Redmine Installation Instructions

On the following page I will explain how to install Redmine together with the required packages on a virtual machine running on a normal GSI linux computer. I will describe also which changes have to be done, to run a VM in the DMZ-Service of GSI. Since the machine runs in a different network segment there are some additional steps to be done to enable all needed access to the outside world.

If installing Redmine on a new VM in the DMZ-Service one can skip all points up to Setup VM in DMZ-Service, because the VM is provided by the IT department of GSI.

Prerequisites

  • Root access on the host computer
  • virtualization support on the host computer
  • virtual machine image with basic Debian Wheezy system

Install virtualization support on host computer

For the installation of the virtualization support please check the excellent information provided by Victor Penso. The instructions and the scripts can be found at github. There are also instructions how to get a virtual machine image at GSI.

Adapt the virtual Debian Wheezy image

The image are missing some important features which has to be installed before you can install Redmine using the cookbook. Everything can be installed using apt.

  • lsb-release : without the package chef-solo will not work
  • ca-certificates : allow to install the GSI specific certificates
  • ruby-dev : without the package the mysql installation fails, because it is using gems
  • GSI related certificates : Needed to connect to the GSI subversion repository.
  • locate ?
  • unzip ?

Before running apt one must copy the GSI related certificates to the correct position in the file system of the vm. In the directory with the instance of the vm use the following command to copy the required files from the host system to the correct location of the vm

vm put /usr/local/share/ca-certificates/dfn_pca_global_g01.crt /usr/local/share/ca-certificates/  
vm put /usr/local/share/ca-certificates/gsi_ca_02.crt /usr/local/share/ca-certificates/

After you copied the files login to the machine and run apt to install all the additional packages.
sudo apt-get install lsb-release ca-certificates ruby-dev <everything else>

Now you have an image which can be used as base for the redmine installation.

Create a new instance of the virtual image

vm clone <your image> lxdev01

After some time the machine is provisioned and booted so you can login
vm login

If everything looks okay log out again.

Setup VM in DMZ-Service

This section is only relevant if the machine is in DMZ-Service. Since in this network the connection to the outside is very limited one has to define the required proxy servers. To enable the needed acces for ruby/chef one has to set the correct environment variables in the .bashrc of root or even better to put the varibales in /etc/bash.bashrc. In the latter case the settings are valid for all users.
export https_proxy=140.181.64.225:8080
export http_proxy=140.181.64.225:8080
export ftp_proxy=140.181.64.225:8080

If the www-proxy is defined in /etc/hosts (should be standarn with new machines but not tested) it should also be poosible to use the following definition

export https_proxy=www-proxy.gsi.de:8080
export http_proxy=www-proxy.gsi.de:8080
export ftp_proxy=www-proxy.gsi.de:8080

That one can download files using wget, add the proxies also in /etc/wgetrc
https_proxy = http://www-proxy.gsi.de:8080/
http_proxy = http://www-proxy.gsi.de:8080/
ftp_proxy = http://www-proxy.gsi.de:8080/

# If you do not want to use proxy at all, set this to off.
use_proxy = on

That svn can access files from our subversion server at GSI add the proxy settings in the global section of /etc/subversion/servers
[global]
# http-proxy-exceptions = *.exception.com, www.internal-site.org
http-proxy-host = www-proxy.gsi.de
http-proxy-port = 8080
#

It is also necessary to check if the gsi and dfn certificate is installed correctly, otherwise redmine is not able to connect to the subversion server. To test if the certificates are installed correctly (should be the case with the newest gsi-sys cookbook) try to connect to the subversion server
svn ls https://subversion.gsi.de/fairroot

If the output is the listing of the directory everything is okay. If your are asked to accept the certificate of the subversion server there is a problem with the certificates.

Install Redmine

Copy the required cookbooks to the directory holding the instance of the virtual machine
vm config add cookbook <name>

Copy and edit or create the file with the instructions for chef-solo and store in the directory of the instance of the virtual machine. An example of the file is shown below.
{
  "run_list": [
    "recipe[apt]",
    "recipe[redmine]"
  ],
  "apt": {
    "packages": [
      "vim",
      "less",
      "joe",
      "apt-show-versions",
      "lynx",
      "unzip",
      "ruby-dev"
    ]
  },
  "redmine": {
    "databases": {
      "production": {
        "password": "my_secret_password"
      }
    }
  },
  "mysql": {
    "server_root_password": "another_secret_password"
  }
}

Now you can start the installation using chef-solo
vm config solo

which will copy the information to the virtual machine and start chef-solo. The installation will crash at some point (installing libaprutil). Rerun the configuration again and the installation will run till the end.

