way as on the public website</a></h6> <a name='overview-of-the-genome-browser-directories-and-databases'></a> <h2>Overview of the Genome Browser directories and databases</h2> <p> The genome browser requires only Apache and MariaDB and uses these directories: </p> <ul> <li>static html files: we typically keep them under /usr/local/apache/htdocs and configure Apache to load them from there, to avoid conflicts with the distribution of the Linux default location /var/www/html</li> <li>MariaDB databases: most of them are read-only, except the <code>hgcentral</code> database which is read-write. Most linux distributions keep these under /var/lib/mysql. (It is possible to get the genome browser to work with MySQL after version 8, but we do highly discourage it, as our download procedures use MyISAM .frm files which MySQL 8 dropped.)</li> <li>static genome data files in /gbdb/</li> <li>binary CGI programs that generate images from the MariaDB and /gbdb files and write them into the <code>trash</code> directory (see below). We modify our Apache config to load CGIs from /usr/local/apache/cgi-bin, so as to not conflict with the default directory of the Linux distribution</li> <li>a directory for temp files called <code>trash</code>, located in the parent directory of the CGI programs, usually /usr/local/apache/trash</li> <li>a small text file hg.conf in the same directory as the CGI programs, with information on how to connect to MariaDB, the location of the other directories and various other settings, on our machines the location of this file is /usr/local/apache/cgi-bin/hg.conf</li> <li>uploaded custom data gets written by the CGI programs into MariaDB databases in the database <code>customtrash</code> and also into files under /usr/local/apache/trash which is symlinked from /usr/local/apache/htdocs/trash so these files are accessible to Apache.</li> </ul> <p> When a web browser requests a Genome Browser page, typically /cgi-bin/hgTracks, Apache executes this CGI program. The programs then read information about how to connect to MariaDB using the file hg.conf, connects to MariaDB, reads the installed genome assemblies and the current user session from the MariaDB database hgcentral. For each genome assembly, there is a separate MariaDB database (e.g. hg38). Some types of data (e.g. raw genome sequences) are kept as indexed binary files outside of MariaDB, they are located in /gbdb, e.g. /gbdb/hg38. The location of the /gbdb directory can be changed with a setting in hg.conf. Some types of data are not specific for a genome, these are kept in the MariaDB databases hgFixed, proteome and visiGene. </p> <p> We strongly recommend to follow the default locations, and to place our CGI programs in <code>/usr/local/apache/cgi-bin</code>. The htdocs root directory for html files should then be in /usr/local/apache/htdocs. All Genome Browser components called from Apache get their settings from the central configuration file <code>/usr/local/apache/cgi-bin/hg.conf</code>. Among others, the location and the username/password for the MariaDB server is specified there. </p> <p> To load data into the genome browser databases, you need a command line tool like hgLoadBed. These tools are distributed separately from the CGI programs. Some tools create only MariaDB tables, others write into a /gbdb subdirectory. Most of them require a configuration file ~/.hg.conf in your home directory with the MariaDB connection information, like server name, username and password. The data loading is done from the Unix command line and not dependent on the CGI programs that create the Genome Browser graphics. </p> <a name='software-requirements'></a> <h2>Software Requirements</h2> <p> To run our provided binaries: </p> <ul> <li>Linux/Ubuntu/CentOS/Unix/MacOSX operating system</li> <li>Apache2.x - http web server - <a href='http://httpd.apache.org/' title=''>http://httpd.apache.org/</a></li> <li>MariaDB development system and libraries - <a href='http://mariadb.com/' title=''>http://mariadb.com/</a> (MySQL 8 removed support for MyISAM schema files, which makes downloading our data file very cumbersome and slow)</li> <li>libpng runtime and development packages - <a href='http://www.libpng.org/' title=''>http://www.libpng.org/</a></li> <li>libssl runtime and development packages - <a href='http://www.openssl.org/' title=''>http://www.openssl.org/</a></li> <li>Universally Unique Identifier library - <a href='http://e2fsprogs.sourceforge.net/' title=''>http://e2fsprogs.sourceforge.net/</a></li> </ul> <p> If you want to make modifications to our software, you need to compile it: </p> <ul> <li>gnu gcc - C code development system - <a href='http://www.gnu.org/software/gcc/' title=''>http://www.gnu.org/software/gcc/</a></li> <li>gnu make - <a href='http://www.gnu.org/software/make/' title=''>http://www.gnu.org/software/make/</a></li> </ul> <p> Optional: </p> <ul> <li>'ghostscript' ps to pdf converter - <a href='http://ghostscript.com' title=''>http://ghostscript.com</a></li> <li>'git' source code management: <a href='http://git-scm.com/downloads' title=''>http://git-scm.com/downloads</a></li> <li>'gmt' map plotting tools <a href='http://www.soest.hawaii.edu/gmt/' title=''>http://www.soest.hawaii.edu/gmt/</a></li> <li>'pstack' for stack traces</li> <li>'R' for the GTex track</li> <li>'python-mysqldb' for the gene interactions track (python2)</li> </ul> <p> It is best to install these packages with your standard operating system package management tools: </p> <ul> <li>Debian/Ubuntu: <code>apt-get install ghostscript apache2 mariadb-server gmt r-base uuid-dev libcurl4-openssl-dev</code></li> <li>Redhat/Fedora/CentOS: <code>yum install libpng12 httpd ghostscript GMT hdf5 R libuuid-devel libcurl-devel</code></li> </ul> <p> On newer distributions, python-mysqldb / MySQL-python is not available anymore. In this case, install python2, pip for it and then use pip to install the mysql library ("pip2 install MySQL-python"). See the file installer/browserSetup.sh for the commands. </p> <a name='hardware-and-disk-space-requirements'></a> <h2>Hardware and disk space requirements</h2> <p> We currently use the following hardware to support our website: </p> <ul> <li>24 CPUs and 128Gb of memory for each of the six machines</li> <li>16 CPUs, 64 Gb of memory for the MariaDB server</li> </ul> <p> The UCSC Genome Browser website experiences over one million hits per day. Your hardware requirements may be much less demanding and will depend upon how much traffic you expect for your mirror. </p> <p> Annotation database size differs a lot between the assemblies: The full size of the hg19 database in 2016 is 6 TB, for ce2 it is 5GB. It also depends on the tracks: The size of the hg19 annotations can be reduced to 2TB if you do not download any ENCODE tracks. The size of only the main gene and SNP annotations is around 5GB for hg19 and hg38. </p> <p> You can use the following command to get the size of the files for all of the assemblies, but it can also be modified to give the size for a particular assembly: </p> -<pre><code>rsync -hna --stats rsync://hgdownload.soe.ucsc.edu/gbdb/ | egrep "Number of files:|total size is"</code></pre> +<pre><code>rsync -hna --stats rsync://hgdownload.gi.ucsc.edu/gbdb/ | egrep "Number of files:|total size is"</code></pre> <p> For example, to get the size of all of the files for hg19, you would use the following command: </p> -<pre><code>rsync -hna --stats rsync://hgdownload.soe.ucsc.edu/gbdb/hg19/ | egrep "Number of files:|total size is"</code></pre> +<pre><code>rsync -hna --stats rsync://hgdownload.gi.ucsc.edu/gbdb/hg19/ | egrep "Number of files:|total size is"</code></pre> <p> After running that command, you should see output like this: </p> <pre><code>Number of files: 54886 total size is 6515.70G speedup is 5181080.38 (DRY RUN)</code></pre> <p> The next command will give you the size of the entire mySQL/MariaDB database, but can be changed to get the size for a particular assembly: </p> -<pre><code>rsync -hna --stats rsync://hgdownload.soe.ucsc.edu/mysql/ | egrep "Number of files:|total size is"</code></pre> +<pre><code>rsync -hna --stats rsync://hgdownload.gi.ucsc.edu/mysql/ | egrep "Number of files:|total size is"</code></pre> <a name='installing-the-ucsc-genome-browser'></a> <h2>Installing the UCSC Genome browser</h2> <p> <strong>Note:</strong> We offer Genome-Browser-in-the-Cloud (GBIC), an shell script that installs a genome browser in most main Linux distributions (Most Debian and Redhat-based ones, like Ubuntu and CentOS). GBIC is also available as a <a href='/goldenPath/help/docker.html' title=''>dockerfile</a>. See our <a href='https://genome.ucsc.edu/goldenPath/help/mirror.html' title=''>mirror page</a> for more general information. </p> <p> Scripts to perform all of the functions below can be found in the directory <a href='https://github.com/ucscGenomeBrowser/kent/tree/master/src/product/scripts' title=''>https://github.com/ucscGenomeBrowser/kent/tree/master/src/product/scripts</a>. In a git clone of the kent repository, the scripts are located in src/product/scripts. </p> <p> Confirm the following: </p> <ol> <li><p> Apache web server is installed and working, http://localhost/ provides the Apache default home page from your machine NOTE: The browser static html web pages require the Apache XBitHack option to be enabled to allow SSI <code>html</code> statements to function. Add 'Options +Includes' for your html directory, your httpd.conf file entry looks like: </p> <pre><code> XBitHack on <Directory /usr/local/apache/htdocs> Options +Includes </Directory></code></pre> <p> You can test your Apache cgi-bin/ directory by copying the script src/product/scripts/printEnv.pl into it. </p></li> <li><p> MariaDB database is installed and working </p> <pre><code>mysql -u browser -pgenome -e 'show tables;' mysql</code></pre> <p> MariaDB can be run from the command line, and the tables from the database MariaDB can be displayed. </p> <p> MariaDB development package is installed (mariadb-devel on RedHat) The directory: /usr/include/mysql/ has the mysql .h files And the library: /usr/lib/mysql/libmysqlclient.a exists (your exact pathnames may vary depending upon your installation) </p> <p> Set MySQL/MariaDB database access permissions. The examples mentioned in the "Mysql setup" section will allow this setup to function as described here. </p> <p> To setup the example user accounts as mentioned in these instructions, run the script: </p> <pre><code> ex.MySQLUserPerms.sh</code></pre></li> <li><p> Find the location of your Apache WEB server DocumentRoot and cgi-bin directory. Typical locations are: /var/www and /usr/local/apache, /var/www/html, /var/www/cgi-bin The directory where these are located is referred to as WEBROOT in this documentation: </p> <pre><code>WEBROOT=/var/www export WEBROOT</code></pre> <p> The browser WEB pages and cgi-bin binaries expect these two directories to be next to each other in ${WEBROOT} since referrals in html are often: "../cgi-bin" </p> <p> The browser should function even if WEBROOT is in a different directory from the primary Apache web root. In this case, the three directories: html cgi-bin and trash should be at the same level in this other WEBROOT. For example: </p> <pre><code>/some/other/directory/path/html/ /some/other/directory/path/cgi-bin/ /some/other/directory/path/trash/</code></pre> <p> Symlinks to the trash directory should exist from the html directory. As so: </p> <pre><code>/some/other/directory/path/html/trash -> ../trash</code></pre> <p> The actual trash directory can be somewhere else. If it is not in your Apache /var/www/trash/ directory, then create that symlink as well as the html/trash symlink. For example: </p> <pre><code>/var/www/trash -> /some/other/directory/trash /var/www/html/trash -> /some/other/directory/trash</code></pre></li> <li><p> Create html, cgi-bin and trash directories: </p> <pre><code>mkdir ${WEBROOT}/html mkdir ${WEBROOT}/cgi-bin chmod 755 ${WEBROOT}/cgi-bin</code></pre> <p> (this chmod 755 will prevent suexec failures that are indicated by "Premature end of script headers" errors in the Apache error_log. Your cgi binaries should also be 755 permissions.) </p> <pre><code>mkdir ${WEBROOT}/trash chmod 777 ${WEBROOT}/trash ln -s ${WEBROOT}/trash ${WEBROOT}/html/trash</code></pre> <p> The browser creates .png (and other) files in the trash directory. The 'chmod 777' allows the Apache WEB server to write into that directory. </p> <p> A cron job should be set to periodically clean the files in trash. See also, the two scripts here: </p> <pre><code> src/product/scripts/trashCleanMonitor.csh src/product/scripts/trashCleaner.csh</code></pre></li> <li><p> Download static WEB page content: See also: src/product/scripts/updateHtml.sh </p></li> <li><p> Copy CGI binaries: This set of binaries are for x86_64 types of Linux machines. If you need to instead build binaries for your platform, follow the instructions in the section "Building the kent source tree", below. </p> <p> See also: src/product/scripts/kentSrcUpdate.sh </p> -<pre><code>rsync -avP rsync://hgdownload.soe.ucsc.edu/cgi-bin/ ${WEBROOT}/cgi-bin/</code></pre></li> +<pre><code>rsync -avP rsync://hgdownload.gi.ucsc.edu/cgi-bin/ ${WEBROOT}/cgi-bin/</code></pre></li> <li><p> Create hgcentral database and tables. This is the primary gateway database that allows the browser to find specific organism databases. See also: scripts/fetchHgCentral.sh to fetch a current copy of hgcentral.sql </p> <pre><code>mysql -u browser -pgenome -e "create database hgcentral;" mysql -u browser -pgenome hgcentral < hgcentral.sql</code></pre> <p> Please note, it is possible to create alternative hgcentral databases. For example, for test purposes. In this case use a unique name for the hgcentral database, such as "hgcentraltest", and it can be specified in the hg.conf file as mentioned in the next step. To create a second copy of the hgcentral database: </p> <pre><code>mysql -u browser -pgenome -e "create database hgcentraltest;" mysql -u browser -pgenome hgcentraltest < hgcentral.sql</code></pre></li> <li><p> Create the hg.conf file in ${WEBROOT}/cgi-bin/hg.conf to allow the CGI binaries to find the hgcentral database </p> <p> Use the file here: ex.hg.conf as the beginning template for your system: </p> <p> Copy the sample hg.conf: </p> <pre><code>cp ex.hg.conf ${WEBROOT}/cgi-bin/hg.conf</code></pre> <p> Please edit this hg.conf file and set any parameters required for your installation. Use the comments in that file as your guide. </p> <p> Browser developers will want a copy of this file in their home directory with mode 600 and named: ~/.hg.conf </p> <p> These copies may have different db.user specification to allow developers write access to the database. </p></li> <li><p> Load databases of interest. See also: </p> <pre><code> src/product/scripts/activeDbList.sh src/product/scripts/minimal.db.list.txt src/product/scripts/loadDb.sh</code></pre> <p> And discussion in scripts/README about whether you can use directly the MariaDB binary database files, or if you need to download goldenPath database text dumps and load them into the database. If you use MariaDB, you can use the binary files, with MySQL >= 8 you need to use dumps, which is why we discourage the use of MySQL >= 8 with the Genome Browser. </p> <p> An alternative to loading the database tables from text files, is to directly rsync the MariaDB tables themselves and place them in your MariaDB /var/ directory. These tables are much larger than the text files due to the sizes of indexes created during a table load, but it can save a lot of time since the data loading step is quite compute intensive. A typical rsync command for an entire database (e.g. ce4) would be something like: </p> -<pre><code> rsync -avP --delete --max-delete=20 rsync://hgdownload.soe.ucsc.edu/mysql/ce4/ /var/lib/mysql/ce4/</code></pre></li> +<pre><code> rsync -avP --delete --max-delete=20 rsync://hgdownload.gi.ucsc.edu/mysql/ce4/ /var/lib/mysql/ce4/</code></pre></li> <li><p> Download extra databases to work with a full genome assembly such as human/hg38: hgFixed go140213 proteins140122 sp140122 Construct symlinks in your MariaDB data directory to use database names: go proteome uniProt for these database directories: </p> <pre><code>$ ls -og proteome go uniProt lrwxrwxrwx 1 8 Feb 26 11:39 go -> go140213 lrwxrwxrwx 1 14 Mar 27 12:01 proteome -> proteins140122 lrwxrwxrwx 1 8 Mar 27 12:01 uniProt -> sp140122 $ ls -ld go140213 proteins140122 sp140122 drwx------ 2 mysql mysql 4096 Feb 26 10:57 go140213 drwx------ 2 mysql mysql 4096 Aug 19 08:08 proteins140122 drwx------ 2 mysql mysql 4096 Mar 26 13:01 sp140122</code></pre> <p> These file names are data stamped YYMMDD to indicate changes over time as they are updated with new builds of the UCSC gene track. When a new UCSC gene track is released, fetch new databases and change the symlink. </p></li> <li><p> Copy the gbdb data to /gbdb - See also: </p> <pre><code>scripts/fetchFullGbdb.sh scripts/fetchMinimalGbdb.sh</code></pre></li> <li><p> The browser should now appear at the URL: </p> <pre><code>http://localhost/</code></pre> <p> Check your Apache error_log file for hints to solving problems. </p></li> <li><p> BLAT server setup: The blatServers table in the database hgcentral needs to have a fully qualified host name specified in the 'host' column. </p> <p> Educational and non-profit institutions are allowed to use blat free of charge. Commercial installations of the browser require a license for blat. See also: <a href='http://kentinformatics.com/index.html' title=''>http://kentinformatics.com/index.html</a> and: <a href='http://genome.ucsc.edu/license/' title=''>http://genome.ucsc.edu/license/</a> In the source tree: src/gfServer/README.blat </p></li> <li><p> Useful links: </p> <p> <a href='http://genomewiki.ucsc.edu/index.php/Category:Mirror_Site_FAQ' title=''>http://genomewiki.ucsc.edu/index.php/Category:Mirror_Site_FAQ</a> </p> <p> There are numerous README files in the source tree on a variety of specific subjects, e.g.: </p> <pre><code>./src/README ./src/product/README.* ./src/hg/makeDb/trackDB/README ./src/hg/makeDb/doc/make*.txt</code></pre></li> <li><p> Apache configuration: </p> <p> To lock down your trash directory from scanning via "indexes" enter the following in your httpd.conf: </p> <pre><code><Directory "/var/www/html/trash"> Options MultiViews AllowOverride None Order allow,deny Allow from all </Directory></code></pre> <p> The specified directory name is your apache: DocumentRoot/trash e.g. /usr/local/apache/htdocs/trash </p></li> </ol> <a name='mariadb-setup'></a> <h2>MariaDB Setup</h2> <ol> <li><p> Enable "LOAD DATA LOCAL INFILE": </p> <p> Set these in /etc/my.cnf or /etc/mysql/my.cnf: </p> <pre><code> [mysqld] local-infile=1 [client] local-infile=1</code></pre></li> <li><p> MariaDB Storage Engine: </p> <p> In recent versions of MySQL/MariaDB, the default storage engine has changed from myisam to innodb. However the myisam engine should be used with the UCSC Genome Browser. </p> <p> Set it in /etc/my.cnf or /etc/mysql/my.cnf: </p> <pre><code> [mysqld] default-storage-engine=MYISAM</code></pre> <p> Always restart your MariaDB server after making changes to these configuration files. </p></li> <li><p> Users: There are three cases of identity to consider when providing access to the MariaDB system for the browser CGI binaries and browser developers: </p> <ol> <li>A MariaDB user that needs read-only access to the genome databases. The browser CGI binaries require read-only access to the genome databases.</li> <li>A MariaDB user that has write permissions to one database. The CGI binaries require write permissions to one particular database (hgcentral) for maintaining user's cart information to store the user's browser cookie settings.</li> <li>A MariaDB user that has general write permissions to all browser and genome databases to be used by developers</li> </ol> <p> The cgi-bin binaries obtain the first two of these MariaDB identities from the text file: $WEBROOT/cgi-bin/hg.conf </p> <p> Developers of the browser databases obtain their MariaDB identities from a text file in their home directory: ~/.hg.conf Note the initial dot in the name: .hg.conf This file in a user's directory will specify a higher-privileged user to allow read/write access to the MariaDB databases. This file must be set to mode 600 to provide security of the user and password to the database: </p> <pre><code> $ chmod 600 ~/.hg.conf</code></pre> <p> All kent source code commands use this file to access the MariaDB databases. Since this file contains password information it requires the permissions to be set at 600 to keep it secret. The kent source code commands will enforce this access and not function unless it is set at 600 permissions. </p> <p> Therefore you will want to create three different MariaDB users for these purposes. </p> <p> The examples listed below are implemented in the shell script: src/product/scripts/ex.MySQLUserPerms.sh You can execute that script to set up these example users. </p> <p> An example full read/write access user: "browser", is created with the following procedure. </p> <p> For the following it is assumed that your root account has access to the MariaDB database. You should be able to perform the following: </p> <pre><code> $ export SQL_PASSWORD=mysql_root_password $ mysql -u root -p${SQL_PASSWORD} -e "show tables;" mysql</code></pre> <p> Create a MariaDB user called "browser" with password "genome" and give access to selected MariaDB commands for the following list of databases. When you add other databases, you will need to add these permissions to your databases. This procedure of adding permissions specifically for a set list of databases is a more secure method than allowing the MariaDB "browser" user to have access to any database. </p> <p> ( MySQL version 5.5 requires the LOCK TABLES permission here ) ( FILE, CREATE, DROP, ALTER, LOCK TABLES, CREATE TEMPORARY TABLES on ${DB}.* ) </p> <pre><code> for DB in cb1 hgcentral hgFixed hg38 proteins140122 sp140122 go140213 uniProt go proteome do mysql -u root -p${SQL_PASSWORD} -e "GRANT SELECT, INSERT, UPDATE, DELETE, \ FILE, CREATE, DROP, ALTER, CREATE TEMPORARY TABLES on ${DB}.