Difference between revisions of "RT server configuration"
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | This page contains notes on the setup of the MIT krb5 RT server. The current server is krbdev.mit.edu (canonical name |
+ | This page contains notes on the setup of the MIT krb5 RT server. The current server is krbdev.mit.edu (canonical name kerborg-prod-app-1.mit.edu), which runs Ubuntu 20.04. |
==Packages== |
==Packages== |
||
| − | Some of RT's Perl dependencies are too new for Ubuntu 16.04's package repository. Therefore we allow RT's build system to use CPAN to fetch dependencies. Before doing this it is necessary to configure CPAN once with: |
||
| + | In Ubuntu 20.04, the request-tracker4 package contains a suitable version of RT. This package will ask some questions at installation time: |
||
| − | perl -MCPAN -e shell |
||
| + | * RT site name: krbdev.mit.edu |
||
| − | |||
| + | * handle RT_SiteConfig.pm permissions: yes |
||
| − | and then exit out of the shell. |
||
| + | * use dbconfig-common: no |
||
The data in RT is stored in a PostgreSQL database. The postgresql Ubuntu package will install the recommended version of PostgreSQL for the current Ubuntu version. |
The data in RT is stored in a PostgreSQL database. The postgresql Ubuntu package will install the recommended version of PostgreSQL for the current Ubuntu version. |
||
| Line 13: | Line 13: | ||
The mail interface to RT is handled by Postfix, so the postfix package is required. The libsendmail-pmilter-perl package is required for the custom milter script. |
The mail interface to RT is handled by Postfix, so the postfix package is required. The libsendmail-pmilter-perl package is required for the custom milter script. |
||
| − | The web front end to RT is an Apache2 web server, so the apache2 package is required. RT uses a FastCGI server, so the libapache2-mod- |
+ | The web front end to RT is an Apache2 web server, so the apache2 package is required. RT uses a FastCGI server, so the libapache2-mod-fcgid package is required. |
In sum, the following packages must be installed on the RT server: |
In sum, the following packages must be installed on the RT server: |
||
apache2 |
apache2 |
||
| − | apache2-suexec-pristine |
||
| + | libapache2-mod-fcgid |
||
| − | + | libsendmail-pmilter-perl |
|
| − | libapache2-mod-fastcgi |
||
perl |
perl |
||
perl-base |
perl-base |
||
| Line 25: | Line 25: | ||
postfix |
postfix |
||
postgresql |
postgresql |
||
| + | request-tracker4 |
||
==User accounts== |
==User accounts== |
||
| Line 43: | Line 44: | ||
Some of the above accounts may be created by ops during provisioning. |
Some of the above accounts may be created by ops during provisioning. |
||
| + | |||
| + | Create /var/rt2/bin and copy in the following scripts from the krbdev-services repository: |
||
| + | |||
| + | rt-scripts/rt-reserve-ticket |
||
| + | rt-scripts/rtmilter.pl |
||
| + | rt-scripts/krb5-daily.sh |
||
| + | rt-cvs/rt-cvsgate |
||
| + | |||
| + | The scripts and directory should be mode 755 and owned by user rt and group rt. |
||
/var/rt2 should contain an empty .k5login file, managed by ops. It should contain a .ssh/authorized_keys file, managed by ops, containing the krbsnap key from /git/krb5.git/hooks/krbsnap_rsa_key.pub on drugstore.mit.edu. |
/var/rt2 should contain an empty .k5login file, managed by ops. It should contain a .ssh/authorized_keys file, managed by ops, containing the krbsnap key from /git/krb5.git/hooks/krbsnap_rsa_key.pub on drugstore.mit.edu. |
||
| − | The rt user account is not actually needed for the current RT installation (although the rt group is), and the homedir name /var/rt2 is outdated. The following references need to be taken into account when changing the user and group configuration: |