In case of an official machine one has to copy the files to the correct location in the filesystem which is /var/chef/. The cookbooks have go to the cookbooks subdirectory, the roles to roles and the data-bags to the subdirectories whith the same names. Beside the attributes.json file one needs additionaly the config.rb file which went both to /var/chef. The content of config.rb is shown below.
log_level         :info
log_location      STDOUT
verbose_logging   nil
cookbook_path     ["/var/chef/cookbooks"]
data_bag_path     "/var/chef/data-bags"
role_path         "/var/chef/roles"
cache_type        "BasicFile"
cache_options({   :path => "/tmp/chef/cache/checksums", :skip_expires => true })

The installation procedure is started with
sudo chef-solo -c config.rb -j attributes.json

The apt recipe always resets the /etc/apt/sources.list with some default values. The poor mans way to solve the problem is to edit the following file /var/chef/cookbooks/apt/templates/default/sources.list.erb and put there the following lines instead of the original ones.
deb    http://mirror.gsi.de/distrib/debian wheezy main contrib non-free
deb-src http://mirror.gsi.de/distrib/debian wheezy main contrib non-free
deb    http://mirror.gsi.de/distrib/debian-security wheezy/updates main contrib non-free
deb-src http://mirror.gsi.de/distrib/debian-security wheezy/updates main contrib non-free

After chef-solo has finished successfully one has to create the correct rules for the port forwarding from the host machine to the virtual machine. This is again done by some of Victors fantastic scripting commands.
vm forward add <instance_name>:port <port of host computer>

e.g.

vm forward add lxdev02:80 80
vm forward add lxdev02:443 443

Now you can login to Redmine for the first time. Use your favorite browser to navigate to the following URL

.gsi.de

If everything works you will be redirected to the https version of Redmine.

Congratulation. You have now a running Redmine installation. Now we come to the necessary configuration of Redmine.

Apache configuration

To avoid using RC4 encription which is known to be weak and vulnerable we have to swithch it of in the apache ssl configuration. This is done by adding the last of the following lines in /etc/apache2/mods-available/ssl.conf and disabling the original one. The first two lines should be there by default. If not add them, too.
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

A good description about the topic can be found here

Redmine Configuration

Change the default admin information

Now you should login and immediately change the admin password. Click on Sign In in the upper left corner of the web page and login with the default combination admin/admin. Click on Administration and Users and choose the admin user to change the password, the mail address and other things. After changing the items don't forget to save. To test if everything works log out and in again.

Change the general settings

Chose Administration, Settings, General and provide a good Name for the Redmine instance and write a nice welcome text which will be shown on the first page. Also set the host name and choose if you prefer http or https. Should make no difference since we redirect http to https anyway. Save the settings.

Sending E-Mail

TODO: Create a template which creates the needed file during the installation procedure.

To be able to send emails one has to set the correct information about the mail transport agent which should be used. Copy the example file, create a symbolic link and edit the file
sudo cp /usr/local/share/redmine/current/config/configuration.yml.example /usr/local/share/redmine/shared/config/configuration.yml
sudo ln -s /usr/local/share/redmine/shared/config/configuration.yml /usr/local/share/redmine/current/config/configuration.yml
joe /usr/local/share/redmine/shared/config/configuration.yml

In this file one finds several examples for different mail configurations. To send email at GSI one can use the smtp server at GSI. The settings are shown below.
default:
  # Outgoing emails configuration (see examples above)
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: "smtp.gsi.de"
      port: 25

sudo service apache2 restart

Save the file and restart apache that the changes take effect. Now log in as admin and choose Administration, Settings, Email notification to change the email settings. Choose a good name as sender address. Beside that chose whatever seems appropriate for you. In the text field for the email footer exchange hostname by the name of the machine. Save the settings and the test the mail by clicking on Send a test mail in the lower right corner of the page. If you receive the mail everything is okay.