* \ TO browser@localhost \ IDENTIFIED BY 'genome';" mysql done</code></pre> <p> The above granted permissions are recommended for browser developers. The WEB browser CGI binaries need SELECT, INSERT and CREATE TEMPORARY TABLES permissions. For example, you should create a special user for the browser genome databases only. In this example, user: "readonly" with password: "access" </p> <pre><code> for DB in cb1 hgcentral hgFixed hg38 proteins140122 sp140122 go140213 uniProt go proteome do mysql -u root -p${SQL_PASSWORD} -e "GRANT SELECT \ on ${DB}.* TO \ readonly@localhost IDENTIFIED BY 'access';" mysql done</code></pre> <p> Create a database to hold temporary tables: </p> <pre><code> mysql -u root -p${SQL_PASSWORD} -e "create database hgTemp" mysql -u root -p${SQL_PASSWORD} -e "GRANT SELECT, INSERT, \ CREATE TEMPORARY TABLES \ on hgTemp.* TO \ readonly@localhost IDENTIFIED BY 'access';" mysql</code></pre> <p> A third MariaDB user should be created with read-write access to only the hgcentral database. For example, a user: "readwrite" with password: "update" </p> <pre><code> for DB in hgcentral do mysql -u root -p${SQL_PASSWORD} -e "GRANT SELECT, INSERT, UPDATE, DELETE, \ CREATE, DROP, ALTER on ${DB}.* TO readwrite@localhost \ IDENTIFIED BY 'update';" mysql done</code></pre> <p> The cgi-bin binaries obtain their MariaDB identities from the hg.conf file in the cgi-bin directory. The file in this directory: src/product/ex.hg.conf demonstrates the use of the "readonly" user for genome database access and the "readwrite" user for hgcentral database access. </p></li> <li><p> The hgsql command: Developers can access the browser databases via the 'hgsql' command which can be built in the source-tree at: </p> <p> kent/src/hg/hgsql/ </p> <p> This 'hgsql' command provides a convenient front-end to the standard 'mysql' command by reading the user's ~/.hg.conf file to provide access to the browser databases with the appropriate identity. Each user creates a ~/.hg.conf file (same format as the above mentioned cgi-bin/hg.conf file) and the specified database user identity is used for accesses to the browser databases. </p> <p> This same function of reading ~/.hg.conf for database access is built into all the source-tree binaries which modify the genome databases. </p> <p> The above example hg.conf could be used as a user's ~/.hg.conf file with the change of db.user, db.password, central.user, and central.password to be the fully permitted read-write user: </p> <pre><code> db.user=browser db.password=genome central.user=browser central.password=genome central.db=hgcentral</code></pre> <p> To test this access with your ~/.hg.conf file in place: </p> <pre><code> hgsql -e "show tables;" hgcentral hgsql -e "show grants;" hgcentral</code></pre></li> <li><p> Configuring MariaDB SSL connections (entirely optional, only needed if your IT department requires it): </p> <p> MariaDB is typically compiled with SSL capability from OpenSSL or yaSSL. To see if your server supports ssl, login to MariaDB and run this command: </p> <pre><code> mysql> show variables like '%ssl%'; +---------------+----------+ | Variable_name | Value | +---------------+----------+ | have_openssl | DISABLED | | have_ssl | DISABLED | | ssl_ca | | | ssl_capath | | | ssl_cert | | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | | +---------------+----------+</code></pre> <p> If your MariaDB was compiled with SSL support, which is true of virtually all MariaDB packages being provided today, you can easily enable SSL by adding settings to /etc/my.cnf: </p> <pre><code> ------- my.cnf: ------- [mysqld] ssl ssl-key=/somepath/server-key.pem ssl-cert=/somepath/server-cert.pem ssl-ca=/somepath/ca.pem ssl-capath=/somepath/ ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA # mysql 5.6.3 or later ssl-crl=/someCrlPath/some-crl.pem ssl-crlpath=/someCrlPath/ # mysql5.7 or later require all connections to be encrypted require_secure_transport server </code></pre> <p> After making changes to my.cnf, be sure to restart your mariadb service. </p> <p> The key means private key here, and should be kept secured. The cert is a certificate acting like a public key, signed by a trusted authority (CA). </p> <p> If a key and cert are available, that means you can authorize. And it proves the key exists. The key is not sent to the other party. The cert is. If a ca is available it can show what certs to trust. </p> <p> You do not need all the settings, but some versions of MariaDB do not activate SSL unless at least one of these is found: key, cert, ca, capath, cipher If you configure a key for the server or client, you will also provide its cert. </p> <p> We cannot teach you how to create SSL certificates here. There are many websites including MariaDB that have information about making keys and certs and ca. </p> <p> If you just add the ssl option to the top, it will try to use SSL, or make it available. </p> <p> The ca is the certificate authority cert that you are using. It could be just a local self-signed authority you made up, or it can be a commercial authority like veriSign. This typically is used to sign the certificate for the server and users. The capath is a directory where ca-certs exist (OpenSSL only). </p> <p> The crl is a certificate revocation list. (OpenSSL only). The crlpath is a directory where revocation lists exist (OpenSSL only). This crl options are a new feature in 5.6.3, not sure it works right yet. </p> <p> After making a key for the server, and signing a cert for it with ca, you can create SSL connections. </p> <p> Do not specify a passphrase when creating your server keys. </p> <p> The cipher setting is a colon-separated list of SSL ciphers that are supported. </p> <p> The security files like certs etc. that are specified in the above settings must be readable by the unix account that mysqld runs under, default is "mysql". </p> <p> SELinux or apparmor may block access to certain locations. /etc/mysql is the default location for .pem files on some platforms. </p> <p> yaSSL, which is still often used with the MySQL Community Edition, expects keys to be in the PKCS #1 format and doesn't support the PKCS #8 format used by OpenSSL 1.0 and newer. You can convert the key to the old format using openssl rsa: openssl rsa -in key_in_pkcs1_or_pkcs8.pem -out key_in_pkcs1.pem </p> <p> yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate file and that each certificate in the file has a unique SubjectName value. To work around this limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option. For example, </p> <pre><code> cd my-certs-dir cat ca-cert.pem server-cert.pem (etc) > yaSSL-ca-cert.pem chmod +r yaSSL-ca-cert.pem</code></pre> <p> Now use my-certs-dir/yaSSL-ca-cert.pem for certificate authority (ca) for clients. </p> <p> These are the SSL settings which can be placed into your hg.conf for CGIs or .hg.conf for utility programs: </p> <pre><code> db.key=/sompath/someuser-key.pem db.cert=/sompath/someuser-cert.pem db.ca=/somepath/ca.pem db.caPath=/somepath db.crl=/someCrlPath/some-crl.pem db.crlPath=/someCrlPath/ db.verifyServerCert=1 db.cipher=DHE-RSA-AES256-SHA:AES128-SHA</code></pre> <p> The key and certificate for "someuser" above are signed by a ca. </p> <p> The verifyServerCert setting if it exists tells the client to verify that the CN field in the server's cert matches the hostname to which it is connecting. This prevents Man-In-the-Middle attacks. </p> <p> The caPath and crlPath options only work with OpenSSL. </p> <p> The example shows the most common use for the profile "db". But the SSL settings work with any profile in the hg.conf file. </p> <p> Of course you can stick SSL settings into your [client] section of my.cnf, but the CGIs and utils would not see them. Only mysql and hgsql would see them. </p> <p> Configuring SSL requirements for MariaDB user accounts: </p> <p> You can tell MariaDB to require SSL for a user's account like this: </p> <pre><code> GRANT ALL PRIVILEGES ON *.* TO 'someuser'@'%' REQUIRE SSL;</code></pre> <p> You can tell MariaDB to use SSL for a user's account and to further require the client to use their key and x509 certificate to connect by saying: </p> <pre><code> GRANT ALL PRIVILEGES ON *.* TO 'someuser'@'%' REQUIRE x509;</code></pre> <p> There are more-specific requirements that may be added: </p> <pre><code> GRANT ALL PRIVILEGES ON *.* TO 'someuser'@'%' REQUIRE SUBJECT '/C=US/ST=CA/L=Santa Cruz/O=YourCompany/OU=YourDivision/CN=someuser/emailAddress=someuser@YourCompany.com' AND ISSUER '/C=US/ST=CA/L=Santa Cruz/O=YourCompany/OU=YourDivision/CN=YourCompanyCA/emailAddress=admin@YourCompany.com' AND CIPHER 'DHE-RSA-AES256-SHA';</code></pre> <p> You can see the cert details like this: openssl x509 -in /somepath/someuser-cert.pem -text </p> <p> In later versions of MariaDB, it is a requirement that the CN of the CA cert must DIFFER from the CN of the user and server certs. </p> <p> Further MySQL SSL documentation is available from <a href='https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html' title=''>https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html</a> </p></li> </ol> <a name='local-git-repository-aka-quotthe-source-treequot'></a> <h2>Local Git repository (aka: "the source tree")</h2> <p> Use the following procedures to create your own personal copy of the kent source tree where you can have your own edits that are not part of the development at UCSC This is useful for mirror sites that have their own customizations in the source tree for local circumstances. It will also be necessary if you want to add your own tracks to your mirror (see next section). </p> <p> Install Git software version 1.6.2.2 or later. See the Git Community Handbook installation (<a href='https://git-scm.com/book/en/v2/Getting-Started-Installing-Git' title=''>https://git-scm.com/book/en/v2/Getting-Started-Installing-Git</a>) and setup (<a href='https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup' title=''>https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup</a>) instructions, as well as our Installing Git (<a href='http://genomewiki.ucsc.edu/index.php/Installing_git' title=''>http://genomewiki.ucsc.edu/index.php/Installing_git</a>) Genomewiki page. </p> <p> Start an initial Git local repository: </p> <pre><code>git clone git://genome-source.soe.ucsc.edu/kent.git</code></pre> <p> or, if a firewall prevents git daemon port 9418, use: </p> <pre><code>git clone http://genome-source.soe.ucsc.edu/kent.git</code></pre> <p> The kent source tree will be imported to the current working directory in a directory named ./kent/. </p> <p> Track the beta branch at UCSC repository: Most users want to use the beta branch, which has tested, released versions of the browser. To create a beta tracking branch: </p> <pre><code>cd kent git checkout -t -b beta origin/beta</code></pre> <p> The -b creates a local branch with name "beta", and checks it out. The -t makes it a tracking branch, so that 'git pull' brings in updates from origin/beta, the "real" beta branch in our public central read-only repository. </p> <p> To get the latest UCSC release, from anywhere within the kent source tree: </p> <pre><code>git pull</code></pre> <p> Updates: UCSC generally updates the origin/beta branch every three weeks. If you are updating database tables for a mirror site, we recommend that you update the source at the same time, as source code is sometimes modified to include operations on new columns that have been added to database tables. </p> <p> For