そろそろ個人のナレッジベース的なものを作りたいなと思って、Vultrという海外のVPSサービスにRedmineをインストールしてみました。その時の手順を備忘録として残します。

    1.Vultrとは

    いつもはConoHaを使っていますが、今回はVultrを使ってみました。どんな感じのサービスかは下記のURLを参照。

    個人的に思う、他のサービスと違う点は下記の通りです。

    • 海外のサービスですが、DigitalOceanと違って日本リージョン(東京)が存在する。
    • 一番安いサーバー(VC2)だと月2.5$で遊べる。(自分が見たときにはTemporality Sold Outとなっていたので選択できませんでした)
    • 2.50$/mo, 20GB SSD, 1CPU, 512MB Memory, 500GB Bandwidth
    • Firewallの設定がGUIで設定可能。ConoHaの場合はGUIだと設定できるポートが限られています。例えばSSHのポートを22以外に変更するとGUIから変更後のポートを許可できません。(python-openstackclientなどのCLIを使えば設定出来ますが初心者向けではない)

    2.Redmineのインストール

    OSはCentOS 7.4を使用。MariaDB+nginx+unicornでRedmine をインストールしています。手順はどれも参照先のコピペなのであまり理解しておりません(特にunicornの設定まわり)。

    2.1.CentOSの設定

    パッケージをアップデートする。

    [root@redmine ~]# yum -y update
    

    タイムゾーンを日本に変更する。

    [root@redmine ~]# timedatectl status
          Local time: Mon 2017-09-18 06:57:22 UTC
      Universal time: Mon 2017-09-18 06:57:22 UTC
            RTC time: Mon 2017-09-18 06:57:21
           Time zone: UTC (UTC, +0000)
         NTP enabled: yes
    NTP synchronized: yes
     RTC in local TZ: no
          DST active: n/a
    
    [root@redmine ~]# timedatectl set-timezone Asia/Tokyo
    
    [root@redmine ~]# timedatectl status
          Local time: Mon 2017-09-18 15:58:29 JST
      Universal time: Mon 2017-09-18 06:58:29 UTC
            RTC time: Mon 2017-09-18 06:58:28
           Time zone: Asia/Tokyo (JST, +0900)
         NTP enabled: yes
    NTP synchronized: yes
     RTC in local TZ: no
          DST active: n/a
    

    SELinuxの設定を確認(最初から無効化されている)。

    [root@redmine ~]# getenforce
    Disabled
    

    OSではなく、VultrのFirewall機能を使うつもりなのでfirewalldは停止しました。

    [root@redmine ~]# systemctl stop firewalld
    
    [root@redmine ~]# systemctl disable firewalld
    Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
    
    2.2.必要なパッケージのインストール

    開発ツール(Cコンパイラ等)をインストールする。

    [root@redmine ~]# yum -y groupinstall "Development Tools"
    

    RubyとPassengerのビルドに必要なヘッダファイルなどをインストールする。

    [root@redmine ~]# yum -y install openssl-devel readline-devel zlib-devel curl-devel libyaml-devel libffi- devel
    

    MariaDBとヘッダファイルをインストールする。

    [root@redmine ~]# yum -y install mariadb-server mariadb-devel
    

    nginxをインストールする。

    [root@redmine ~]# yum -y install nginx
    

    ImageMagickとヘッダファイル・日本語フォントをインストールする。

    [root@redmine ~]# yum -y install ImageMagick ImageMagick-devel ipa-pgothic-fonts
    
    2.3.MariaDBの設定

    デフォルトキャラクタセットをutf8に設定する。

    [root@redmine ~]# cp -p /etc/my.cnf /etc/my.cnf.org
    
    [root@redmine ~]# vi /etc/my.cnf
    
    [root@redmine ~]# diff /etc/my.cnf /etc/my.cnf.org
    10d9
    < character-set-server=utf8
    21,22d19
    < [mysql]
    < default-character-set=utf8
    
    [root@redmine ~]# cat /etc/my.cnf
    [mysqld]
    datadir=/var/lib/mysql
    socket=/var/lib/mysql/mysql.sock
    # Disabling symbolic-links is recommended to prevent assorted security risks
    symbolic-links=0
    # Settings user and group are ignored when systemd is used.
    # If you need to run mysqld under a different user or group,
    # customize your systemd unit file for mariadb according to the
    # instructions in http://fedoraproject.org/wiki/Systemd
    character-set-server=utf8
    
    [mysqld_safe]
    log-error=/var/log/mariadb/mariadb.log
    pid-file=/var/run/mariadb/mariadb.pid
    
    #
    # include all files from the config directory
    #
    !includedir /etc/my.cnf.d
    
    [mysql]
    default-character-set=utf8
    

    MariaDBの起動および自動起動を設定する。

    [root@redmine ~]# systemctl start mariadb
    
    [root@redmine ~]# systemctl enable mariadb
    Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
    

    /etc/my.cnf への設定が反映されていることを確認する。

    [root@redmine ~]# mysql -u root
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 2
    Server version: 5.5.56-MariaDB MariaDB Server
    