Enable the LDAP authentication

To use the secure ldap (sldap) connection to the GSI LDAP server one has to change the ruby ldap module. This is necessary since the GSI ldap server is picky about the used SSL protocol which has to be SSLv3. The ruby openssl module is able to define the used protocol but unfortunately the ldap module cn't pass the information to openssl. To explicitely use the correct version of the protocol change thh following line in /var/lib/gems/1.9.1/gems/net-ldap-0.3.1/lib/net/ldap.rb
    ctx = OpenSSL::SSL::SSLContext.new

has to become
    ctx = OpenSSL::SSL::SSLContext.new("SSLv3")

If you only want to authenticate against the GSI LDAP server, you have to fill in the required information which are shown in the attached screenshot. In this setup it is only tested if the user has a GSI web account and if the given password is correct. If the authentication suceed a new user is created automatically in Redmine.

To do this please choose Administration, LDAP authentication. Since there is no LDAP defined click on new authentication mode and fill the form with help of the attached screenshot.

If you also want to check if the user is in a distinct group you have to use an additional module which is described below.

Due to the changes in the ruby ldap module one has to restart apache again.
sudo service apache2 restart

Please fill the complete form with the required information, log out and try to Sign In with your GSI web account. Don't use Register. If the authentication works you end in the registration form which you have to fill and save.

Enable the automatic refresh procedure

In the default settings the local information about an external repository is only updated when the information is first accessed. This means if there was no usage of the repository browser for some time, but many commits to the repository, redmine will update first his local information. Depending on the ammount of commits this can be a time consuming action. For this time the application will block, which is a problem for an interactive application. To overcome the problem one can setup a automatic procedure that redmine updates the database immediatly after each commit. In this case the data is always up to date.

To setup this feature one has to enable the mechanism on the redmine server, create a key on the redmine server, and add/change the post-commit hook on the repository server. On the redmine server login as administrator and navigate to Administration, Settings, Repositories. On the page click on Enable the WS for repository managment and create a key by clicking on Generate a key. Don't forget to save the changes afterwards.

On the subversion server add a post-commit hook or change the existing one. In any case one has to add the following line
curl "https://<webserver_adress>/sys/fetch_changesets?key=<generated key>" --capath /etc/ssl/certs/  

The extra argument is necessary because the curlinstalltion (at least the one at GSI) uses its own certificates which does not know dfn and gsi. In the ssl cert directory both certificates are present.

TODO: Find out if there is a possibility to have different keys for different repositories or if there is another way not to check all repositories if there are changes in only one.

Install useful plugins

Redmine is extendable by an enormous amount of plugins. A list of available plugins can be found at Redmine webpage. Instructions about plugin installation is here.

In the following I will list a personal list of useful plugins and installation instructions if they differ from the normal installation procedure.

  • Redmine Ldap Sync
  • Code Review

Install and configure the Ldap Sync plugin

The info about the plugin is here

Navigate to the plugins directory (/usr/local/share/redmine/current/plugins), clone the git repository, do the installation and restart the web server.
cd /usr/local/share/redmine/current/plugins
sudo git clone https://github.com/thorin/redmine_ldap_sync.git
cd /usr/local/share/redmine/current/
sudo bundle install
sudo rake redmine:plugins:migrate RAILS_ENV=production
sudo chown -R www-data:www-data tmp/ldap_cache
sudo service apache2 restart

In the Administration section one should see now the LDAP synchronization entry. Choose it and fill the form with the information of the two attached screenshots.

Install the Code Review plugin

The info about the plugin is here

Download the zip file, unzip it and do the installation procedure.
cd /usr/local/share/redmine/current/plugins
sudo wget https://bitbucket.org/haru_iida/redmine_code_review/downloads/redmine_code_review-0.6.2.zip
sudo unzip redmine_code_review-0.6.2.zip
cd /usr/local/share/redmine/current/
sudo rake redmine:plugins:migrate RAILS_ENV=production
sudo service apache2 restart

TODO: Configuration instructions

Install the Wiki Extensions plugin

The info about the plugin is here

Download the zip file, unzip it and do the installation procedure.
cd /usr/local/share/redmine/current/plugins
sudo wget https://bitbucket.org/haru_iida/redmine_wiki_extensions/downloads/redmine_wiki_extensions-0.6.3.zip
sudo unzip redmine_wiki_extensions-0.6.3.zip
cd /usr/local/share/redmine/current/
sudo rake redmine:plugins:migrate RAILS_ENV=production
sudo touch tmp/restart.txt

Enable the module on the adminsitration setting page at Administration, Settings, Projects to add the module to any newly created project, and on the projects setting page at Projects, , Settings, Projects to add the module to already existing projects.