instructions on keeping local tracks separate from UCSC Genome Browser tracks created at UCSC and mirrored from there, see the section "Adding tracks to the browser" below. </p> <a name='adding-your-own-track-groups-to-the-browser'></a> <h2>Adding your own track groups to the browser</h2> <p> If you want to add your own tracks (see next section), you probably want to put them into a separate track group, so they are visually separated from the tracks provided by UCSC. </p> <p> The MariaDB table <code>grp</code> contains the list of all track groups. If you rsync the data from UCSC on a regular schedule, the table would be overwritten each time. To avoid this, you can create an empty table with the same schema, e.g. in the database hg38: </p> <pre><code>CREATE TABLE grp_local LIKE grp;</code></pre> <p> You can then use the MariaDB INSERT statement to add a new track group to this table, specify the name, label, priority and whether the group should be closed by default (most are open by default). </p> <pre><code>INSERT INTO grp_local VALUES ('test', 'This is my group', 1, 0);</code></pre> <p> Then, edit cgi-bin/hg.conf and add a line like this: </p> <pre><code>db.grp=grp_local,grp</code></pre> <p> This means that grp_local is added to the contents of grp and grp_local has higher priority, so you can override the UCSC-provided default groups, if needed. </p> <p> This will not have any effect yet. First you need to add a new track that uses your new group. You can use your new group's <code>name</code> using the "group" statement in trackDb (see the next section). </p> <p> All tracks with a group not in the grp table will end up in the group "Experimental" at the bottom of the page. </p> <a name='adding-your-own-tracks-to-the-browser'></a> <h2>Adding your own tracks to the browser</h2> <p> A track needs two items to make it exist in the browser: </p> <ol> <li>A database table with the track data</li> <li>An entry in a database table: trackDb_localTracks Built from track specifications in your trackDb.ra file. The format of the trackDb.ra file is explained at <a href='http://genome.ucsc.edu/goldenPath/help/trackDb/trackDbDoc.html' title=''>http://genome.ucsc.edu/goldenPath/help/trackDb/trackDbDoc.html</a> The correspondence between the database table and the trackDb.ra definition is in the name used on the 'track' line in the trackDb.ra file. Your database table name is defined by the 'track' definition line.</li> </ol> <p> To direct the genome browser to this trackDb_localTracks table to use as extra trackDb definitions, add this line to your cgi-bin/hg.conf file: </p> <pre><code>db.trackDb=trackDb_localTracks,trackDb</code></pre> <p> The order matters. Any definitions for tracks in trackDb_localTracks will override any definitions for the same named tracks in trackDb. You can then override the standard definitions for UCSC-defined tracks. The usual case will be that your tracks are unique to your local installation. </p> <p> Almost all of the database tables have specific loader programs to load the track data. The loader programs also verify the data before it is added to the table, and they create the proper indexes on the table to allow efficient display by the genome browser. </p> <p> By far the most common format of track data is the BED format. See also: <a href='http://genome.ucsc.edu/FAQ/FAQformat.html#format1' title=''>http://genome.ucsc.edu/FAQ/FAQformat.html#format1</a> for a description of BED file formats. </p> <p> A typical BED file format is loaded into a database table with the loader: hgLoadBed For example, to load the data from the file: data.bed into the table named: bedExample </p> <pre><code>hgLoadBed hg17 bedExample data.bed</code></pre> <p> You then add a section that starts with the line "track bedExample" to your trackDb.ra file, run hgTrackDb to create the trackDb_localTracks database table and the table should appear, as long as trackDb_localTracks has been added to hg.conf as explained before. </p> <p> There are a variety of file formats: GFF, GTF, PSL, WIG, MAF as well as a variety of specialized data types. All the loader programs can be seen in the source tree as subdirectories in: src/hg/makeDb/ </p> <pre><code>cd src/hg/makeDb ls -d hg*</code></pre> <p> The build instructions for the browser code do not include instructions for building all of the loaders, or other utilities in the kent source tree. This is because there are literally hundreds of utilities, 345 at last count, that are not needed for ordinary browser development. In most cases a developer will need only a couple of the loaders and utilities. Since the libraries were built for the CGI binaries, to build any utility or loader, simply go into its directory and run a 'make'. If you do not have the kent tree source repository cloned with git yet onto your own disk, please go back to the previous section and do that now. </p> <p> For our purposes here, we need for example, for BED format tracks: </p> <ol> <li>hgLoadBed</li> <li>hgTrackDb</li> <li>hgFindSpec</li> </ol> <p> To build the three loaders mentioned, go to the three directories in the kent git source repository: </p> <pre><code>src/hg/makeDb/hgTrackDb/ src/hg/makeDb/hgFindSpec/ src/hg/makeDb/hgLoadBed/</code></pre> <p> And run a 'make' in each one. The resulting binary is placed in: \(HOME/bin/\)MACHTYPE This binary directory should be in your PATH, or make this directory be a symlink to some binary directory that is in your PATH and you have write permission to. </p> <p> See also: new assistant scripts as of March 2010 in the src/product/scripts/ directory here to fetch and build the source tree. </p> <p> If you want to build all the utilities and all database loaders now, perform the following 'make' commands in your source tree: </p> <pre><code>cd src make clean make libs cd hg make cd ../utils make</code></pre> <p> This builds everything cleanly, all CGI binaries, all database loaders, all utilities. Perform this sequence each time you do a 'git pull' on your source tree. The 'make clean' step is especially important since the makefile hierarchy does not have built in dependencies and will not rebuild items that depend upon each other. The traditional dependency on the source tree libraries is taken care of because a make in any directory that produces a binary will always re-link the binary every time, thus always picking up any potentially new library. </p> <p> With those three loader programs built, you can now load BED format tracks, and build the trackDb_localTracks table as mentioned next. </p> <p> The hgTrackDb and hgFindSpec loaders are used to build the trackDb and hgFindSpec tables in the database. You can obtain example trackDb entries from the source tree hierarchy: src/hg/makeDb/trackDb/ in any of the *.ra files. And you will need to refer to the README file in that directory for information about options you can use with each track type or use our full trackDb.ra documentation at <a href='http://genome.ucsc.edu/goldenPath/help/trackDb/trackDbDoc.html' title=''>http://genome.ucsc.edu/goldenPath/help/trackDb/trackDbDoc.html</a>. </p> <p> To work independently of the UCSC source tree, establish your own trackDb.ra files outside the UCSC source tree in a directory of your choice under your control. Then, to load them into the database, run the hgTrackDb command with this simple makefile in the directory where your .ra file exists: </p> <pre><code>trackDbSql=/path/to/kent/source/tree/src/hg/lib/trackDb.sql DB=hg19 all:: hgTrackDb . ${DB} trackDb_localTracks ${trackDbSql} .</code></pre> <p> This hgTrackDb command reads your trackDb.ra file and converts it into row entries for each track specified in it into row contents in this new table trackDb_localTracks. </p> <p> The DB= specification is your database of interest, this example: hg19 This loads your local specific table trackDb_localTracks in the database. This name trackDb_localTracks is not special, just different than the ordinary trackDb table. It should have some meaning to anyone in your environment and not be the same name as any UCSC database table. The two '.' arguments in the command above refer to directory names. Since you have no hierarchy of levels in this single directory, unlike in the source tree trackDb hierarchy, the '.' arguments refer to the current directory. </p> <p> See also: </p> <ul> <li>A similar overview: <a href='http://genomewiki.ucsc.edu/index.php/Local_tracks_at_mirror_sites' title=''>http://genomewiki.ucsc.edu/index.php/Local_tracks_at_mirror_sites</a></li> <li>TrackDb.ra track configuration format: <a href='http://genome.ucsc.edu/goldenPath/help/trackDb/trackDbDoc.html' title=''>http://genome.ucsc.edu/goldenPath/help/trackDb/trackDbDoc.html</a></li> </ul> <a name='adding-a-new-custom-non-ucsc-genome-to-the-browser'></a> <h2>Adding a new, custom (non-UCSC) genome to the browser</h2> <p> Please note that setting up an <a href='assemblyHubHelp.html' title=''>assembly hub</a> is a lot easier than adding a genome to a local mirror. </p> <p> The browser can be made to operate with a bare minimum of tables for the purpose of demonstrating the CGI binaries are functioning. </p> <p> The only tables you need to load for this are: </p> <ol> <li>all tables in the hgcentral database</li> <li>six tables in the human genome</li> </ol> <p> Create an empty hgcentral database: </p> <pre><code>$ hgsql -e "create database hgcentral;" mysql</code></pre> <p> Load all tables into the hgcentral database. Copy all the mysql data files from </p> -<pre><code>rsync -avP rsync://hgdownload.soe.ucsc.edu/mysql/hgcentral/ .</code></pre> +<pre><code>rsync -avP rsync://hgdownload.gi.ucsc.edu/mysql/hgcentral/ .</code></pre> <p> directly into the MySQL data area for your hgcentral database. (something usually like /var/lib/mysql/hgcentral/) </p> <p> Or load this database with mysql/hgsql commands and the hgcentral.sql text file dump of these tables from: </p> -<pre><code>rsync -avP rsync://hgdownload.soe.ucsc.edu/genome/admin/hgcentral.sql .</code></pre> +<pre><code>rsync -avP rsync://hgdownload.gi.ucsc.edu/genome/admin/hgcentral.sql .</code></pre> <p> And then six tables for the latest human database. </p> <p> The gateway page always needs a minimum human database in order to function even if the browser is being built for the primary purpose of displaying other genomes. This default can currently be changed in the source tree in src/hg/lib/hdb.c (to be done: specify this default in hg.conf file) </p> <p> Start with an empty database, for example hg18: </p> <pre><code>hgsql -e "create database hg18;" mysql</code></pre> <p> Again, copy the MariaDB files directly from the download server, for example hg18: </p> -<pre><code>rsync -avP rsync://hgdownload.soe.ucsc.edu/mysql/hg18/ .</code></pre> +<pre><code>rsync -avP rsync://hgdownload.gi.ucsc.edu/mysql/hg18/ .</code></pre> <p> (beware, this is several TB of data) into your MariaDB data area. Or load these tables from the text SQL dumps from: </p> -<pre><code>rsync -avP rsync://hgdownload.soe.ucsc.edu/goldenPath/hg18/database/ .</code></pre> +<pre><code>rsync -avP rsync://hgdownload.gi.ucsc.edu/goldenPath/hg18/database/ .