||
| + | Create /var/psqlbackups (owned by root). |
||
| + | |||
| + | The rt user account is not actually needed for the current RT installation, and the homedir name /var/rt2 is outdated. The following references need to be taken into account when changing the user and group configuration: |
||
* Both the rt and rtcvs accounts have the homedir /var/rt2. |
* Both the rt and rtcvs accounts have the homedir /var/rt2. |
||
| Line 53: | Line 65: | ||
* A root cron job runs rtmilter on boot from /var/rt2. |
* A root cron job runs rtmilter on boot from /var/rt2. |
||
* The empty /var/rt2/.k5login file is managed by ops. |
* The empty /var/rt2/.k5login file is managed by ops. |
||
| − | * The /var/rt2/ssh/authorized_keys file is managed by ops. |
+ | * The /var/rt2/.ssh/authorized_keys file is managed by ops. |
* On drugstore.mit.edu, the krb5 git repository rt-ssh-cmd config value references the rtcvs user and /var/rt2/bin/rt-cvsgate. |
* On drugstore.mit.edu, the krb5 git repository rt-ssh-cmd config value references the rtcvs user and /var/rt2/bin/rt-cvsgate. |
||
* On drugstore.mit.edu, the krb5 git repository hooks/krb5-rt-id script references the rtcvs user and /var/rt2/bin/rt-reserve-ticket. This script comes from the krbdev-services repository's githooks/krb5-rt-id. |
* On drugstore.mit.edu, the krb5 git repository hooks/krb5-rt-id script references the rtcvs user and /var/rt2/bin/rt-reserve-ticket. This script comes from the krbdev-services repository's githooks/krb5-rt-id. |
||
| Line 60: | Line 72: | ||
==RT setup== |
==RT setup== |
||
| − | Our installation of Request Tracker is an unmodified version 4.4.4. The source code is present in /usr/src and is configured as follows: |
||
| + | Install the RT_SiteConfig.pm file from the krbdev-services repository in /etc/request-tracker4. |
||
| − | |||
| − | ./configure --with-bin-owner=rt --with-libs-owner=rt --with-libs-group=rt \ |
||
| − | --with-db-type=Pg --with-db-host='' \ |
||
| − | --with-web-user=www-data --with-web-group=www-data |
||
| − | make fixdeps (hit return to accept defaults as necessary) |
||
| − | make testdeps |
||
| − | make install |
||
| − | |||
| − | Install the RT_SiteConfig.pm file from the krbdev-services repository in /opt/rt4/etc. |
||
| − | |||
| − | Several scripts come from the krbdev-services repository, in the rt-cvs and rt-scripts directories. All are installed in /var/rt2/bin. |
||
In root's crontab file ("crontab -e" as root), add the following to perform daily maintenance: |
In root's crontab file ("crontab -e" as root), add the following to perform daily maintenance: |
||
MAILTO=krbcore-hw@mit.edu |
MAILTO=krbcore-hw@mit.edu |
||
| − | 0 3 * * * / |
+ | 0 3 * * * /usr/sbin/rt-clean-sessions |
| − | 0 4 * * * / |
+ | 0 4 * * * /var/rt2/bin/krb5-daily.sh |
==PostgreSQL configuration== |
==PostgreSQL configuration== |
||
| Line 102: | Line 103: | ||
Run "createuser -Upostgres rt_user" to create the rt_user role. |
Run "createuser -Upostgres rt_user" to create the rt_user role. |
||
| − | Run "/ |
+ | Run "/usr/sbin/rt-setup-database --action create" to create the database, then restore it from a backup with "zcat /path/to/dump.gz | psql -d rt4 -Upostgres" |
==Postfix configuration== |
==Postfix configuration== |
||
| − | In /etc/postfix/main.cf: |
||
| + | By default ops manages Postfix with Puppet. This must be disabled by ops, and the Debian defaults restored by copying /usr/share/postfix/main.cf.debian to /etc/postfix/main.cf and /usr/share/postfix/master.cf.dist to /etc/postfix/master.cf. |
||
| − | * Set myhostname = krbdev.mit.edu |
||
| + | At the end of /etc/postfix/main.cf add: |
||
| − | * Set mydestination = krbdev.mit.edu, krbdev-prod-app-1.mit.edu, localhost.mit.edu, localhost |
||
| − | * Add the following to the end: |