    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MariaDB [(none)]> show variables like 'character_set%';
    +--------------------------+----------------------------+
    | Variable_name            | Value                      |
    +--------------------------+----------------------------+
    | character_set_client     | utf8                       |
    | character_set_connection | utf8                       |
    | character_set_database   | utf8                       |
    | character_set_filesystem | binary                     |
    | character_set_results    | utf8                       |
    | character_set_server     | utf8                       |
    | character_set_system     | utf8                       |
    | character_sets_dir       | /usr/share/mysql/charsets/ |
    +--------------------------+----------------------------+
    8 rows in set (0.00 sec)
    
    MariaDB [(none)]> exit
    Bye
    

    初期設定ツール mysql_secure_installationを実行する。

    [root@redmine ~]# mysql_secure_installation
    
    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
    
    In order to log into MariaDB to secure it, we'll need the current
    password for the root user.  If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.
    
    Enter current password for root (enter for none):
    OK, successfully used password, moving on...
    
    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.
    
    Set root password? [Y/n] y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
     ... Success!
    
    
    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.
    
    Remove anonymous users? [Y/n] y
     ... Success!
    
    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.
    
    Disallow root login remotely? [Y/n] y
     ... Success!
    
    By default, MariaDB comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.
    
    Remove test database and access to it? [Y/n] y
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!
    
    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.
    
    Reload privilege tables now? [Y/n] y
     ... Success!
    
    Cleaning up...
    
    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.
    
    Thanks for using MariaDB!
    

    Redmine用データベースとユーザーを作成する。

    [root@redmine ~]# mysql -u root -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 11
    Server version: 5.5.56-MariaDB MariaDB Server
    
    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MariaDB [(none)]> create database db_redmine default character set utf8;
    Query OK, 1 row affected (0.00 sec)
    
    MariaDB [(none)]> grant all on db_redmine.* to user_redmine@localhost identified by 'redmine';
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]> flush privileges;
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]> exit;
    Bye
    
    2.4.Rubyのインストール

    rubyのソースコードをダウンロードする。

    [root@redmine ~]# cd /tmp/
    
    [root@redmine tmp]# curl -O https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.gz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 13.5M  100 13.5M    0     0  23.2M      0 --:--:-- --:--:-- --:--:-- 23.2M
    
    [root@redmine tmp]# ls
    firstboot.exec     systemd-private-5ae47086c383401db358ba2fe151c1e6-chronyd.service-0H7OEC
    firstboot.log      systemd-private-5ae47086c383401db358ba2fe151c1e6-mariadb.service-ZLKavy
    ruby-2.4.1.tar.gz
    

    Rubyをビルドする。

    [root@redmine tmp]# tar zxvf ruby-2.4.1.tar.gz
    
    [root@redmine tmp]# cd ruby-2.4.1
    
    [root@redmine ruby-2.4.1]# ./configure --disable-install-doc
    
    [root@redmine ruby-2.4.1]# make
    
    [root@redmine ruby-2.4.1]# make install
    
    [root@redmine ruby-2.4.1]# cd ..
    
    [root@redmine tmp]# rm -rf ruby-2.4.1*
    
    [root@redmine tmp]# ls
    firstboot.exec  systemd-private-5ae47086c383401db358ba2fe151c1e6-chronyd.service-0H7OEC
    firstboot.log   systemd-private-5ae47086c383401db358ba2fe151c1e6-mariadb.service-ZLKavy
    
    [root@redmine tmp]# ruby -v
    ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
    

    bundlerをインストールする。

    [root@redmine]# gem install bundler --no-rdoc --no-ri
    Fetching: bundler-1.15.4.gem (100%)
    Successfully installed bundler-1.15.4
    1 gem installed
    
    2.5.Redmineのインストール

    Redmineをダウンロードする。

    [root@redmine ~]# svn checkout http://svn.redmine.org/redmine/branches/3.4-stable /opt/redmine
    
    [root@redmine ~]# ls /opt/redmine/
    app           bin     config.ru        db   extra  Gemfile  log      public    README.rdoc  test  vendor
    appveyor.yml  config  CONTRIBUTING.md  doc  files  lib      plugins  Rakefile  script       tmp
    

    データベースへの接続設定をする。

    [root@redmine ~]# vi /opt/redmine/config/database.yml
    
    [root@redmine ~]# cat /opt/redmine/config/database.yml
    production:
      adapter: mysql2
      database: db_redmine
      host: localhost
      username: user_redmine
      password: "redmine"
      encoding: utf8
    

    設定ファイル config/configuration.yml を作成する。

    [root@redmine ~]# vi /opt/redmine/config/configuration.yml
    
    [root@redmine ~]# cat /opt/redmine/config/configuration.yml
    production:
      email_delivery:
        delivery_method: :smtp
        smtp_settings:
          address: "localhost"
          port: 25
          domain: "redmine.blackle0pard.net"
    
      rmagick_font_path: /usr/share/fonts/ipa-pgothic/ipagp.ttf
    

    gemパッケージをインストールする。

    [root@redmine ~]# cd /opt/redmine/
    
    [root@redmine redmine]# bundle install --without development test --path vendor/bundle
    
    2.6.Redmineの初期設定と初期データ登録

    セッション改ざん防止用秘密鍵を作成する。

    [root@redmine redmine]# bundle exec rake generate_secret_token
    

    データベースのテーブルを作成する。

    [root@redmine redmine]# RAILS_ENV=production bundle exec rake db:migrate
    

    デフォルトデータを登録する。

    [root@redmine redmine]# RAILS_ENV=production REDMINE_LANG=ja bundle exec rake redmine:load_default_data
    Default configuration data loaded.
    
