Installing an RT4 server from scratch

This is based on installing a test RT4 server on a VM called "bembo". Typically you'd want the hostname to differ from the vhost DNS alias, but this is just a test. You'd make the change in the usual way via a DNS alias, editing the various definitions below.

Note this ensures two important variations on the "old default" RT server config:

  • local postgresql server, rather than MySQL (remote PostgreSQL is also an option, please ask)
  • remctl mailgate, rather than procmail (means no manual dredging out of INCOMING on failure).

Machine Profile

Start out with a small-server.h running SL6_64.

Add the basics to the machine profile:

#define DICE_OPTIONS_RT_SERVERNAME  sl7tracker.inf.ed.ac.uk
#define DICE_OPTIONS_COSIGN_X509TAG bembo
#define DICE_OPTIONS_COSIGN_DESCRIPTION SL7 Tracker
#define DICE_OPTIONS_COSIGN_VALIDREF ^https://bembo\.inf\.ed\.ac\.uk(/.*)?
#define DICE_RT_ROOT /disk/data
#define LCFG_OPTIONS_NAGIOS_CLIENT_REMCTL off
#define DICE_OPTIONS_APACHECONF_SECURITY_ALLOWHYPHENS
[...]
#include <dice/options/rt4-server.h>
#include <dice/options/rt-postgresql.h> /* after rt server headers! */
#include <dice/options/postgresql-9.4-server.h> /* override 9.2 default - this isn't required, it's just good sense */

/* Basic RT config */
#define RT_EMAIL_ALIAS sl7-tracker
!file.v_databasename            mSET(rt4)
!file.v_databaseuser            mSET(rt)
!file.v_databasepassword        mSET()
!file.v_webdomain               mSET(DICE_OPTIONS_RT_SERVERNAME)
!file.v_webexternalauth         mSET(1)
!file.v_webexternalauto         mSET(1)
!file.v_rtname                  mSET(SL7)
!file.v_sendmailarguments       mSET(-fRT_EMAIL_ALIAS@inf.ed.ac.uk -oi)
!file.v_commentaddress          mSET(RT_EMAIL_ALIAS+comment)
!file.v_correspondaddress       mSET(RT_EMAIL_ALIAS+correspond)
!file.v_additional              mSETQ('Set($WebPath, \'\');\n\
')

Bootstrap

Having configured the profile, wait for the changes and apply as much as we can:

$ om updaterpms run
$ om file configure

HACK: On bembo itself, I had to fix up the data disk (this won't be a problem with a properly-configured VM and data disk):

# chown root:root /disk/ /disk/data/
# chmod 755 /disk/ /disk/data/
$ om file configure

Next, the database needs to be started and initialised with RT data:

$ om x509 start
$ om postgresql start
# /usr/sbin/rt-setup-database --help

Now the database is configured, we can start apache/RT itself. Don't expect the cosign servers to have caught your spanning map change, though:

$ rfe lcfg/hanlon
  <make a trivial change; commit>
$ rfe lcfg/mcintyre
  <make a trivial change; commit>
$ om cosign start
$ om apacheconf start

ANOTHER HACK: At this stage apache wasn't configured correctly to serve RT from /; I found this file on another RT server, copied from a previous machine. On bembo I've set this to file component management, but it will be properly integrated into the apache config in future:

!file.files             mEXTRA(rt4_conf)
file.file_rt4_conf      /etc/httpd/conf.d/rt4.conf
file.type_rt4_conf      literal
file.mode_rt4_conf      0644
file.owner_rt4_conf     root
file.group_rt4_conf     root
file.tmpl_rt4_conf      \
Alias / "/usr/share/rt4/html/"\n\
\n\
 <Directory "/usr/share/rt4/html">\n\
  AllowOverride All\n\
  Options ExecCGI FollowSymLinks\n\
\n\
  RewriteEngine On\n\
  RedirectMatch permanent (.*)/$ $1/index.html\n\
  AddDefaultCharset UTF-8\n\
\n\
  AuthType Cosign\n\
  AuthName "SL7 Tracker"\n\
  CosignProtected On\n\
  Require valid-user\n\
\n\
    SetHandler modperl\n\
    PerlResponseHandler Plack::Handler::Apache2\n\
    PerlSetVar psgi_app /usr/sbin/rt-server\n\
 </Directory>\n\
 <Directory "/usr/share/rt4/html/REST/1.0/NoAuth">\n\
  CosignProtected Off\n\
  Allow from localhost\n\
  Satisfy any\n\
 </Directory>\n\
\n
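
An added example, not part of the original page or of the DICE configuration: a Python model of Apache 2.2 host-access evaluation (Order/Allow/Deny plus Satisfy) applied to the NoAuth stanza above, next to a variant with an explicit Order. It assumes no enclosing section sets Order (so the 2.2 default of Deny,Allow applies), that Require valid-user is inherited from the parent Directory, and that "localhost" means loopback only; 192.0.2.10 in the usage note is a constructed remote address.

```python
import ipaddress

# Constructed stanzas: WEAK mirrors the NoAuth block above, FIXED adds an explicit Order.
WEAK = "CosignProtected Off\nAllow from localhost\nSatisfy any\n"
FIXED = "CosignProtected Off\nOrder allow,deny\nAllow from localhost\nSatisfy any\n"
LOOPBACK = ("127.0.0.0/8", "::1/128")  # assumption: "localhost" means loopback only


def parse(stanza):
    """Collect host-access directives, starting from the Apache 2.2 defaults."""
    cfg = {"order": "deny,allow", "allow": [], "deny": [], "satisfy": "all"}
    for line in stanza.splitlines():
        words = line.lower().split()
        if len(words) >= 2 and words[0] == "order":
            cfg["order"] = "".join(words[1:])
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            cfg[words[0]].extend(words[2:])
        elif len(words) >= 2 and words[0] == "satisfy":
            cfg["satisfy"] = words[1]
    return cfg


def matches(specs, client):
    """True if the client address matches any spec (all, localhost, IP or CIDR)."""
    ip = ipaddress.ip_address(client)
    for spec in specs:
        if spec == "all":
            return True
        nets = LOOPBACK if spec == "localhost" else (spec,)
        if any(ip in ipaddress.ip_network(n, strict=False) for n in nets):
            return True
    return False


def host_check(cfg, client):
    """mod_authz_host verdict: the Order decides the default and which list wins."""
    allowed, denied = matches(cfg["allow"], client), matches(cfg["deny"], client)
    if cfg["order"] == "allow,deny":   # default deny, Deny overrides Allow
        return allowed and not denied
    if cfg["order"] == "deny,allow":   # default allow, Allow overrides Deny
        return allowed or not denied
    raise ValueError("unsupported Order: " + cfg["order"])


def unauthenticated_access(stanza, client):
    """True if the client is served without logging in (Satisfy any + host check passes)."""
    cfg = parse(stanza)
    return cfg["satisfy"] == "any" and host_check(cfg, client)
```

Under those assumptions, unauthenticated_access(WEAK, "192.0.2.10") is True because a lone Allow does not deny anyone under Deny,Allow, while the FIXED stanza returns False for that address and True for 127.0.0.1.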

Automatic user/group management

Now we've shown RT is working, we can set it up for automatic user/group management. This grants RT privileges to members of various netgroups, notably rt/sl7tracker/operator for those able to manage tickets. You can create subgroups with the RT_MANAGE_GROUP macro (I'd expect Unit membership to be done this way, adding for example rt/sl7tracker/rat to the ratu-member role).

Remember that RT creates users automatically when they visit (based on their cosign-authenticated REMOTE_USER). Accordingly, the group management can only take place AFTER a user has visited the site at least once. So, a newly-added super-user will need to visit the site, wait for a manual or scheduled pgluser run, then visit the site a second time.

#define DICE_OPTIONS_RT_BASECAP sl7tracker  /* enables pgluser management */
[...]
/* Automatic user management */
!pgluser.users_rtsu             mADD(gdutton)  /* Super-users, for setup/testing */

Having added the pgluser ruleset, run it on the server:

$ om pgluser start
$ om pgluser run -- --init # first run flag

Note that until you have defined netgroups containing RT users (superusers, operators or any kind of managed group), pgluser will run in 'safe mode' and must be passed the --init flag, which means its scheduled runs will fail. If you'd prefer not to use LDAP to manage things, you can pass --init by default:

!pgluser.defargs    mADD(--init)

...but this isn't recommended.

EMail gateway

TBA

-- GrahamDutton - 04 Feb 2016

Topic revision: r2 - 04 Feb 2016 - 17:20:13 - GrahamDutton
 