Redmine with Passenger and Nginx on Ubuntu 16.04
Just in time for Ubuntu 18, here are Ubuntu 16 instructions for getting Redmine up and running. Though better than on Ubuntu 14, this is still a maze of twisty little passages, all alike. Here are flexible instructions to get an up to date, robust, secure installation going.
- Ubuntu 16.04 LTS - a mature Ubuntu version with long term support
- MySQL - the database
- Ruby - the technology on which Redmine runs, installed using RVM to manage the ruby version and have access to up to date components
- Phusion Passenger- the application server in which to run Redmine
- Nginx - the web server within which Redmine runs
MySQL Configuration
Install MySQL. For this step, relying on the Ubuntu packages is fine.sudo apt-get install -y mysql-server libmysqlclient-devConnect to the mysql service (mysql -p) and create the database and provide access to the redmine user:
mysql -p -u rootIf this is just a test system, move onto the Ruby Installation section.
CREATE DATABASE redmine CHARACTER SET utf8;
CREATE USER 'redmine'@'localhost' IDENTIFIED BY 'yourpassword';
GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost';
For production systems, a separate data disk should be used rather that storing data on the same partition as the root system. Stop the service and then migrate the data directory.
service mysql stopModify the data directory configuration in MySQL:
sudo vim /etc/mysql/mysql.conf.d/mysqld.cnfOn install, MySQL 5.7 automatically initiates the data directory. So this must be moved to the new location.
#datadir = /var/lib/mysql #old location
datadir = /data/mysql # new location
sudo mkdir /dataUpdate AppArmor, otherwise the mysql process won't start. The MySQL 5.7 and Ubuntu combination have an AppArmor bug that shows when moving the data directory. The error will show in syslog like this:
sudo mv /var/lib/mysql/ /data/mysql/
Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012262] audit: type=1400 audit(1515780192.392:116): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/8834/status" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=111To really geek out, this bug has one of the more sad but funny threads I've read in a long time. They eventually get to the right conclusion and open two bugs, but getting there is a journey. We will patch it ourselves, because the bugs haven't been actually fixed in the Ubuntu release.
Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012897] audit: type=1400 audit(1515780192.396:117): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
To update AppArmor:
sudo vim /etc/apparmor.d/usr.sbin.mysqldIn the "Allow system resource access" section add the following to fix the bug(s):
/sys/devices/system/node/ r,And under the "Allow data dir access" section change the entries from /var/lib/mysql/ to the new directory, /data/mysql/.
/sys/devices/system/node/** r,
/proc/** r,
# Allow data dir accessReload AppArmor:
# /var/lib/mysql/ r,
# /var/lib/mysql/** rwk,
/data/mysql/ r,
/data/mysql/** rwk,
sudo systemctl reload apparmorRestart mysql:
service mysql startThe system should start without error if everything has been done correctly. Run the following command to ensure everything looks okay:
mysql -p -u redmine
Ruby Installation
Many methods exist to install Ruby. Unfortunately, the most convenient using apt-get will leave the system many versions behind, which means many plugins for redmine, and parts of redmine itself, will be unsupported. RVM is a tried and true method to provide clean management of ruby versions.For whatever reason, these steps must be run as root:
sudo su - #get into rootOnce done, logout and log back in as root.
apt-add-repository -y ppa:rael-gc/rvm
apt-get update
apt-get install rvm
exitTest that the install looks okay.
sudo su - #log out and log back in
command curl -sSL https://rvm.io/mpapis.asc | gpg --import -
rvmsudo rvm get stable
rvm requirements
rvm install 2.5.0
rvm use 2.5.0 --default
ruby -vNote: once setup, each user of rvm needs to be added to the rvm group.
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-linux]
sudo usermod -a -G rvm username
Phusion Passenger Installation
Again, many options exist for application containers. Phusion has a Passenger-Nginx combo that is straight-forward to install and configure. It does not need to be done as root.Details of this installation can be found on the Phusion site.
sudo apt-get install -y dirmngr gnupg
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7
sudo apt-get install -y apt-transport-https ca-certificates
sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger xenial main > /etc/apt/sources.list.d/passenger.list'
sudo apt-get update
sudo apt-get install -y nginx-extras passenger
Nginx Configuration
Passenger configuration with nginx has simplified since previous versions.Enable passenger in the nginx:
sudo vim /etc/nginx/nginx.confUncomment the following line:
include /etc/nginx/passenger.conf;Restart nginx:
sudo service nginx restartConfirm everything looks correct
sudo /usr/bin/passenger-config validate-installThe result will be something like this:
sudo /usr/sbin/passenger-memory-stats
/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.iniAlso, confirm the correct location of the correct ruby.
which passenger-configThe result will be something like this:
/usr/bin/passenger-config #use this result to perform the next command
/usr/bin/passenger-config --ruby-command
/usr/local/rvm/gems/ruby-2.5.0/wrappers/rubyBuild out the site - assuming http for now. More configuration will be needed to SSL-ize the system and lock it down. But for now, this will get things correct and running.