</code></pre> <p> (beware, this is several TB of data) </p> <p> The minimal set of tables required are: </p> <pre><code>grp trackDb hgFindSpec chromInfo gold gap</code></pre> <p> With this set of six tables the gateway page will begin to function and the browser page and table browser will function. Other browser functions are not ready yet without additional tables and databases. This is a bare minimum just to demonstrate the CGI binaries are working. </p> <p> This will all work even without copying any files for the /gbdb/ data area, although most functions will not work, such as fetching the DNA sequence from a browser view. The DNA sequence for an assembly is found in, for example hg18: /gbdb/hg18/nib/chr*.nib Some assemblies have all the DNA sequence in a single .2bit file, for example: /gbdb/mm8/mm8.2bit </p> <a name='modifying-the-source-code'></a> <h2>Modifying the source code</h2> <p> If you want to make changes to the source code, contact us first via the mailing list, to make sure that there is no option in development or an undocumented way to solve your problem. </p> <p> If you need to change the code, make sure to isolate your changes into a single function, if possible. Using git, merge your branch into our "beta" branch, ideally for every release, then recompile. If your changes could be useful for someone else, and you are getting tired of updating them to keep up with our changing code base, consider submitting them as a pull request, so we can integrate it into the main code base and you do not have to worry about updating them anymore. </p> <p> Once you have git setup properly, merging your changes into our current release should be as easy as this: </p> <pre><code>git pull # get new version git checkout beta # switch to our stable branch git merge myChangesBranch # merge your changes into the beta branch make -j 20 cgi-alpha # compile and put CGIs into /usr/local/apache/cgi-bin</code></pre> <a name='custom-track-database'></a> <h2>Custom Track Database</h2> <p> Without any specific hg.conf configuration, custom track data is kept in flat files in the /trash/ct/ directory. It is much more efficient to load them into a MariaDB database. This article discusses the steps required to enable this function. </p> <ol> <li><p> Summary configuration </p> <ul> <li>database loader binaries hgLoadBed, hgLoadWiggle and wigEncode are installed in /cgi-bin/loader/ - these are installed via the normal 'make cgi' in the source tree kent/src/hg/ directory or via rsync. They are probably aleady in your cgi-bin directory.</li> <li>an empty customTrash database has been created on the MariaDB host - create this manually once, the MariaDB host name is a configuration item, the database name customTrash is not a configuration item</li> <li>temporary read-write data directory /data/tmp has been created with read/write/delete enabled for the Apache server effective user, this directory name is a configuration item</li> <li>configuration items are specified in /cgi-bin/hg.conf/ - this will turn on the function</li> <li>for command line access to the database, create a special ~/.hg.ct.conf to be used with the environment variable HGDB_CONF</li> <li>create a cron job to run a cleaner script to expire and remove older tables from the database - dbTrash command is used for this purpose</li> </ul></li> <li><p> Host and database name </p> <p> For performance and security considerations, the MariaDB host for the custom track database can be a separate machine from the ordinary MariaDB host that usually serves up the assembly databases or the hgcentral database. It is not required that the custom track database be on a separate MariaDB server. The specification of the host machine is placed in the /cgi-bin/hg.conf file, for example a host machine called "ctdbhost": </p> <pre><code> customTracks.host=ctdbHost</code></pre> <p> The database name used on this host is fixed at customTrash which is a define in the source tree file hg/inc/customTrack.h </p> <p> Edit /cgi-bin/hg.conf configuration items: </p> <p> The following items must be specified in /cgi-bin/hg.conf to enable this function: </p> <pre><code> customTracks.host=ctdbhost customTracks.user=ctdbuser customTracks.password=ctdbpasswd customTracks.useAll=yes</code></pre> <p> Establish this user account and password in MariaDB with db and user privileges: </p> <p> Select, Insert, Update, Delete, Create, Drop, Alter, Index for example with your MariaDB root user account: </p> <pre><code> hgsql -hctdbhost -uroot -p -e \ "GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX" \ on customTrash.* TO ctdbuser@yourWebHost IDENTIFIED by 'ctdbpasswd';" mysql</code></pre> <p> Optionally, a temporary read-write directory used during database loading can be specified: </p> <pre><code> customTracks.tmpdir=/data/tmp</code></pre> <p> The default for this is /data/tmp and should be created with read/write/delete access for the Apache server effective user. It should be on a local filesystem for best access speed, not via NFS. </p></li> <li><p> Database loaders: </p> <p> The database loaders used to load custom tracks are the standard loader commands found in the source tree, hgLoadBed, hgLoadWiggle and wigEncode. They are installed into /cgi-bin/loader/ with a 'make cgi' from the source tree directory kent/src/hg/ These loaders are used by the cgi binaries hgCustom, hgTracks, and hgTables to load custom tracks into the database. They are operated in an exec'd pipeline fashion, the code details can be see in src/hg/lib/customFactory.c </p></li> <li><p> Command line access: </p> <p> Since the MariaDB host may be different than your ordinary MariaDB host, you will need to create a unique $HOME/.ct.hg.conf file to be used in the case where you want to manipulate this separate database with the kent source tree command line tools. This unique .ct.hg.conf is merely a copy of your normal .hg.conf file but with a different host/username/password specified: </p> <pre><code> db.host=ctdbhost db.user=ctdbuser db.password=ctdbpasswd central.db=hgcentral</code></pre> <p> Remember to set the privileges on this hg.conf file at 600: </p> <pre><code> chmod 600 $HOME/.ct.hg.conf</code></pre> <p> To enable the use of this file for subsequent command line operations, set the environment variable HGDB_CONF to point to this file, for example in the bash shell: </p> <pre><code> export HGDB_CONF=$HOME/.ct.hg.conf</code></pre> <p> With that in place, you can examine the contents of the customTrash database: </p> <pre><code> hgsql -e "show tables;" customTrash</code></pre> <p> This unique hg.conf file will also be used by the cleaner command dbTrash </p></li> <li><p> Cleaner script </p> <p> The database and the temporary data directory /data/tmp need to be kept clean. This is similar to the current cleaner script you have running on your /trash filesystem. In this case there is a specific source tree utility used to access and clean the database. The temporary data directory /data/tmp would stay clean if each and every loaded custom track was successfully loaded. In the case of badly formatted or illegal data submitted for the custom track, the database loaders do not remove their temporary files from /data/tmp This /data/tmp directory can be kept clean with, for example, an hourly cron job that performs: </p> <pre><code> find /data/tmp -type f -amin +10 -exec rm -f {} \;</code></pre> <p> This would remove any file not accessed in the past 10 minutes. </p> <p> The database cleaner command dbTrash should be run as a cron job encapsulated in a shell script something like this, which maintains a record of items cleaned to enable later analysis of custom track database usage statistics: </p> <pre><code> #!/bin/sh DS=`date "+%Y-%m-%d"` YYYY=`date "+%Y"` MM=`date "+%m"` export DS YYYY MM mkdir -p /data/trashLog/ctdbhost/${YYYY}/${MM} RESULT="/data/trashLog/ctdbhost/${YYYY}/${MM}/${DS}.txt" export RESULT /cluster/bin/x86_64/dbTrash -age=48 -drop -verbose=2 > ${RESULT} 2>&1</code></pre> <p> Running this once a day will remove any tables not accessed within the past 48 hours. The dbTrash command is found in the source tree in kent/src/hg/dbTrash </p> <p> The /trash directory can be kept clean with the following two commands, one to implement an 8 hour expiration time on most files, the second to implement a 48 hour expiration time on custom track files: </p> <pre><code> find /trash \! \( -regex "/trash/ct/.*" -or -regex "/trash/hgSs/.*" \) \ -type f -amin +480 -exec rm -f {} \; find /trash \( -regex "/trash/ct/.*" -or -regex "/trash/hgSs/.*" \) \ -type f -amin +2880 -exec rm -f {} \;</code></pre></li> <li><p> metaInfo and history </p> <p> You will note two special and persistent tables in the customTrash database: metaInfo and history. The metaInfo table records a time of last use for each custom track table and a useCount for statistics. The time of last use is used by the cleaner utility dbTrash to expire older tables. The history table is the same as the history table in the normal assembly databases. The loader commands, hgLoadBed and hgLoadWiggle record into the history table each time they load a track. The cleaner command dbTrash also records in the history table statistics about what it is removing. </p></li> <li><p> Turning On Considerations </p> <p> Please note, if there are currently existing custom tracks in /trash/ct/ files, at the time of adding the configuration items to /cgi-bin/hg.conf/ those existing tracks will be converted to database versions upon their next use by the user. Therefore, to enable this function on the round-robin WEB servers, we will need to do the update to /cgi-bin/hg.conf in as much a simultaneous manner as possible. Perhaps something like a shell script to do eight background rsync's all at the same time. </p></li> <li><p> Use of trash files with the database on </p> <p> When the custom tracks database is in use, there are still small files kept in /trash/ct which become the reference pointers to the actual database tables belonging to that custom track. The standard trash cleaner script should still be kept running to clean these files. </p></li> <li><p> Known difficulties </p> <p> For the case of a custom track submission that contains more than one track set of data, in the case where one of the sets of data is illegal and causes a loading problem, even though some sets of data may have loaded successfully, the submitting user will see an error about the corrupted data, and they would need to correct their data submission to get all tracks successfully loaded. </p> <p> It remains to be seen just how good the error reporting system is for illegal data. </p></li> </ol> <a name='debugging-the-cgi-binaries'></a> <h2>Debugging the CGI binaries</h2> <p> The typical sign of trouble is an Error 500 display in your web browser when accessing the CGI binaries, and the following message in your Apache error log: </p> <pre><code>[Fri Mar 25 11:02:40 2005] [error] Premature end of script headers: hgTracks</code></pre> <p> This is usually a simple configuration problem. Items to verify: </p> <ol> <li>the hg.conf file in the cgi-bin directory specifies the correct user names and passwords for MariaDB database access. See also the section "MariaDB Setup" below.