aboutsummarylogtreecommitdiffstats
path: root/README.md
blob: 16f222ab4591f6834e315cd3f95334c81c990fc6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
IBController AUR
=================
Source and documentation for the
[IBController](https://github.com/ib-controller/ib-controller)
AUR package [ib-controller](https://aur.archlinux.org/packages/ib-controller/).
This allows you to control [Interactive Brokers](http://interactivebrokers.com/)
[Trader Workstation](http://www.interactivebrokers.com/en/pagemap/pagemap_APISolutions.php).

This package depends on Trader Workstation having been installed via AUR package
[ib-tws](https://aur.archlinux.org/packages/ib-tws/). It installs a custom build
of IBController and a headless
[systemd](http://en.wikipedia.org/wiki/Systemd) configuration that supports
multiple concurrent IB Gateway instances while addressing usual security needs.

To start IBController and the IB Gateway it manages, create an INI file in
``/etc/ibcontroller`` and use systemd commands such as:

```
sudo systemctl start ibcontroller@ininame.service
sudo systemctl enable ibcontroller@ininame.service
```

The aforementioned ``ininame`` should be the simple name of an ``/etc/ibcontroller``
INI file. For example, use ``ibcontroller@fdemo.service`` for the included
[financial advisor sample INI file](package/fdemo.ini),
or ``ibcontroller@edemo.service`` for the included
[individual user sample INI file](package/edemo.ini). Both sample INI files can
be used concurrently, as they bind to unique ports. Please refer to the
[IBController](https://github.com/ib-controller/ib-controller) documentation for
the meaning of individual INI configuration settings.

Please note future updates to this package may change the sample INI files to
reflect new configuration defaults. You should create your own
INI file(s) rather than editing one of the shipped INI files. Similarly the
systemd configuration file may be changed in future updates.

Monitoring
----------
If you'd like to monitor your IBController is running and IB API is available,
[Monit](http://mmonit.com/monit/) is recommended. It's easily installed with
``sudo pacman -S monit``. Edit the ``/etc/monitrc`` file and add lines like:

```
set daemon 60
set mailserver mail.someisp.com
set alert you@you.com not on { instance, action }

check process ib-api-fdemo matching 'xvfb.*java.*fdemo.ini'
  start program = "/usr/sbin/systemctl start ibcontroller@fdemo.service"
  stop program = "/usr/sbin/systemctl stop ibcontroller@fdemo.service"
  if failed host 127.0.0.1 port 4002
    send "63\0x0071\0x001\0x005556\0x00" # clientVer\startAPI\startApiVer\5556
    expect "[0-9]{2,}"                   # serverVer reply
    send "49\0x001\0x00"                 # reqCurrTime\reqCurrTimeVer
    expect "49"                          # serverTime reply
  then restart
```

In the above:

* The ``daemon`` statement causes service monitoring every 60 seconds.
* The ``matching`` regular expression detects the ``fdemo.ini`` IBController
  process. Monit will then report additional  statistics in the Monit interface
  (eg CPU/RAM use) plus detect if the process is not running.
* The ``if failed host`` check on port ``4002`` performs an IB API connection
  handshake and requests the server time. This offers confidence IB API is
  running.
* The ``restart`` directive will both restart the service and send an email if
  there is any issue detected.

Don't forget you'll need to start Monit after editing the ``/etc/monitrc``:

```
sudo systemctl start monit
sudo systemctl enable monit
```

You can use [http://localhost:2812/](http://localhost:2812/) (default username
``admin``, password ``monit``) to access the Monit GUI.

Security
--------
Always ensure the ``/etc/ibcontroller`` INI files are only readable by ``root``,
as they contain your IB credentials. If you require additional credential safety
you may like to consider the IBController ``PasswordEncrypted`` option, however
it is easily decrypted and therefore not used in the sample files.

There is no mechanism to use IB hardware security tokens with the systemd
configuration. This is due to the systemd configuration using a virtual
framebuffer, so there is no mechanism by which hardware challenges can be
presented. If you have a hardware token, you can disable it for trading system
access via IB Account Management. Alternately you may like to create a new user
account under your IB account which has trading access but no hardware token.

Only 127.0.0.1 is trusted by the resulting IB Gateway instance. Port forwarding
(eg iptables, SSH tunneling) is suggested if other IP addresses are required.

Build and Test
--------------
If you'd like to try out changes to the package, these commands offer a start:

````
rm -rf pkg src *.xz *.zip && makepkg -f
namcap -m *.xz
sudo pacman -U *.xz
sudo systemctl daemon-reload
sudo systemctl start ibcontroller@fdemo.service
sudo systemctl status ibcontroller@fdemo.service
sudo systemctl stop ibcontroller@fdemo.service
mksrcinfo
git add
git push
````