Backup

In case of a crash of the server and a total loss the server and the applictaion can be created from scratch using the instructions above, so no backup is needed. The relevant information abour Redmine is stored in the mysql database, so a backup of the database is an absolut must, otherwise one would start with an empty datatbase and an empty redmine application. It is also needed t backup the content of the files directory. This directory contain all files which have been uploaded to the server.

The backup strategy is in the moment rather simply. Cretae a git repository for a specific backup directory. Do once per day a dump of the mysql database to this backup directory. Add and commit the file to the git repository. Also sync the files directory in the backup directory with the redmine installation and add new files to the git repository. Pull the changes of this repository from another computer which is in the normal gsi backup.

Since one has to put the mysql password in the script (which is not verry secure), create a backup user whith minimal privileges. To do so login to the mysql database as user root.
mysql -u root -p
mysql> GRANT LOCK TABLES, SELECT ON redmine.* TO 'BACKUPUSER'@'localhost' IDENTIFIED BY 'secret_password';
mysql> flush privileges;
mysql> exit;

Create the needed bash script in the home directory of the default user. The script is shown below.
#! /bin/sh

# Settings
BACKUP_DIR="/data.local1/redmine_backup/"
DB_USER="BACKUPUSER"
DB_PASS="secret_password"
DB="redmine"
DB_DUMP="$BACKUP_DIR/$DB.sql"

# Create your backup directory if it doesn't exist
mkdir -p $BACKUP_DIR

# Dump the database
mysqldump -u $DB_USER -p$DB_PASS --skip-extended-insert $DB > $DB_DUMP

# Change to the backup directory and initialize a new Git repo if necessary
cd $BACKUP_DIR
git init

# Add the database to the repo and commit
git add $DB_DUMP
git commit -m "Update database dump"

# Backup also the redmine files directory which is used to store uploaded files
rsync -a $REDMINE_ROOT/files/ $BACKUP_DIR/files/
git add files
git commit -m"Add files."

This will update the git repository on each run of the script.

On the computer which is in the GSI backup cretae the initial version of the repository using git clone.

git clone ssh://uhlig@lxcbmredmine01.gsi.de/data.local1/redmine_backup

To do this without being asked for the password. put the correct keys to the webserver. After the initial version of the repository is there one can do an git pull to get the latetst ersion from the web server. To do this automatically on can use a script on the backup computer which triggers first the execution of the backup script on the web server and the pull the changes from the remote repository.
#!/bin/bash

#set -xv

Backup_Dir=/u/uhlig/backup/redmine/redmine_backup

# trigger the mysqldump and git add on the remote host
/usr/bin/ssh -T uhlig@lxcbmredmine01.gsi.de /home/uhlig/mysql_backup >> /dev/null 2>&1

# pull the changes from the remote host
cd $Backup_Dir
git pull

#set +xv

To call this script regulary create a cron job.
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
MAILTO=f.uhlig@gsi.de
HOME=/u/uhlig


15 1 * * * /u/uhlig/backup/redmine/backup_redmine.sh

Now each night at 1:15 one get the last changes from the web server. This should be before the normal backup at GSI is started. With this setup one gets a simple and secure backup of Redmine.

TODO: Describe how to restore the backup. It would be good not to search for the instructions in case of an emergency.

-- FlorianUhlig - 28 Jun 2013
Topic attachments
I Attachment Action Size Date Who Comment
Ldap_Authentication.tifftiff Ldap_Authentication.tiff manage 205.1 K 12 Jul 2013 - 07:40 FlorianUhlig LDAP Authentication in Redmine
Ldap_Synchronization_1.tifftiff Ldap_Synchronization_1.tiff manage 230.6 K 12 Jul 2013 - 07:41 FlorianUhlig LDAP Synchronization in Redmine
Ldap_Synchronization_2.tifftiff Ldap_Synchronization_2.tiff manage 217.7 K 12 Jul 2013 - 07:41 FlorianUhlig LDAP Synchronization in Redmine
redmine_ldap_group_auth.patchpatch redmine_ldap_group_auth.patch manage 7.3 K 28 Jun 2013 - 12:25 FlorianUhlig Redmine patch for LDAP group authentication
Topic revision: r10 - 05 Mar 2014, FlorianUhlig
 
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding CBM Wiki? Send feedback
Imprint (in German)
Privacy Policy (in German)