14 January 2018

Redmine, Passenger, and Nginx on Ubuntu 16.04

Redmine with Passenger and Nginx on Ubuntu 16.04

Just in time for Ubuntu 18, here are Ubuntu 16 instructions for getting Redmine up and running. Though better than on Ubuntu 14, this is still a maze of twisty little passages, all alike. 

Here are flexible instructions to get an up to date, robust, secure installation going.
  • Ubuntu 16.04 LTS - a mature Ubuntu version with long term support 
  • MySQL - the database 
  • Ruby - the technology on which Redmine runs, installed using RVM to manage the ruby version and have access to up to date components 
  • Phusion Passenger- the application server in which to run Redmine 
  • Nginx - the web server within which Redmine runs   


MySQL Configuration

Install MySQL. For this step, relying on the Ubuntu packages is fine.
sudo apt-get install -y mysql-server libmysqlclient-dev
 Connect to the mysql service (mysql -p) and create the database and provide access to the redmine user:
mysql -p -u root
CREATE USER 'redmine'@'localhost' IDENTIFIED BY 'yourpassword';
GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost';
If this is just a test system, move onto the Ruby Installation section. 

For production systems, a separate data disk should be used rather that storing data on the same partition as the root system. Stop the service and then migrate the data directory.
 service mysql stop
Modify the data directory configuration in MySQL:
sudo vim /etc/mysql/mysql.conf.d/mysqld.cnf
#datadir = /var/lib/mysql #old location
datadir = /data/mysql # new location
On install, MySQL 5.7 automatically initiates the data directory. So this must be moved to the new location.
sudo mkdir /data
sudo mv /var/lib/mysql/ /data/mysql/
Update AppArmor, otherwise the mysql process won't start. The MySQL 5.7 and Ubuntu combination have an AppArmor bug that shows when moving the data directory. The error will show in syslog like this:
Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012262] audit: type=1400 audit(1515780192.392:116): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/8834/status" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012897] audit: type=1400 audit(1515780192.396:117): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
To really geek out, this bug has one of the more sad but funny threads I've read in a long time. They eventually get to the right conclusion and open two bugs, but getting there is a journey. We will patch it ourselves, because the bugs haven't been actually fixed in the Ubuntu release.

To update AppArmor:
sudo vim /etc/apparmor.d/usr.sbin.mysqld
In the "Allow system resource access" section add the following to fix the bug(s): 
/sys/devices/system/node/ r,
/sys/devices/system/node/** r,
/proc/** r,
And under the "Allow data dir access" section change the entries from /var/lib/mysql/ to the new directory, /data/mysql/.
# Allow data dir access
#  /var/lib/mysql/ r,
#  /var/lib/mysql/** rwk,
/data/mysql/ r,
/data/mysql/** rwk,
Reload AppArmor:
sudo systemctl reload apparmor
Restart mysql:
 service mysql start
The system should start without error if everything has been done correctly. Run the following command to ensure everything looks okay:
mysql -p -u redmine

Ruby Installation

Many methods exist to install Ruby. Unfortunately, the most convenient using apt-get will leave the system many versions behind, which means many plugins for redmine, and parts of redmine itself, will be unsupported. RVM is a tried and true method to provide clean management of ruby versions. 

For whatever reason, these steps must be run as root:
sudo su - #get into root
apt-add-repository -y ppa:rael-gc/rvm
apt-get update
apt-get install rvm
Once done, logout and log back in as root.
sudo su - #log out and log back in
command curl -sSL https://rvm.io/mpapis.asc | gpg --import -
rvmsudo rvm get stable
rvm requirements
rvm install 2.5.0
rvm use 2.5.0 --default
Test that the install looks okay. 
ruby -v
ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-linux] 
  Note: once setup, each user of rvm needs to be added to the rvm group. 
sudo usermod -a -G rvm username

Phusion Passenger Installation

Again, many options exist for application containers. Phusion has a Passenger-Nginx combo that is straight-forward to install and configure. It does not need to be done as root.

Details of this installation can be found on the Phusion site.
sudo apt-get install -y dirmngr gnupg
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7
sudo apt-get install -y apt-transport-https ca-certificates
sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger xenial main > /etc/apt/sources.list.d/passenger.list'
sudo apt-get update
sudo apt-get install -y nginx-extras passenger

Nginx Configuration 

Passenger configuration with nginx has simplified since previous versions. 