</li> <li>The cgi-bin directory is set to permissions 755 and not 775 or 777 When permissions are too permissive for this directory, Apache errors out with suexec permission violations.</li> <li>Verify change history of the database hgcentral. Rarely, changes in this database require corresponding changes in the source code. Make sure your code and version of hgcentral are synchronized. Newer versions of hgcentral database with old source code are OK. The problem is when you have new source code that expects new features in hgcentral.</li> </ol> <p> If these items are OK, then you can check the actual operation of a cgi binary. Go to the source tree directory of the cgi binary, for example hgTracks: </p> <pre><code>kent/src/hg/hgTracks</code></pre> <p> In this directory, run a 'make compile' to produce a binary that is left in this directory. This binary can be run from the command line: </p> <pre><code>./hgTracks</code></pre> <p> By itself with no arguments, it should produce the default tracks display HTML page for the Human genome. This assumes you have set up your $HOME/.hg.conf file to allow access to the MariaDB databases. (See also: section "MariaDB Setup"). A binary execution failure should be obvious at this stage of the game. If it exits because of SIGSEGV we can run it under a debugger for specifics. More on this below. </p> <p> If the problem is specific to a particular set of tracks being displayed, or particular genomes or options, command line arguments can be given to these CGI binaries to provide the URL inputs that a CGI binary would normally see. </p> <p> To prepare the binaries for operation under a debugger, go to the src/inc directory and edit the common.mk configuration file. Change "COPT=-O" to read: "COPT=-g" GNU gcc will allow "-O" with "-g", and some bugs will only exhibit themselves with -O on. However the optimizations with -O can sometimes confuse the debugger's sense of location due to optimization rearrangement of code. Also eliminate the -Wuninitialized option from the HG_WARN definition to avoid constant warnings about that being incompatible with -g. </p> <p> Rebuild the source tree: </p> <pre><code>cd kent/src make clean make libs cd hg/hgTracks make compile</code></pre> <p> The hgTracks binary will now have all symbol information in it and it can be operated under a debugger such as ddd (or gdb, etc...). </p> <p> For the case of specific options or tracks causing problems, to find the full set of options in effect for the failure case, when your WEB browser is at the Error 500 display page, edit the displayed URL in your WEB browser to call the cgi binary cartDump: </p> <pre><code>http://<your server>/cgi-bin/cartDump </code></pre> <p> This will display all environment variables in effect at the time of the crash. Most of the track display options that are marked as "hide" can be ignored. That is their default setting already. The important ones are the db, position, and specific options for the track under consideration. The command line can be formatted just as if it was a URL string. For example: </p> <pre><code>./hgTracks "db=hg17&trackControlsOnMain=0&position=chr4:56214201-56291736"</code></pre> <p> Or with spaces between the arguments: </p> <pre><code>./hgTracks db=hg17 trackControlsOnMain=0 position=chr4:56214201-56291736</code></pre> <p> Remember to protect special characters on the command line from shell interpretation by appropriate quoting. </p> <p> At this point, running under a debugger, with a command line for specific options, a crash of the binary should give you some clue about the problem by checking the stack backtrace to see what function is failing. It is highly doubtful you will be finding problems in the source code for the crashes. The almost universal cause for failure are the data inputs to the binaries. For example, violations of the SQL structures expected from the database tables. Missing data files in the /gbdb/ hierarchy, and so forth. </p> <p> If you are developing code for special track displays, the most common form of problem is a memory violation while using some of the specialized structures, hash lists, etc. Your stack backtrace will usually highlight these situations. </p> <p> In order to determine the URL being used by the browser CGIs to pass to in the debugger, you need to force the browser to use GET http requests rather than POST. Try adding &formMethod=GET to an URL. Not all forms pay attention to that input, but when they do it generally looks like this: </p> <pre><code>hPrintf("<FORM ACTION=\"%s\" NAME=\"mainForm\" METHOD=%s>\n", getScriptName(), cartUsualString(cart, "formMethod", "POST"));</code></pre> <p> If you add &formMethod=GET and a subsequently fetched form is still posting, you might need to alter the "<FORM..." statement to use the cartUsualString. </p> <p> The hg18 hgTracks config page generates a GET URL that is too long for FireFox, so after debugging hgTables, you will probably want to add &formMethod=POST to an URL (or clear cart, load session etc). </p> <p> One thing that does not work with GET is "upload file" inputs. </p> <pre><code># HTTPS Certificate Check for Verification Settings are: abort warn log none # currently the default is log httpsCertCheck=log # domains to whitelist, skip cert checking, space-separated list httpsCertCheckDomainExceptions=somedomain1.com somedomain2.edu</code></pre> <a name='notes-on-security'></a> <h2>Notes on security</h2> <p> The Genome Browser is a complicated piece of software of more than 2 million lines of code that have been developed over 20 years. There is a risk of bugs and security issues, and we take that seriously. At UCSC, we run a security scan on the Genome Browser once a month and pay close attention to the results. Frequently, however, the scanners complain about things in the Genome Browser that are not actually problems. The Browser is designed for significant flexibility when accessing and sharing data. As a result, security scanners often complain about potential vulnerabilities that are actually intentional features: </p> <ul> <li>The Genome Browser draws remote genome annotation files that are streamed on the fly through https. This means that parts of these files appear in our user interface. Various features of custom tracks and track hubs specifically reference external file via URLs that the user can define, and we place no restrictions on these URLs for various reasons. These features predate the introduction of CORS to the internet protocols by at least five years, and the servers from where these files are loaded by the Genome Browser do not need to specifically allow the requests. As a result, this is not a security exploit but an intentional feature, similar to a webservice that checks files entered via a URL (e.g. a robots.txt analyzer) and then shows the content of the URLs on their web pages. Security scanners will find these features and flag them as SSRF exploits (Server-side request forgery), but they are a result of our features, not a problem in our software, and not a problem in the context of our public web servers.</li> <li>Conversely, when running a local Genome Browser at your institution, do not assume that the Genome Browser web server can be granted access to internal files that should not be shared with the outside world. The Genome Browser is not a secure gateway, and anything that the Genome Browser can access may be displayable by any Genome Browser user. For example, if you restrict internal files to access from only the Genome Browser IP address, as with most other servers without dedicated security layers, assume that these can be accessed by anyone who is using the Browser. We strongly advise you to constrain access to and from your local mirror of the Browser if this is a concern for you.</li> <li>On our webservers at UCSC and your own internal mirror, even though the data from external URLs is shown, and even though the HTML tags are interpreted, Javascript in these pages is not executed, so an XSS exploit is not possible through these. We use CSP and a nonce to block Javascript injection in these pages. CSP/nonce is a system that many security scanners do not recognize. You can disregard XSS warnings from the security scanners and refer your IT department to our CSP declarations in the HTML headers unless you think that you found a case where it is possible to get through the CSP/nonce system. Feel free to send us the security report from your scanner when in doubt.</li> <li>Our CSP/nonce system also secures the Javascript libraries. We use customized jquery libraries from the mid-2000s. Some of these are outdated, so some security scanners deem them unsafe, but our use of CSP and a nonce means that possible XSS problems cannot be exploited. The security scanners also cannot detect that. To reduce these warnings, we are in the process of upgrading our Javascript dependencies where possible.</li> </ul> <a name='proxy-support'></a> <h2>Proxy support</h2> <p> net.c now has support for http(s) proxy servers which may be required by some installations to get through the firewall to external resources such as (but not limited to) for example bigWig or bigBed data via custom track bigDataUrl. </p> <p> One must add the setting "httpProxy", "httpsProxy", "ftpProxy" to hg.conf </p> <pre><code>httpProxy=http://someProxyServer:3128 httpsProxy=http://someProxyServer:3128 ftpProxy=ftp://127.0.0.1:2121</code></pre> <p> If the proxy server requires BASIC authentication </p> <pre><code>httpProxy=http://user:password@someProxyServer:3128 httpsProxy=http://user:password@someProxyServer:3128</code></pre> <p> where user and password may need URL-encoding if they contain special characters such as ":" and "@". </p> <p> If you wish to exclude domains from proxying, create a comma-separated list of domain-suffixes.<br/>If a domain ends with an entry from this list, the proxy will be skipped. </p> <pre><code>noProxy=ucsc.edu,mit.edu</code></pre> <p> The httpProxy and httpsProxy URLs should use http protocol, not https. One reason for this is that https sessions would end up doubly-encoded. </p> <p> If you are debugging your proxy configuration, you can use this hg.conf setting to turn on logging to stderr. </p> <pre><code>logProxy=on</code></pre> <p> It is not meant to be left on in production. Your proxy server should have its own logging features. </p> <p> net.c also responds to environment variables http_proxy, https_proxy, ftp_proxy, no_proxy and log_proxy. </p> <a name='support-for-cloud-urls'></a> <h2>Support for cloud URLs</h2> <p> The genome browser supports cloud URLs by allowing a mirror to configure a command to resolve these URLs to http or https URLs. </p> <p> For example, URLs with the gs, s3, or drs scheme would be resolved to https: URLs. This may involve conversion to signed https URLs. The browser caches the results under the original URL and will call the resolver command again if the signed URL has timed out. </p> <p> URL resolution is enabled by defining following variables in hg.conf: </p> <ul> <li>resolvProts: A comma-separated list of URL protocols, without the colon, to resolve with the specified command.