||
| + | myhostname = krbdev.mit.edu |
||
| + | mydestination = krbdev.mit.edu, kerborg-prod-app-1.mit.edu, localhost.mit.edu, localhost |
||
| + | |||
# Suppress some headers to avoid leaking internal addresses to spammers. |
# Suppress some headers to avoid leaking internal addresses to spammers. |
||
prepend_delivered_header = |
prepend_delivered_header = |
||
| Line 152: | Line 154: | ||
Allow from all |
Allow from all |
||
</Proxy> |
</Proxy> |
||
| + | |||
| + | Edit /etc/apache2/ports.conf and add "Listen 444" in the ssl_module section after "Listen 443". |
||
Clean out /var/www and install index.html and robots.txt from the krbdev-www directory of the krbdev-services repository. |
Clean out /var/www and install index.html and robots.txt from the krbdev-www directory of the krbdev-services repository. |
||
| Line 165: | Line 169: | ||
a2ensite rt |
a2ensite rt |
||
service apache2 restart |
service apache2 restart |
||
| + | |||
| + | ==Testing== |
||
| + | |||
| + | Get a certificate for the new VM's real hostname and temporarily point /etc/apache2/ssl.crt/server.crt at it. |
||
| + | |||
| + | In /etc/request-tracker4/RT_SiteConfig.pm, temporarily set @ReferrerWhitelist to use the real hostname instead of krbdev.mit.edu. |
||
| + | |||
| + | Temporarily set emergency moderation on the krb5-bugs mailing list (at https://mailman.mit.edu:444/mailman/admin/krb5-bugs/general ) to ensure that mail sent to that list as the result of testing is caught in the moderation queue. |
||
| + | |||
| + | Verify that RT displays at https://realhostname/rt and tickets can be accessed. Verify that https://realhostname:444/ works and that a new ticket can be created. Respond to the ticket via email and verify that the response is stored in the ticket. |
||
| + | |||
| + | As root, run /var/rt2/bin/krb5-daily.sh and verify that a dump file appears in /var/psqlbackups. |
||
| + | |||
| + | As rtcvs ("su -s /bin/bash - rtcvs"), run /var/rt2/bin/rt-reserve-ticket and verify that a ticket number is printed. |
||
| + | |||
| + | To test rt-cvsgate, create a test message in /tmp/testmsg like so: |
||
| + | |||
| + | id: NNNN (use the ticket number printed by rt-reserve-ticket above) |
||
| + | ticket: new |
||
| + | subject: rt-cvsgate test |
||
| + | tags: pullup |
||
| + | |||
| + | test commit message |
||
| + | |||
| + | As rt-cvsgate, run "/var/rt2/bin/rt-cvsgate ''username'' < /tmp/testmsg", where ''username'' is an authorized user. |
||
| + | |||
| + | Undo the temporary changes and restore the database from a dump file. |
||
Revision as of 20:00, 6 May 2021
This page contains notes on the setup of the MIT krb5 RT server. The current server is krbdev.mit.edu (canonical name kerborg-prod-app-1.mit.edu), which runs Ubuntu 20.04.
Contents
Packages
In Ubuntu 20.04, the request-tracker4 package contains a suitable version of RT. This package will ask some questions at installation time:
- RT site name: krbdev.mit.edu
- handle RT_SiteConfig.pm permissions: yes
- use dbconfig-common: no
The data in RT is stored in a PostgreSQL database. The postgresql Ubuntu package will install the recommended version of PostgreSQL for the current Ubuntu version.
The mail interface to RT is handled by Postfix, so the postfix package is required. The libsendmail-pmilter-perl package is required for the custom milter script.
The web front end to RT is an Apache2 web server, so the apache2 package is required. RT uses a FastCGI server, so the libapache2-mod-fcgid package is required.
In sum, the following packages must be installed on the RT server:
apache2 libapache2-mod-fcgid libsendmail-pmilter-perl perl perl-base perl-modules postfix postgresql request-tracker4
User accounts
The postgresql package will create a postgres user account.
