Op
Applications Azure

OpenCATS on Ubuntu 24.04 on Azure User Guide

| Product: OpenCATS on Ubuntu 24.04 LTS on Azure

Overview

OpenCATS is a free and open source applicant tracking system (ATS) used by recruiters and staffing teams to manage candidates, companies, contacts and job orders through their full recruiting pipeline. It brings candidate and company management, job orders, pipelines, activity logging, resume storage with full text search and a calendar together in one web console, gated by OpenCATS's own user and access control. The cloudimg image ships OpenCATS 0.10.0 served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. OpenCATS runs behind an nginx reverse proxy on port 80. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its database, along with uploaded resumes, on a dedicated Azure data disk. A unique administrator password is generated on the first boot of every VM, and the well known OpenCATS default login is removed. Backed by 24/7 cloudimg support.

What is included:

  • OpenCATS 0.10.0 served by nginx and PHP 8.3 FPM, managed by systemd
  • A bundled MariaDB server holding the OpenCATS database, already installed and ready
  • A ready to use recruiting console served on :80, with the full schema and seed data in place
  • A per VM administrator password generated on first boot and recorded in a root only file
  • No default login: the well known OpenCATS admin credential is removed, the admin is set to a unique per VM secret, and no known or blank credential authenticates
  • Post install hardening: the OpenCATS web installer and maintenance scripts are removed so they cannot be re run
  • Resume text extraction tools preinstalled and wired in: pdftotext, antiword, unrtf, html2text and catdoc
  • MariaDB bound to 127.0.0.1 only, never exposed to the network
  • A dedicated Azure data disk carrying both the MariaDB database and uploaded resumes
  • All required PHP extensions and OpenCATS's recommended PHP limits preconfigured
  • nginx.service, php8.3-fpm.service and mariadb.service as enabled systemd units
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for larger or busier teams. NSG inbound: allow 22/tcp from your management network and 80/tcp (and 443/tcp once you add TLS) for the console. OpenCATS serves plain HTTP on port 80 out of the box; for production, terminate TLS in front of it with your own domain. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for OpenCATS by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create then Create.

Step 2 - Deploy with the Azure CLI (alternative)

Prefer the command line? Create the VM from the cloudimg OpenCATS image with your resource group, image URN, size and SSH key. Open ports 22 and 80 on the network security group, then browse to the public IP.

az vm create \
  --resource-group my-rg \
  --name opencats \
  --image <cloudimg-opencats-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

az vm open-port --resource-group my-rg --name opencats --port 80 --priority 900

Step 3 - Confirm the services and retrieve the admin password

SSH in as azureuser. All three services plus the first boot unit are active, with nginx listening on port 80 and MariaDB bound to the loopback interface only.

systemctl is-active nginx php8.3-fpm mariadb opencats-firstboot
ss -tlnp | grep -E ':80 |:3306 '

The nginx, php8.3-fpm, mariadb and opencats-firstboot services all active, with nginx listening on port 80 and MariaDB bound to loopback 127.0.0.1:3306

On the first boot of every VM, OpenCATS generates a unique administrator password and records it, together with the sign in URL, in a root only file. Read it with sudo:

sudo cat /root/opencats-credentials.txt

The per VM OpenCATS credentials file, showing the admin login user, the generated password and the console URL

Step 4 - Sign in to OpenCATS

Browse to http://<your-vm-ip>/ and sign in with the user admin and the password from the credentials file. OpenCATS presents its own sign in page.

The OpenCATS sign in page showing the username and password fields and the version

After signing in you land on the dashboard, with your recent calls, upcoming calls and events, recent hires, a hiring overview graph and the important candidates list, and the top navigation for Dashboard, Activities, Job Orders, Candidates, Companies, Contacts, Lists, Calendar, Reports and Settings.

The OpenCATS dashboard showing recent calls, upcoming events, recent hires, the hiring overview graph and the important candidates panel

Step 5 - Manage candidates, companies and job orders

Open the Candidates tab to see your candidate list with name, city, state, key skills, owner and dates, sortable and filterable, with quick search across the whole system.

The OpenCATS candidates list showing candidate names, city, state, key skills and owner columns

Choose Add Candidate to enter a candidate by hand, or paste or upload a resume and let OpenCATS extract the text with the preinstalled pdftotext, antiword, unrtf and html2text tools. Create companies and job orders the same way, then build recruiting pipelines and log activity against each candidate.

The OpenCATS Add Candidate form showing the manual entry fields and the import resume panel

Security model - no default credentials

OpenCATS ships with a well known default administrator account. This image removes that hazard. The single admin account (user_id 1) is rotated to a unique per VM secret on every first boot, stored as a modern password hash, and the notorious default passwords (cats and cats123) along with other common guesses no longer authenticate. The web installer and maintenance scripts are removed after installation so they cannot be re run over HTTP. Every build proves, before the image is captured, that the per VM admin authenticates through the real OpenCATS login form while the defaults and weak guesses are rejected.

bash /usr/local/sbin/opencats-cred-roundtrip.sh

The per VM admin account in the OpenCATS user table, and the round trip check confirming the per VM admin authenticates via the OpenCATS login form while the default cats and cats123 credentials and weak guesses are rejected and the module list views render

Where your data lives

Both the MariaDB database and the OpenCATS uploaded resumes live on a dedicated Azure data disk, not on the OS disk. MariaDB's data directory is bind mounted from the data disk onto /var/lib/mysql, and the OpenCATS attachments and upload directories are symlinked onto the same disk, so your candidates, companies, job orders and resumes survive a VM resize or OS disk swap and stay on managed, snapshot friendly storage.

curl -sI http://127.0.0.1/healthz | head -1
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /data
findmnt -no SOURCE,TARGET /var/lib/mysql

The OpenCATS version, the healthz endpoint returning 200, the ext4 data disk mounted at /data and bind mounted onto /var/lib/mysql, and the schema table, user, candidate and job order counts

Production - add your own domain and TLS

OpenCATS serves plain HTTP on port 80 out of the box so you can sign in immediately. Before you rely on it for day to day recruiting, put it behind your own domain and TLS so the console is served over HTTPS: point a DNS record at the VM, open 443/tcp on the NSG, and terminate TLS with a certificate from your own certificate authority (for example Let's Encrypt) in front of nginx. Keep MariaDB on the loopback interface, take regular snapshots of the data disk, and restrict SSH to your management network.

Support

This image is built and maintained by cloudimg with 24/7 support. OpenCATS is licensed under the GPL 3.0. cloudimg is not affiliated with or endorsed by the OpenCATS project.