Enable passenger in the nginx:
sudo vim /etc/nginx/nginx.conf
Uncomment the following line:
include /etc/nginx/passenger.conf;
 Restart nginx:
sudo service nginx restart
 Confirm everything looks correct
sudo /usr/bin/passenger-config validate-install
sudo /usr/sbin/passenger-memory-stats
The result will be something like this:
Also, confirm the correct location of the correct ruby.
which passenger-config 
/usr/bin/passenger-config #use this result to perform the next command
/usr/bin/passenger-config --ruby-command
The result will be something like this:
Build out the site - assuming http for now. More configuration will be needed to SSL-ize the system and lock it down. But for now, this will get things correct and running
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.orig
sudo vim /etc/nginx/sites-available/default
Update the root location and add passenger configuration. The assumption is your redmine root location is also on the /data partition. This directory will be created when we add the redmine account.
root /data/redmine/redmine/public/; #installation location
passenger_enabled on; #turn on application container
client_max_body_size 10m; # Max attachement size allowed
Then to prevent a mess of 404 errors, comment out the location entry. Missing this step results in a special level of redmine 404 hell.
#location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    #try_files $uri $uri/ =404;
No need to restart nginx just yet. The system is almost ready for redmine installation.


Create the redmine account

Before doing too much with ruby, create a redmine service account. Note: Ideally the home directory is located where redmine is going to be installed - for production systems this should be on a separate partition. 
sudo adduser --system --shell /bin/bash --gecos 'Redmine Administrator' --group --disabled-password --home /data/redmine redmine; sudo usermod -a -G rvm redmine 
 Give the account sudo privileges (temporarily).
sudo visudo 
redmine    ALL=(ALL)      NOPASSWD:ALL

Welcome to dependency-o-rama 

The ruby add-on dependencies next depends (ha ha get it?) on various ruby pieces needed to install ruby components. A minimal list will look something like this: 
sudo apt-get install -y build-essential imagemagick libmagickwand-dev

Redmine, remember this was the main point of the article?

Whew. Like a hero that doesn't show up until the third reel of a movie, redmine is finally on the scene. Yes, this is just like Batman vs Superman. There is a lot of build up to the main event, and when you get there it is anticlimactic.

Install the latest redmine

Switch to the redmine user and pull down the latest stable release.
sudo su - redmine # should result in being in the redmine installation directory
wget http://www.redmine.org/releases/redmine-3.4.4.tar.gz
tar xvfz redmine-3.4.4.tar.gz
ln -s redmine-3.4.4 redmine
rm redmine-3.4.4.tar.gz

Configure the mysql connection 

Update the production entry with the account connection information.
cd redmine 
cp -pR config/database.yml.example config/database.yml
vim config/database.yml

Adding gems - truly outrageous!

Configure the gems - and avoid doing this as root. As with everything in redmine administration, this should be as that fancy redmine service account:
gem install bundler
bundle install --without development test
If versions and such match these instructions, the bundle install should go clean:
Bundle complete! 31 Gemfile dependencies, 55 gems now installed.
Gems in the groups development and test were not installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.

If versions are different or new features are needed, some iteration may be needed to build and install the gems. This seems to be a "normal" task for ruby administrators. Apply google-fu and iterate. 

Rake magic

Next run the magic rake commands. All magic comes in three. 
bundle exec rake generate_secret_token
RAILS_ENV=production bundle exec rake db:migrate
RAILS_ENV=production bundle exec rake redmine:load_default_data
Now everything should be ready to start. This is done by restarting nginx. Monitor the following logs to ensure things start clean: 
tail -f /var/log/nginx/error.log
tail -f  /data/redmine/redmine/log/production.log

Clean up

Congratulations, the redmine site should now be up and available. 

Remove sudo privileges from the redmine account. Move the site to HTTPS, ideally using the excellent Let's Encrypt service. These instructions can be found here.

Links of interest 

General Redmine installation 
Always a good place to review the latest information on generic Redmine installations.
Using Google Authentication
If using Google Apps or Google Auth is of interest with Redmine, a longstanding plugin has been brought back to life with a patch. 

The plugin can be found here:

But in modern ruby and google land, a patch will be needed. The plugin will install just fine, but it will not save any configuration information, nor will it put the google button on the login page without the patch below.

Though out of date, this article has some pointers on setting up the google side:

Installing RVM 

Instead of MySQL, consider Aurora 
For some of my more recent Redmine installations, I've been using Amazon Aurora. It is cheaper than MySQL on AWS, compatible with MySQL 5.6, backups are taken care of, and even has regional failover built in. Much better than researching AppArmor patches because you want to simply move a data directory. 

Setting up redmine is the same as above, but instead of doing MySQL, connect to an AWS Aurora instance. (You will still need the MySQL client - libmysqlclient-dev):