The following user accounts and group entries must be created manually:
- group rt
- user rt: primary group rt, homedir /var/rt2, shell /bin/false
- user rtcvs: primary group rt, homedir /var/rt2, shell /bin/sh
These accounts could be created with:
groupadd -r rt useradd -r -m -g rt -d /var/rt2 -s /bin/false rt useradd -r -g rt -d /var/rt2 rtcvs
Some of the above accounts may be created by ops during provisioning.
Create /var/rt2/bin and copy in the following scripts from the krbdev-services repository:
rt-scripts/rt-reserve-ticket rt-scripts/rtmilter.pl rt-scripts/krb5-daily.sh rt-cvs/rt-cvsgate
The scripts and directory should be mode 755 and owned by user rt and group rt.
/var/rt2 should contain an empty .k5login file, managed by ops. It should contain a .ssh/authorized_keys file, managed by ops, containing the krbsnap key from /git/krb5.git/hooks/krbsnap_rsa_key.pub on drugstore.mit.edu.
Create /var/psqlbackups (owned by root).
The rt user account is not actually needed for the current RT installation, and the homedir name /var/rt2 is outdated. The following references need to be taken into account when changing the user and group configuration:
- Both the rt and rtcvs accounts have the homedir /var/rt2.
- krb5-daily.sh references the krbsnap.keytab file and dumps directory in /var/rt2.
- A root cron job runs krb5-daily.sh from /var/rt2.
- A root cron job runs rtmilter on boot from /var/rt2.
- The empty /var/rt2/.k5login file is managed by ops.
- The /var/rt2/.ssh/authorized_keys file is managed by ops.
- On drugstore.mit.edu, the krb5 git repository rt-ssh-cmd config value references the rtcvs user and /var/rt2/bin/rt-cvsgate.
- On drugstore.mit.edu, the krb5 git repository hooks/krb5-rt-id script references the rtcvs user and /var/rt2/bin/rt-reserve-ticket. This script comes from the krbdev-services repository's githooks/krb5-rt-id.
- Some of the same references are present in the krbdev-services repository, but they aren't used.
RT setup
Install the RT_SiteConfig.pm file from the krbdev-services repository in /etc/request-tracker4.
In root's crontab file ("crontab -e" as root), add the following to perform daily maintenance:
MAILTO=krbcore-hw@mit.edu 0 3 * * * /usr/sbin/rt-clean-sessions 0 4 * * * /var/rt2/bin/krb5-daily.sh
PostgreSQL configuration
Many PostgreSQL files live in directories specific to the PostgreSQL major and minor version, such as /etc/postgresql/8.3 for PostgreSQL 8.3.
The Ubuntu postgresql package will create a "main" cluster with a configuration directory in /etc/postgresql/<version>/main.
In /etc/postgresql/<version>/main/pg_ident.conf, add:
local root root local root postgres local root rt_user local rt rt_user local rtcvs rt_user local postfix rt_user local nobody rt_user local www-data rt_user
(The entry for "rt" should no longer be needed, but is currently still present.)
In /etc/postgresql/<version>/main/pg_hba.conf, find the line that reads "local all all peer" and add "map=local" to the end, so it reads "local all all peer map=local". Comment out the line that reads "local all postgres peer", despite the warning not to disable it. Run "service postgresql restart" to reread the affected files. Run "psql -Upostgres --list" to verify that the identity map works.
Run "createuser -Upostgres rt_user" to create the rt_user role.
Run "/usr/sbin/rt-setup-database --action create" to create the database, then restore it from a backup with "zcat /path/to/dump.gz | psql -d rt4 -Upostgres"
Postfix configuration
By default ops manages Postfix with Puppet. This must be disabled by ops, and the Debian defaults restored by copying /usr/share/postfix/main.cf.debian to /etc/postfix/main.cf and /usr/share/postfix/master.cf.dist to /etc/postfix/master.cf.