</li> <li>resolvCmd: The path to the command to resolve the matching URLs. It may include space-separated arguments that are passed on to the command unchanged. The URL to resolve is passed as the last argument. The command writes the resolved http/https URL to stdout. If an error occurs, the command should write an error message to stderr and exit with a non-zero status code.</li> </ul> <p> For example: </p> <pre><code>resolvProts = gs,drs resolvCmd = /var/www/tools/urlResolver /var/www/tools/config</code></pre> <a name='the-udc-local-cache-directory'></a> <h2>The UDC local cache directory</h2> <p> The udcCache allows tracks that are either installed tracks or custom tracks of the above mentioned types to cache data that they have already fetched via URL. This allows data to reside elsewhere and only download the parts needed on demand. The datablocks are usually compressed and have an efficient random access index. They are accessed from a remote location via URLs such as HTTP, HTTPS, FTP. </p> <ul> <li>udcCache means URL-Data-Cache</li> <li>BBI files use the udcCache.</li> <li>BBI means Big Binary Indexed and includes file types such as BigBed (.bb) and BigWig (.bw).</li> <li>UCSC BAM file support may also use the udcCache</li> </ul> <p> By default, udcCache stores files in /tmp/udcCache </p> <p> However, you may include the following in your hg.conf and then let your regular trash cleaning scripts clean out the old udcCache automatically as well: </p> <pre><code># directory for temporary bbi file caching udc.cacheDir=../trash/udcCache</code></pre> <p> Notice that this path is relative to your cgi executable directory which is the current directory when the cgi starts up. On some systems this directory is called cgi-bin/. </p> <a name='activating-cram-support-for-the-genome-browser'></a> <h2>Activating CRAM support for the Genome Browser.</h2> <p> The UCSC Genome Browser is capable of displaying tracks from both the BAM and CRAM file formats. While BAM tracks provide all of the required data within the file, however, CRAM tracks depend on external "reference sequence" files (see <a href='http://www.ebi.ac.uk/ena/software/cram-toolkit' title=''>http://www.ebi.ac.uk/ena/software/cram-toolkit</a> for more information about the CRAM format). A bit of information on how the Browser works with these files is included below. For installation instructions, skip to the numbered steps at the end of this file. </p> <p> The directory that Genome Browser CGIs check for CRAM reference files is set with the cramRef setting in hg.conf. For example, the following setting is used on our production servers: </p> <pre><code>cramRef=/userdata/cramCache</code></pre> <p> When loading tracks from the CRAM file format, CGIs will look for reference sequences in that directory. The filename of each reference sequence should be the MD5 or SHA1 checksum of the reference sequence as described at <a href='http://www.ebi.ac.uk/ena/software/cram-reference-registry' title=''>http://www.ebi.ac.uk/ena/software/cram-reference-registry</a>. If a CGI is unable to find the reference sequence file for a CRAM track, it will next check the cramRef/pending/ directory to see if a request for that reference sequence has already been made, and the cramRef/error/ directory to see if a previous attempt at downloading that reference sequence resulted in an error. If none of those files are found, the CGI will then create a request file in the cramRef/pending/ directory. The name of the request file will be the MD5 or SHA1 sequence checksum, as specified in the CRAM data file. The contents of the request file will be the URL to download that reference sequence. A separate tool can then be used to download reference sequences listed in the pending/ directory and place them into cramRef/. </p> <p> Steps to set up CRAM track support: </p> <ol> <li><p> Add the hg.conf setting cramRef. The value should be the path (relative or absolute) to a directory where CRAM reference sequences are stored. </p></li> <li><p> Inside the cramRef directory create subdirectories called "pending" and "error". The apache user must have read/write permissions for the pending/ directory, and at least read permissions for the cramRef/ and error/ directories.<br/>If you plan to manually load all CRAM reference sequences for your tracks into the cramRef directory, track support is now complete. If you prefer to have reference sequences automatically downloaded and placed in that directory (e.g., for user-submitted custom tracks), continue to step 3. </p></li> <li><p> Add a cron job to run a script that parses files in the cramRef/pending/ directory, downloads the corresponding reference sequence files, and places those sequence files in cramRef/. Error messages during file retrieval should be placed in cramRef/error/. An example script is provided in this repository at kent/src/product/scripts/fetchCramReference.sh. The account that runs this script must have read/write permissions for the cramRef/, cramRef/pending/, and cramRef/error/ directories. </p></li> </ol> <a name='using-freetype-font-support-for-anti-aliased-text'></a> <h2>Using FreeType font support for anti-aliased text</h2> <p> The Genome Browser can use a set of hard-coded Type1 fonts for text display in hgTracks. The fonts are NOT distributed as part of the Genome Browser files but they exist natively on the UNIX systems we use in our production environment. To support FreeType font drawing on your system you may need to install these files if they are not already present. On most systems, they exist in one of three directories: </p> <pre><code>/usr/share/X11/fonts/urw-fonts /usr/share/fonts/default/Type1 /usr/share/fonts/type1/gsfonts</code></pre> <p> To turn on the FreeType font rendering you need to add this line to your hg.conf file: </p> <pre><code>freeType=on</code></pre> <p> By default, the Genome Browser looks in the directory </p> <pre><code>/usr/share/fonts/default/Type1 </code></pre> <p> for the font files it expects to find. If you have these fonts in a different directory, you need to add this line to your hg.conf file: </p> <pre><code>freeTypeDir='<apache accessible directory path with fonts in it>'</code></pre> <p> The names of the font files that the Genome Browser expects and their md5sums are in the following table: </p> <pre><code>5624bc04bbd862287bda3c44b15e90d6 a010013l.pfb 6883f53d0d140f972480f179bb5e4e3b a010015l.pfb db21f79bac990fa7e3de6d4cc6f54020 a010033l.pfb c3d0c3af6bc183010204ca923fb98e83 a010035l.pfb 33265074c9c45c356f90de9cc47259b3 n019003l.pfb 9d07b8658622c2e0127628c87fdb9661 n019004l.pfb df59ecc7bd232d2355786fd644f13baa n019023l.pfb 9f2d4377d9eea95dfdfa705c83a39464 n019024l.pfb 8f75382bd2620a20aaeb06ab8c591e8f n019043l.pfb 28bb40d1700909b2509e2125a1963e2c n019044l.pfb adf4d5565bec1170f0a5810c6984ff55 n019063l.pfb 57e1a49c39a546c2883375df12111816 n019064l.pfb 84e347c88eff2e77ed40b020b457bafe n021003l.pfb 8721c1175d907d7d484bdaa91d4533ad n021004l.pfb eef0367afaa10b929e528c40c980b941 n021023l.pfb 7af41ff3536fadcdc27eb9e5cc1c32d3 n021024l.pfb db95b702b81c12df1f91d15c8a6c3191 n022003l.pfb e97c9af68414fabe157af711b7691df7 n022004l.pfb f13fb8e581426a1ffa5fc12b10ad0f34 n022023l.pfb f3cd9244150f086434b62d5c5bb559b0 n022024l.pfb 30aef717b7c68a6b6b7760b764fbd01c z003034l.pfb</code></pre> <a name='building-the-kent-source-tree'></a> <h2>Building the kent source tree.</h2> <p> In some cases, you may have to modify the source code itself. In these cases, you would need to build all the tools and CGI programs from the source code on your machine. </p> <p> There are scripts available in the git repo src/product/scripts/ directory that can run all of these steps for you with the script: scripts/kentSrcUpdate.sh See the instructions in scripts/README </p> <p> If you have the kent git repository cloned: </p> <ol> <li><p> Check your shell environment. It should contain a MACHTYPE variable. Typical values, for example: </p> <pre><code>i386 i686 sparc alpha x86_64 ppc</code></pre> <p> If there is none, set it to indicate your CPU architecture, for example, </p> <pre><code>MACHTYPE=i686 export MACHTYPE</code></pre> <p> You need to do this if your existing MACHTYPE is a long string such as: </p> <pre><code>i686-pc-linux-gnu</code></pre> <p> since this is used as an argument on the command line to gcc which will not work with the - signs in the strings. Typical values: </p> <pre><code>i386 i686 x86_64 sparc ppc</code></pre> <p> To determine the machine cpu type of your computer, try one of these uname command options: </p> <pre><code>$ uname -m $ uname -p $ uname -a</code></pre> <p> Remember to set this MACHTYPE in your .bashrc or .tcshrc home directory environment files so it will be set properly at your next login. </p> <p> The browser code has not been tested by UCSC outside a CentOS Linux on Intel or AMD Opteron environment. Other users do report successful operation on other systems. </p> <p> Depending upon what libraries you have installed locally, you may want to set environment variable USE_SAMTABIX. </p> <p> See also: <a href='http://genomewiki.ucsc.edu/index.php/Build_Environment_Variables' title=''>http://genomewiki.ucsc.edu/index.php/Build_Environment_Variables</a> </p></li> <li><p> Create a directory where binaries will be moved to during the build of the source tree: </p> <pre><code>$ mkdir -p ~/bin/${MACHTYPE}</code></pre> <p> 2a. ALTERNATE PATH: </p> <p> If you are going to do a full build anyway, skip this and proceed straight to step 3 below. Otherwise, to make a minimal utility build without MariaDB: There are some utilities that depend only on jkweb.a and not jkhgap.a which means they can be compiled without needing MariaDB client installed. To make a utility like pslCDnaFilter without installing MariaDB client: </p> <pre><code># create jkweb.a cd kent/src/lib make # create stringify utility required by some makefiles cd kent/src/utils/stringify make # create pslCDnaFilter utility program cd kent/src/hg/pslCDnaFilter make</code></pre> <p> Proceed similarly for any other such utilities. You are done and can stop here. </p></li> <li><p> Create the following shell environment variables: </p> <p> NOTE: As of mid-October 2013 the makefile build system in the source tree will attempt to configure MYSQLINC and MYSQLLIBS with the mysql_config command. To use that automatic configuration, eliminate any MYSQLINC and MYSQLLIBS definitions from your shell environment and make sure mysql_config can be found in your PATH. This option is not perfect and may not function correctly. It usually will not use a static linked library which can lead to a known issue on the Mac OSX. See '<a href='#known-issues' title=''>Known Problems</a>' item 10 below. </p> <p> In the case the automatic configuration does not function, you can set these variables in your shell environment to override the automatic configuration: </p> <pre><code>MYSQLINC=/usr/include/mysql MYSQLLIBS="/usr/lib/mysql/libmysqlclient.a -lz" export MYSQLINC MYSQLLIBS</code></pre> <p> Your setting may vary depending upon where your MariaDB is installed. The above example is typical. If your system does not have this set of include files or this static client.a file, you may need to install the mariadb-devel package to obtain the MariaDB development environment. With that package installed, this command: </p> <pre><code>mysql_config --libs</code></pre> <p> will display the appropriate libraries to link with for your system configuration. And: </p> <pre><code>mysql_config --include</code></pre> <p> will display the appropriate MYSQLINC directory. The -lz requires a link to the libraries installed in the zlib-devel rpm. </p> <p> 3a. Required SSL support: </p> <p> In order for the libraries to be able to use SSL, for instance to support fetching HTTPS URLs, install openssl. We are currently using these packages: </p> <pre><code>openssl-1.0.1e openssl-devel-1.0.1e</code></pre> <p> SSL is also useful for accessing bigWig and bigBed over HTTPS. The directory on your server should be found automatically. </p> <p> 3b. In the source tree, perform the following: </p> <pre><code>$ cd kent/src $ make libs</code></pre> <p> At this point, you can build utilities in other parts of the source tree if that is your goal. Go to the directory of the utility command you want to build and run a 'make' in that directory. The resulting binary will be placed in \(HOME/bin/\)MACHTYPE </p></li> <li><p> To continue building the CGI binaries </p> <pre><code>$ cd kent/src/hg $ make compile $ make install DESTDIR=/destination/prefix</code></pre> <p> Where "/destination/prefix" is your choice, and this will install the cgi binaries in: </p> <pre><code>/destination/prefix/usr/local/apache/cgi-bin</code></pre> <p> If your cgi-bin directory is something different than /usr/local/apache/cgi-bin then use the CGI_BIN variable, e.g.: </p> <pre><code>make install DESTDIR=/var/www CGI_BIN=/cgi-bin \ DOCUMENTROOT=/var/www/html</code></pre> <p> You can save yourself time and trouble if your Apache is somewhere other than at /usr/local/apache by creating that directory and making symlinks to your actual apache directories. For example: </p> <pre><code>mkdir /usr/local/apache ln -s /var/www/cgi-bin /usr/local/apache/cgi-bin ln -s /var/www/html /usr/local/apache/htdocs ln -s /var/www/cgi-bin-${LOGNAME} /usr/local/apache/cgi-bin</code></pre> <p> With those symlinks in place, a simple 'make cgi' can be used instead of the 'make compile; make install DESTDIR=...' business. </p> <p> If your apache DocumentRoot is something different than /usr/local/apache/htdocs then use the DOCUMENTROOT variable. This value should be a full path and should agree with the browser.documentRoot setting in hg.conf; see the section "MariaDB Setup" for more details. </p> <pre><code>$ make install DESTDIR=/destination/prefix CGI_BIN=/cgi-bin/path DOCUMENTROOT=/usr/local/apache/htdocs</code></pre> <p> to install binaries in "/destination/prefix/cgi-bin/path" </p> <p> [NOTE: These 'make' commands assume gnu make is being used] </p></li> <li><p> After source tree updates, the make sequence is: </p> <pre><code>$ cd kent/src $ make clean $ make libs $ cd hg $ make compile $ make install DESTDIR=/destination/prefix</code></pre></li> </ol> <hr/> <h3 id="known-issues">Known problems:</h3> <ol> <li><p> A compile/link of a utility has complaints about undefined symbols such as: bind, accept, listen, gethostbyname, socket, setsockopt, connect, inet_pton, inet_ntop or h_errno To fix this, you need to add '-lsocket -lnsl' to your MYSQLLIBS environment variable. This is typically the case on Solaris systems: </p> <pre><code>MYSQLLIBS="/usr/lib/mysql/libmysqlclient.a -lsocket -lnsl -lz"</code></pre></li> <li><p> The build fails immediately in the first src/lib/ directory with the compiler issuing a warning about unused variables. Some newer versions of gcc issue these warnings and the src/inc/common.mk file specifies -Werror which causes it to exit on these warnings. Either remove the -Werror specifications in src/inc/common.mk or add the -Wno-unused-variable to instruct the compiler to allow these warnings without an exit. </p></li> <li><p> The build fails during a link of any program under the src/hg/ hierarchy with an error something like: </p> <pre><code>undefined reference to 'SSL_CTX_free' undefined reference to 'ERR_get_error_line_data' undefined reference to 'SSL_read' undefined reference to 'SSL_get_error' undefined reference to 'SSL_write'</code></pre> <p> This error is due to your MariaDB libraries have been compiled with SSL functionality enabled. To fix this build problem, add '-lssl' to your MYSQLLIBS environment variable to satisify these SSL library functions. </p></li> <li><p> Build fails on Macintosh with an error: </p> <pre><code>aliType.c:5: warning: 'rcsid' defined but not used make: *** [aliType.o] Error 1</code></pre> <p> The OSTYPE environment variable needs to be set to "darwin". If your shell is bash, it is a shell local variable instead of an environment variable as with tcsh. </p> <p> To avoid this error, place an export statement in your $HOME/.bashrc environment: </p> <pre><code>export OSTYPE</code></pre> <p> This causes the OSTYPE variable to be recognized during the make and the conditional statements in src/inc/common.mk will include the -Wno-unused-variable option in the build. </p></li> <li><p> The build fails with an error: </p> <pre><code>gifdecomp.c:274: error: call to function 'gif_out_line' without a real prototype</code></pre> <p> This happens with newer versions of the gcc compiler. To avoid the build stopping at this point, eliminate the -Werror argument from the src/inc/common.mk file. We will fix this error as soon as we get our hands on a newer version of the gcc compiler. </p></li> <li><p> The build fails with an error of this type: </p> <pre><code>pipeline.c: In function waitOnExec: pipeline.c:351: error: ignoring return value of read, declared with attribute warn_unused_result </code></pre> <p> This happens with newer versions of the gcc compiler. To avoid the build stopping at this point, eliminate the -Werror argument from the src/inc/common.mk file. We will fix this error as soon as we get our hands on a newer version of the gcc compiler. </p></li> <li><p> Build fails complaining about missing png.h file: </p> <pre><code>pngwrite.c:7:87: error: png.h: No such file or directory</code></pre> <p> Find out where your png.h file is and set PNGINCL to something like: </p> <pre><code>export PNGINCL="-I/opt/local/include/libpng14"</code></pre> <p> pointing to the directory where png.h exists. </p></li> <li><p> Build fails at the point of building a CGI binary with the error: </p> <pre><code>Undefined symbols: "_png_write_png", referenced from: _mgSaveToPng in jkweb.a(pngwrite.o) ... other png symbols ...</code></pre> <p> You need to find out where your libpng.a is located. For example it may be in /opt/local/lib/libpng.a When found, use the PNGLIB variable to specify it, for example: </p> <pre><code>export PNGLIB=/opt/local/lib/libpng.a</code></pre> <p> or equivalent: </p> <pre><code>export PNGLIB='-L/opt/local/lib -lpng'</code></pre></li> <li><p> Build fails with complains about missing functions dlclose, dlopen: </p> <pre><code> /usr/lib/x86_64-linux-gnu/libmysqlclient.a(client_plugin.c.o): In function 'add_plugin': (.text+0x1ed): undefined reference to 'dlclose' /usr/lib/x86_64-linux-gnu/libmysqlclient.a(client_plugin.c.o): In function 'mysql_client_plugin_deinit': (.text+0x28b): undefined reference to 'dlclose' /usr/lib/x86_64-linux-gnu/libmysqlclient.a(client_plugin.c.o): In function 'mysql_load_plugin_v': (.text+0x51e): undefined reference to 'dlopen'</code></pre> <p> To add the library that includes these functions, add '-ldl' to the MYSQLLIBS string: </p> <pre><code> MYSQLLIBS="/usr/lib/mysql/libmysqlclient.a -ldl -lz"</code></pre></li> <li><p> Mac OSX dynamic link with the MySQL/MariaDB libraries results in the following run-time error for CGI binaries or command line programs: </p> <pre><code>dyld: Library not loaded: libmysqlclient.18.dylib</code></pre> <p> This is a known problem with the dynamic library for MySQL, with potential work-arounds offered: <a href='http://bugs.mysql.com/bug.php?id=61243' title=''>http://bugs.mysql.com/bug.php?id=61243</a> </p> <p> Or, you can set the MYSQLINC and MYSQLLIBS shell environment variables to the static MySQL library as mentioned in Step 3 above. </p></li> <li><p> Genome browser issues error: </p> <pre><code>"PDF format not available" when trying to export to pdf.</code></pre> <p> The browser can't find the command 'ps2pdf' which is usually found in /usr/bin/ps2pdf and is installed with the 'ghostscript' package. Install the 'ghostscript' package and verify ps2pdf is in: /usr/bin/ps2pdf </p></li> </ol> <a name='adding-a-track-hub-to-your-hubpublic-table-so-it-appears-under-my-data-gt-track-hubs'></a> <h2>Adding a track hub to your hubPublic table so it appears under My Data > Track Hubs</h2> <p> By default, your browser mirror only comes with our public hubs. You may want to remove these and replace them with the hubs in your institution. One idea could be to have one hub per research group or department and users connect to them on My Data > Track Hubs. </p> <p> Use hubPublicCheck to create the SQL command to add the hub: </p> <pre><code>hubPublicCheck hubPublic -addHub=https://genome.ucsc.edu/goldenPath/help/examples/hubDirectory/hub.txt</code></pre> <p> Output is: </p> <pre><code>insert into hubPublic (hubUrl,descriptionUrl,shortLabel,longLabel,registrationTime,dbCount,dbList) values ("https://genome.ucsc.edu/goldenPath/help/examples/hubDirectory/hub.txt","", "My Hub's Name", "Name up to 80 characters versus shortLabel limited to 17 characters", now(),1, "hg19,"); </code></pre> <p> Then we run hubCrawl to get the searches to work (most mirrors do not need this). See <a href='https://genomewiki.ucsc.edu/genecats/index.php/Public_Hub_QA' title=''>https://genomewiki.ucsc.edu/genecats/index.php/Public_Hub_QA</a> for more details. </p> <a name='make-the-api-work-in-the-same-way-as-on-the-public-website'></a> <h2>Make the API work in the same way as on the public website</h2> <p> The API is served by the hubApi program, but an Apache rule in httpd.conf allows shorter URLs to be used for API queries. The virtual host definition looks as follows on our server: </p> <pre><code><VirtualHost *:443> ServerName api.genome.ucsc.edu ServerAlias api ScriptAlias /cgi-bin/ "/data/apache/cgi-bin/" DocumentRoot "/data/apache/htdocs" RewriteEngine on RewriteOptions Inherit # The next four rewrite rules added by Hiram's request 05/01/2019 RewriteRule "^/list/(.*)$" "/cgi-bin/hubApi/list/$1" [L,PT] RewriteRule "^/getData/(.*)$" "/cgi-bin/hubApi/getData/$1" [L,PT] RewriteRule "^/findGenome(.*)$" "/cgi-bin/hubApi/findGenome$1" [L,PT] RewriteRule "^/search$" "/cgi-bin/hubApi/search?%{QUERY_STRING}" [L,PT] RewriteRule "^/cgi-bin/hubApi(.*)$" "/cgi-bin/hubApi$1" [L,PT] RewriteRule "^(.*)$" "http://genome.ucsc.edu/goldenPath/help/api.html" [L] AllowEncodedSlashes NoDecode <Directory "/usr/local/apache/htdocs"> SSILegacyExprParser on Options Indexes FollowSymLinks MultiViews Includes AllowOverride None Require all granted </Directory> AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript application/x-javascript application/json application/javascript SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key SSLCertificateChainFile /etc/httpd/conf/ssl.crt/chain.crt Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Headers "Range" </VirtualHost></code></pre> <!--#include virtual="$ROOT/inc/gbPageEnd.html" -->