Difference between revisions of "RT server configuration"

From K5Wiki

Latest revision as of 12:13, 13 April 2022

This page contains notes on the setup of the MIT krb5 RT server. The current server is krbdev.mit.edu (canonical name kerborg-prod-app-1.mit.edu), which runs Ubuntu 20.04.

Packages

In Ubuntu 20.04, the request-tracker4 package contains a suitable version of RT. This package will ask some questions at installation time:

  • RT site name: krbdev.mit.edu
  • handle RT_SiteConfig.pm permissions: yes
  • use dbconfig-common: no

The data in RT is stored in a PostgreSQL database. The postgresql Ubuntu package will install the recommended version of PostgreSQL for the current Ubuntu version.

The mail interface to RT is handled by Postfix, so the postfix package is required. The libsendmail-pmilter-perl package is required for the custom milter script.

The web front end to RT is an Apache2 web server, so the apache2 package is required. RT uses a FastCGI server, so the libapache2-mod-fcgid package is required.

The server host acts as an authoritative name server for the kerberos.org zone, so the bind9 package must be installed.

The server hosts the authoritative git repository, so the git package must be installed.

In sum, the following packages must be installed on the RT server:

 apache2
 bind9
 git
 libapache2-mod-fcgid
 libsendmail-pmilter-perl
 perl
 perl-base
 postfix
 postgresql
 request-tracker4

User accounts

The postgresql package will create a postgres user account.

The following user accounts and group entries must be created manually:

  • group rt
  • user rtcvs: primary group rt, homedir /var/rt2, shell /bin/sh
  • user rt: primary group rt, homedir /var/rt2, shell /bin/false

These accounts could be created with:

 groupadd -r rt
 useradd -r -g rt -d /var/rt2 rtcvs
 useradd -r -m -g rt -d /var/rt2 -s /bin/false rt

Some of the above accounts may be created by ops during provisioning. /var/rt2 and /var/rt2/.ssh must be owned by rtcvs or sshd will reject logins as rtcvs.

For the authoritative repository, create a group named "krbwrite" and an account for each committer, with a root-owned home directory and git-shell configuration:

   groupadd krbwrite
   # Repeat the following commands for each committer.
   useradd -u 3622 -s /usr/bin/git-shell -G krbwrite ghudson
   mkdir /home/ghudson
   mkdir /home/ghudson/git-shell-commands
   ln -s /git/krb5.git/hooks/krb5-rt-id /home/ghudson/git-shell-commands

Create /var/rt2/bin and copy in the following scripts from the krbdev-services repository:

 rt-scripts/rt-reserve-ticket
 rt-scripts/rtmilter.pl
 rt-scripts/krb5-daily.sh
 rt-cvs/rt-cvsgate

The scripts and directory should be mode 755 and owned by user rt and group rt.

/var/rt2 should contain an empty .k5login file, managed by ops. It should contain a .ssh/authorized_keys file, managed by ops, containing the krbsnap key from hooks/krbsnap_rsa_key.pub in the authoritative repository.
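
Added here as a check of the layout described above (example code, not from the wiki page or the krbdev-services repository): it assumes GNU stat as shipped on Ubuntu and takes the expected owners as arguments, so it can be run as root against /var/rt2 with "sh rt2-audit.sh /var/rt2".

```shell
#!/bin/sh
# Added example, not from the K5Wiki page: audit the /var/rt2 layout
# described above. sshd rejects logins as rtcvs unless the home directory
# and .ssh are owned by rtcvs (and, under StrictModes, are not group- or
# world-writable); bin/ and its four scripts must be mode 755, owned by
# rt:rt; .k5login must exist and be empty. Requires GNU stat (Ubuntu).
#
# Usage: check_rt2_layout BASE SSHUSER SCRIPTOWNER SCRIPTGROUP
# Prints each problem found; returns 1 if any was found, otherwise 0.
check_rt2_layout() {
    rt2_base=$1 rt2_sshuser=$2 rt2_owner=$3 rt2_group=$4
    rt2_rc=0

    # Home directory and .ssh: owned by the ssh login user, not writable by others.
    for rt2_d in "$rt2_base" "$rt2_base/.ssh"; do
        if [ ! -d "$rt2_d" ]; then
            echo "missing directory $rt2_d"; rt2_rc=1; continue
        fi
        [ "$(stat -c %U "$rt2_d")" = "$rt2_sshuser" ] ||
            { echo "$rt2_d is not owned by $rt2_sshuser"; rt2_rc=1; }
        case $(stat -c %a "$rt2_d") in
            *[2367]?|*[2367]) echo "$rt2_d is group- or world-writable"; rt2_rc=1 ;;
        esac
    done

    # authorized_keys (krbsnap key, managed by ops) must exist and must not
    # be writable by others, or sshd ignores it.
    rt2_ak=$rt2_base/.ssh/authorized_keys
    if [ ! -f "$rt2_ak" ]; then
        echo "missing $rt2_ak"; rt2_rc=1
    else
        case $(stat -c %a "$rt2_ak") in
            *[2367]?|*[2367]) echo "$rt2_ak is group- or world-writable"; rt2_rc=1 ;;
        esac
    fi

    # .k5login (managed by ops) must exist and be empty.
    if [ ! -f "$rt2_base/.k5login" ]; then
        echo "missing $rt2_base/.k5login"; rt2_rc=1
    elif [ -s "$rt2_base/.k5login" ]; then
        echo "$rt2_base/.k5login is not empty"; rt2_rc=1
    fi

    # bin/ and the four scripts copied from krbdev-services: owner:group, mode 755.
    for rt2_f in bin bin/rt-reserve-ticket bin/rtmilter.pl bin/krb5-daily.sh bin/rt-cvsgate; do
        rt2_p=$rt2_base/$rt2_f
        if [ ! -e "$rt2_p" ]; then
            echo "missing $rt2_p"; rt2_rc=1; continue
        fi
        [ "$(stat -c '%U:%G %a' "$rt2_p")" = "$rt2_owner:$rt2_group 755" ] ||
            { echo "$rt2_p is not $rt2_owner:$rt2_group mode 755"; rt2_rc=1; }
    done
    return $rt2_rc
}

# Run against a live tree when given a directory, e.g. "sh rt2-audit.sh /var/rt2".
if [ $# -gt 0 ]; then
    check_rt2_layout "$1" rtcvs rt rt && echo "$1: layout OK"
fi
```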

Create /var/psqlbackups (owned by root).

The rt user account is not actually needed for the current RT installation, and the homedir name /var/rt2 is outdated. The following references need to be taken into account when changing the user and group configuration:

  • Both the rt and rtcvs accounts have the homedir /var/rt2.
  • krb5-daily.sh references the krbsnap.keytab file and dumps directory in /var/rt2.
  • A root cron job runs krb5-daily.sh from /var/rt2.
  • A root cron job runs rtmilter on boot from /var/rt2.
  • The empty /var/rt2/.k5login file is managed by ops.
  • The /var/rt2/.ssh/authorized_keys file is managed by ops.
  • The authoritative krb5 git repository rt-ssh-cmd config value references the rtcvs user and /var/rt2/bin/rt-cvsgate.
  • The authoritative krb5 git repository hooks/krb5-rt-id script references the rtcvs user and /var/rt2/bin/rt-reserve-ticket. This script comes from the krbdev-services repository's githooks/krb5-rt-id.
  • Some of the same references are present in the krbdev-services repository, but they aren't used.

RT setup

Install the RT_SiteConfig.pm file from the krbdev-services repository in /etc/request-tracker4.

In root's crontab file ("crontab -e" as root), add the following to perform daily maintenance:

 MAILTO=krbcore-hw@mit.edu
 0 3 * * * /usr/sbin/rt-clean-sessions
 0 4 * * * /var/rt2/bin/krb5-daily.sh

PostgreSQL configuration

Many PostgreSQL files live in directories specific to the PostgreSQL major and minor version, such as /etc/postgresql/8.3 for PostgreSQL 8.3.

The Ubuntu postgresql package will create a "main" cluster with a configuration directory in /etc/postgresql/<version>/main.

In /etc/postgresql/<version>/main/pg_ident.conf, add:

 local		root		root
 local		root		postgres
 local		root		rt_user
 local		rt		rt_user
 local		rtcvs		rt_user
 local		postfix		rt_user
 local		nobody		rt_user
 local		www-data	rt_user

(The entry for "rt" should no longer be needed, but is currently still present.)

In /etc/postgresql/<version>/main/pg_hba.conf, find the line that reads "local all all peer" and add "map=local" to the end, so it reads "local all all peer map=local". Comment out the line that reads "local all postgres peer", despite the warning not to disable it. Run "service postgresql restart" to reread the affected files. Run "psql -Upostgres --list" to verify that the identity map works.

Run "createuser -Upostgres rt_user" to create the rt_user role.

Run "/usr/sbin/rt-setup-database --action create" to create the database, then restore it from a backup with "zcat /path/to/dump.gz | psql -d rt4 -Upostgres".

Postfix configuration

By default ops manages Postfix with Puppet. This must be disabled by ops, and the Debian defaults restored by copying /usr/share/postfix/main.cf.debian to /etc/postfix/main.cf and /usr/share/postfix/master.cf.dist to /etc/postfix/master.cf.

At the end of /etc/postfix/main.cf add:

 myhostname = krbdev.mit.edu
 mydestination = krbdev.mit.edu, kerborg-prod-app-1.mit.edu, localhost.mit.edu, localhost
 
 # Suppress some headers to avoid leaking internal addresses to spammers.
 prepend_delivered_header =
 enable_original_recipient = no
 
 # RT header milter
 smtpd_milters = unix:private/milter

Copy /etc/aliases from the old server. To avoid aiding spammers, its contents are not reproduced here. In particular, /etc/aliases contains an internal address corresponding to the membership of the krb5-bugs-incoming mailman list; revealing this address could allow spammers to bypass moderation of incoming bug reports.

In root's crontab file ("crontab -e" as root):

 @reboot /var/rt2/bin/rtmilter.pl /var/spool/postfix/private/milter

Run the command by hand (backgrounded) to start the milter process before the next reboot.

Run "newaliases" and "postfix reload" to pick up the changed configuration.

Make sure rt@kerborg-prod-app-1.mit.edu and rt-comment@kerborg-prod-app-1.mit.edu are authorized as non-member senders at https://mailman.mit.edu:444/mailman/admin/krb5-bugs/privacy/sender.

Apache httpd configuration

Create /etc/apache2/ssl.crt and /etc/apache2/ssl.key.

Copy /etc/apache2/ssl.key/server.key and /etc/apache2/ssl.crt/server.crt from the old server, or follow the instructions at http://kb.mit.edu/confluence/display/istcontrib/Obtaining+an+SSL+certificate+for+a+web+server to obtain a new one. server.key and server.crt may be symlinks using whatever scheme seems convenient for renewing certificates every few years.

Install /etc/apache2/ssl.crt/chain.crt from /mit/apache-ssl/certificates/InCommon-chain.crt.txt (requires tokens). Cutting and pasting is effective for transferring certificates as they are represented as short text files.

Install /etc/apache2/ssl.crt/clientCA.crt from /mit/apache-ssl/certificates/mitCAclient.pem (requires tokens).

Install the rt.conf file from the krbdev-services repository as /etc/apache2/sites-available/rt.conf.

Edit /etc/apache2/mods-available/proxy.conf and set:

 ProxyVia On
 ProxyPass /buildbot/ws ws://krbdev-buildbot.mit.edu:8010/ws
 ProxyPassReverse /buildbot/ws ws://krbdev-buildbot.mit.edu:8010/ws
 ProxyPass /buildbot/ http://krbdev-buildbot.mit.edu:8010/
 ProxyPassReverse /buildbot/ http://krbdev-buildbot.mit.edu:8010/
 <Proxy http://krbdev-buildbot.mit.edu:8010/*>
         Allow from all
 </Proxy>
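
Added example, not from the wiki page: a small lint for mod_proxy stanzas that flags ProxyPass and ProxyPassReverse lines whose paths or backend targets do not pair up, run here over a constructed copy of the buildbot stanza above with a deliberate typo in one ProxyPassReverse path. An unpaired ProxyPassReverse leaves backend redirects and cookies pointing at the internal host.

```shell
#!/bin/sh
# Added example, not from the K5Wiki page: lint a mod_proxy configuration
# fragment for ProxyPass / ProxyPassReverse lines whose URL paths or
# targets do not match. Reads the configuration on stdin, prints each
# mismatch, and exits 1 if any was found.
check_proxy_pairs() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        $1 == "ProxyPass"        { pass[$2] = $3 }      # path -> backend
        $1 == "ProxyPassReverse" { rev[$2]  = $3 }
        END {
            bad = 0
            for (p in pass) {
                if (!(p in rev)) {
                    printf "ProxyPass %s has no ProxyPassReverse for the same path\n", p
                    bad = 1
                } else if (pass[p] != rev[p]) {
                    printf "ProxyPass %s -> %s but ProxyPassReverse -> %s\n", p, pass[p], rev[p]
                    bad = 1
                }
            }
            for (p in rev) {
                if (!(p in pass)) {
                    printf "ProxyPassReverse %s has no matching ProxyPass\n", p
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: the buildbot stanza from this page, with a typo
# ("/buildbos/ws") in the path of the first ProxyPassReverse.
sample_proxy_conf() {
    cat <<'EOF'
ProxyVia On
ProxyPass /buildbot/ws ws://krbdev-buildbot.mit.edu:8010/ws
ProxyPassReverse /buildbos/ws ws://krbdev-buildbot.mit.edu:8010/ws
ProxyPass /buildbot/ http://krbdev-buildbot.mit.edu:8010/
ProxyPassReverse /buildbot/ http://krbdev-buildbot.mit.edu:8010/
<Proxy http://krbdev-buildbot.mit.edu:8010/*>
        Allow from all
</Proxy>
EOF
}

if sample_proxy_conf | check_proxy_pairs; then
    echo "proxy stanza is consistent"
else
    echo "fix the stanza before a2ensite / service apache2 restart"
fi
```

Run it over the live file with "check_proxy_pairs < /etc/apache2/mods-available/proxy.conf" before restarting Apache.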

Edit /etc/apache2/ports.conf and add "Listen 444" in the ssl_module section after "Listen 443".

Clean out /var/www and install index.html and robots.txt from the krbdev-www directory of the krbdev-services repository.

Run:

 a2enmod ssl
 a2enmod userdir
 a2enmod rewrite
 a2enmod proxy_http
 a2enmod proxy_wstunnel
 a2dissite 000-default
 a2ensite rt
 service apache2 restart

Testing

Get a certificate for the new VM's real hostname and temporarily point /etc/apache2/ssl.crt/server.crt at it.

In /etc/request-tracker4/RT_SiteConfig.pm, temporarily set @ReferrerWhitelist to use the real hostname instead of krbdev.mit.edu.

Temporarily set emergency moderation on the krb5-bugs mailing list (at https://mailman.mit.edu:444/mailman/admin/krb5-bugs/general) to ensure that mail sent to that list as the result of testing is caught in the moderation queue.

Verify that RT displays at https://realhostname/rt and tickets can be accessed. Verify that https://realhostname:444/ works and that a new ticket can be created. Respond to the ticket via email and verify that the response is stored in the ticket.

As root, run /var/rt2/bin/krb5-daily.sh and verify that a dump file appears in /var/psqlbackups.

As rtcvs ("su -s /bin/bash - rtcvs"), run /var/rt2/bin/rt-reserve-ticket and verify that a ticket number is printed.

To test rt-cvsgate, create a test message in /tmp/testmsg like so:

 ticket: new
 id: NNNN (use the ticket number printed by rt-reserve-ticket above)
 subject: rt-cvsgate test
 tags: pullup
 
 test commit message

As rtcvs, run "/var/rt2/bin/rt-cvsgate username < /tmp/testmsg", where username is an authorized user.

Undo the temporary changes and restore the database from a dump file.

BIND configuration

The bind9 configuration files can be found in krbdev-services under bind. They should be installed under /etc/bind. "rndc reload" will restart the running named with the changed configuration. If it is necessary to edit any of the zone files, be sure to update the serial number in the SOA record to the current date followed by "00" (or "01" etc. for successive edits in the same day).
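
An added helper for the serial convention just described (example code, not from the wiki page or krbdev-services): it computes the next YYYYMMDDNN serial from the current one and refuses anything that would move the serial backwards; the zone name and the 127.0.0.1 default in zone_serial_served are assumptions.

```shell
#!/bin/sh
# Added example, not from the K5Wiki page: compute the next SOA serial
# under the convention described above (YYYYMMDD followed by a two-digit
# edit counter, "00" for the first edit of the day). A serial that is not
# in that form, or that is already ahead of today, is rejected so an edit
# cannot silently leave the serial lower than what secondaries have seen.
#
# Usage: next_soa_serial CURRENT_SERIAL [TODAY]   (TODAY as YYYYMMDD)
next_soa_serial() {
    soa_old=$1
    soa_today=${2:-$(date +%Y%m%d)}
    case $soa_old in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "serial '$soa_old' is not of the form YYYYMMDDNN" >&2; return 1 ;;
    esac
    case $soa_today in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "date '$soa_today' is not of the form YYYYMMDD" >&2; return 1 ;;
    esac
    soa_date=${soa_old%??}          # first eight digits: the date part
    soa_seq=${soa_old#????????}     # last two digits: the edit counter
    if [ "$soa_date" -lt "$soa_today" ]; then
        echo "${soa_today}00"
    elif [ "$soa_date" -eq "$soa_today" ]; then
        if [ "$soa_seq" = 99 ]; then
            echo "serial $soa_old: no room for another edit today" >&2
            return 1
        fi
        # strip a leading zero so "08" and "09" are not read as octal
        printf '%s%02d\n' "$soa_today" $(( ${soa_seq#0} + 1 ))
    else
        echo "serial $soa_old is ahead of today ($soa_today); check the clock" >&2
        return 1
    fi
}

# After "rndc reload", confirm the running named serves the new serial.
# Assumed usage: zone_serial_served kerberos.org [server]; needs dig.
zone_serial_served() {
    dig +short SOA "$1" "@${2:-127.0.0.1}" | awk '{ print $3 }'
}
```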

If the IP address of kerberos.org needs to be changed, the glue record at hover.com must be updated. In the current Hover UI, glue records can be found under "advanced". The transfer lock on the domain must be temporarily disabled (via the Overview screen) to update glue records.

Git repository

The authoritative krb5 git repository lives in /git/krb5.git. If this repository needs to be reconstructed from another mirror of the repository, install the hooks from the githooks directory of krbdev-services, add the krbsnap private and public SSH key to the hooks directory, and run the git configuration commands from gitconvert/krb5-convert.sh in krbdev-services.

The authoritative krbdev-services repository lives in /git/krbdev-services.git.