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.origUpdate the root location and add passenger configuration. The assumption is your redmine root location is also on the /data partition. This directory will be created when we add the redmine account.
sudo vim /etc/nginx/sites-available/default
root /data/redmine/redmine/public/; #installation locationThen to prevent a mess of 404 errors, comment out the location entry. Missing this step results in a special level of redmine 404 hell.
passenger_enabled on; #turn on application container
client_max_body_size 10m; # Max attachement size allowed
#location / {No need to restart nginx just yet. The system is almost ready for redmine installation.
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files $uri $uri/ =404;
#}
Create the redmine account
Before doing too much with ruby, create a redmine service account. Note: Ideally the home directory is located where redmine is going to be installed - for production systems this should be on a separate partition.sudo adduser --system --shell /bin/bash --gecos 'Redmine Administrator' --group --disabled-password --home /data/redmine redmine; sudo usermod -a -G rvm redmineGive the account sudo privileges (temporarily).
sudo visudo
redmine ALL=(ALL) NOPASSWD:ALL
Welcome to dependency-o-rama
The ruby add-on dependencies next depends (ha ha get it?) on various ruby pieces needed to install ruby components. A minimal list will look something like this:sudo apt-get install -y build-essential imagemagick libmagickwand-dev
Redmine, remember this was the main point of the article?
Whew. Like a hero that doesn't show up until the third reel of a movie, redmine is finally on the scene. Yes, this is just like Batman vs Superman. There is a lot of build up to the main event, and when you get there it is anticlimactic.Install the latest redmine
Switch to the redmine user and pull down the latest stable release.sudo su - redmine # should result in being in the redmine installation directory
wget http://www.redmine.org/releases/redmine-3.4.4.tar.gz
tar xvfz redmine-3.4.4.tar.gz
ln -s redmine-3.4.4 redmine
rm redmine-3.4.4.tar.gz
Configure the mysql connection
Update the production entry with the account connection information.cd redmine
cp -pR config/database.yml.example config/database.yml
vim config/database.yml
Adding gems - truly outrageous!
Configure the gems - and avoid doing this as root. As with everything in redmine administration, this should be as that fancy redmine service account:gem install bundlerIf versions and such match these instructions, the bundle install should go clean:
bundle install --without development test
Bundle complete! 31 Gemfile dependencies, 55 gems now installed.If versions are different or new features are needed, some iteration may be needed to build and install the gems. This seems to be a "normal" task for ruby administrators. Apply google-fu and iterate.
Gems in the groups development and test were not installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
Rake magic
Next run the magic rake commands. All magic comes in three.bundle exec rake generate_secret_tokenNow everything should be ready to start. This is done by restarting nginx. Monitor the following logs to ensure things start clean:
RAILS_ENV=production bundle exec rake db:migrate
RAILS_ENV=production bundle exec rake redmine:load_default_data
tail -f /var/log/nginx/error.log
tail -f /data/redmine/redmine/log/production.log
Clean up
Congratulations, the redmine site should now be up and available.Remove sudo privileges from the redmine account. Move the site to HTTPS, ideally using the excellent Let's Encrypt service. These instructions can be found here..
Links of interest
General Redmine installationAlways a good place to review the latest information on generic Redmine installations.
https://www.redmine.org/projects/redmine/wiki/RedmineInstall
Using Google Authentication
If using Google Apps or Google Auth is of interest with Redmine, a longstanding plugin has been brought back to life with a patch.
The plugin can be found here:
https://github.com/twinslash/redmine_omniauth_google
But in modern ruby and google land, a patch will be needed. The plugin will install just fine, but it will not save any configuration information, nor will it put the google button on the login page without the patch below.
https://github.com/twinslash/redmine_omniauth_google/pull/42
Though out of date, this article has some pointers on setting up the google side:
https://adminsdiary.wordpress.com/common-installations/redmine-installation-with-google-authentication/
Installing RVM
https://github.com/rvm/ubuntu_rvm
Instead of MySQL, consider Aurora
For some of my more recent Redmine installations, I've been using Amazon Aurora. It is cheaper than MySQL on AWS, compatible with MySQL 5.6, backups are taken care of, and even has regional failover built in. Much better than researching AppArmor patches because you want to simply move a data directory.
Setting up redmine is the same as above, but instead of doing MySQL, connect to an AWS Aurora instance. (You will still need the MySQL client - libmysqlclient-dev):
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connecting.html