At the end of /etc/postfix/main.cf add:
myhostname = krbdev.mit.edu mydestination = krbdev.mit.edu, kerborg-prod-app-1.mit.edu, localhost.mit.edu, localhost # Suppress some headers to avoid leaking internal addresses to spammers. prepend_delivered_header = enable_original_recipient = no # RT header milter smtpd_milters = unix:private/milter
Copy /etc/aliases from the old server. To avoid aiding spammers, its contents are not reproduced here. In particular, /etc/aliases contains an internal address corresponding to the membership of the krb5-bugs-incoming mailman list; revealing this address could allow spammers to bypass moderation of incoming bug reports.
In root's crontab file ("crontab -e" as root):
@reboot /var/rt2/bin/rtmilter.pl /var/spool/postfix/private/milter
Run the command by hand (backgrounded) to start the milter process before the next reboot.
Run "newaliases" and "postfix reload" to pick up the changed configuration.
Apache httpd configuration
Create /etc/apache2/ssl.crt and /etc/apache2/ssl.key.
Copy /etc/apache2/ssl.key/server.key and /etc/apache2/ssl.crt/server.crt from the old server, or follow the instructions at http://kb.mit.edu/confluence/display/istcontrib/Obtaining+an+SSL+certificate+for+a+web+server to obtain a new one. server.key and server.crt may be symlinks using whatever scheme seems convenient for renewing certificates every few years.
Install /etc/apache2/ssl.crt/chain.crt from /mit/apache-ssl/certificates/InCommon-chain.crt.txt (requires tokens). Cutting and pasting is effective for transferring certificates as they are represented as short text files.
Install /etc/apache2/ssl.crt/clientCA.crt from /mit/apache-ssl/certificates/mitCAclient.pem (requires tokens).
Install the rt.conf file from the krbdev-services repository as /etc/apache2/sites-available/rt.conf .
Edit /etc/apache2/mods-available/proxy.conf and set:
ProxyVia On
ProxyPass /buildbot/ws ws://krbdev-buildbot.mit.edu:8010/ws ProxyPassReverse /buildbos/ws ws://krbdev-buildbot.mit.edu:8010/ws ProxyPass /buildbot/ http://krbdev-buildbot.mit.edu:8010/ ProxyPassReverse /buildbot/ http://krbdev-buildbot.mit.edu:8010/ <Proxy http://krbdev-buildbot.mit.edu:8010/*> Allow from all </Proxy>
Edit /etc/apache2/ports.conf and add "Listen 444" in the ssl_module section after "Listen 443".
Clean out /var/www and install index.html and robots.txt from the krbdev-www directory of the krbdev-services repository.
Run:
a2enmod ssl a2enmod userdir a2enmod rewrite a2enmod proxy_http a2enmod proxy_wstunnel a2dissite 000-default a2ensite rt service apache2 restart
Testing
Get a certificate for the new VM's real hostname and temporarily point /etc/apache2/ssl.crt/server.crt at it.
In /etc/request-tracker4/RT_SiteConfig.pm, temporarily set @ReferrerWhitelist to use the real hostname instead of krbdev.mit.edu.
Temporarily set emergency moderation on the krb5-bugs mailing list (at https://mailman.mit.edu:444/mailman/admin/krb5-bugs/general ) to ensure that mail sent to that list as the result of testing is caught in the moderation queue.
Verify that RT displays at https://realhostname/rt and tickets can be accessed. Verify that https://realhostname:444/ works and that a new ticket can be created. Respond to the ticket via email and verify that the response is stored in the ticket.
As root, run /var/rt2/bin/krb5-daily.sh and verify that a dump file appears in /var/psqlbackups.
As rtcvs ("su -s /bin/bash - rtcvs"), run /var/rt2/bin/rt-reserve-ticket and verify that a ticket number is printed.
To test rt-cvsgate, create a test message in /tmp/testmsg like so:
id: NNNN (use the ticket number printed by rt-reserve-ticket above) ticket: new subject: rt-cvsgate test tags: pullup
test commit message
As rt-cvsgate, run "/var/rt2/bin/rt-cvsgate username < /tmp/testmsg", where username is an authorized user.
Undo the temporary changes and restore the database from a dump file.