    2.7.Unicornの設定
    [root@redmine redmine]# vi /opt/redmine/Gemfile.local
    
    [root@redmine redmine]# cat /opt/redmine/Gemfile.local
    gem "unicorn"
    
    [root@redmine redmine]# bundle update
    (略)
    Fetching unicorn 5.3.0
    Installing unicorn 5.3.0 with native extensions
    (略)
    

    動作確認をする。

    [root@redmine redmine]# bundle exec unicorn_rails -l 3000 -E production
    I, [2017-09-18T13:35:00.053964 #6206]  INFO -- : listening on addr=0.0.0.0:3000 fd=9
    I, [2017-09-18T13:35:00.054119 #6206]  INFO -- : worker=0 spawning...
    I, [2017-09-18T13:35:00.055006 #6206]  INFO -- : master process ready
    I, [2017-09-18T13:35:00.055796 #6208]  INFO -- : worker=0 spawned pid=6208
    I, [2017-09-18T13:35:00.055985 #6208]  INFO -- : Refreshing Gem list
    I, [2017-09-18T13:35:02.509306 #6208]  INFO -- : worker=0 ready
    ^CI, [2017-09-18T13:35:20.475433 #6206]  INFO -- : reaped #<Process::Status: pid 6208 exit 0> worker=0
    I, [2017-09-18T13:35:20.475679 #6206]  INFO -- : master complete
    

    Redmine用Unicornの設定ファイルを作成する。

    [root@redmine redmine]# vi /opt/redmine/config/unicorn.rb
    
    [root@redmine redmine]# cat /opt/redmine/config/unicorn.rb
    worker_processes 2
    
    listen "/opt/redmine/tmp/sockets/redmine.sock", :backlog => 32
    
    timeout 30
    
    pid "/opt/redmine/tmp/pids/redmine.pid"
    
    stderr_path 'log/unicorn.stderr.log'
    stdout_path 'log/unicorn.stdout.log'
    
    preload_app true
    
    check_client_connection false
    
    before_fork do |server, worker|
      defined?(ActiveRecord::Base) and
        ActiveRecord::Base.connection.disconnect!
    end
    
    after_fork do |server, worker|
      defined?(ActiveRecord::Base) and
        ActiveRecord::Base.establish_connection
    
      begin
        uid, gid = Process.euid, Process.egid
        target_uid = Etc.getpwnam(user).uid
        target_gid = Etc.getgrnam(group).gid
        worker.tmp.chown(target_uid, target_gid)
        if uid != target_uid or gid != target.gid
          Process.initgroups(user, target_gid)
          Process::GID.change_privilege(target_gid)
          Process::UID.change_privilege(target_uid)
        end
      rescue
        if RAILS_ENV = "development"
          STDERR.puts "could not change user, oh well"
        else
          STDERR.puts "could not change user, oh well"
          raise e
        end
      end
    end
    

    unicornのサービスファイルを作成する。

    [root@redmine redmine]# vi /usr/lib/systemd/system/redmine.service
    
    [root@redmine redmine]# cat /usr/lib/systemd/system/redmine.service
    [Unit]
    Description=Redmine Unicorn Server
    
    [Service]
    WorkingDirectory=/opt/redmine
    Environment=RAILS_ENV=production
    SyslogIdentifier=redmine
    PIDFile=/opt/redmine/tmp/pids/unicorn.pid
    
    ExecStart=/usr/local/bin/bundle exec "unicorn_rails -c config/unicorn.rb -E production"
    ExecStop=/usr/bin/kill -QUIT $MAINPID
    ExecReload=/bin/kill -USR2 $MAINPID
    
    [Install]
    WantedBy=multi-user.target
    

    サービスを起動する。

    [root@redmine redmine]# systemctl start redmine
    

    サービスの状態を確認する。

    [root@redmine redmine]# systemctl status redmine
     redmine.service - Redmine Unicorn Server
       Loaded: loaded (/usr/lib/systemd/system/redmine.service; disabled; vendor preset: disabled)
       Active: active (running) since Mon 2017-09-18 13:38:27 JST; 14s ago
     Main PID: 6249 (ruby)
       CGroup: /system.slice/redmine.service
               ├─6249 unicorn_rails master -c config/unicorn.rb -E production
               ├─6255 unicorn_rails worker[0] -c config/unicorn.rb -E production
               └─6257 unicorn_rails worker[1] -c config/unicorn.rb -E production
    
    Sep 18 13:38:27 redmine.blackle0pard.net systemd[1]: Started Redmine Unicorn Server.
    Sep 18 13:38:27 redmine.blackle0pard.net systemd[1]: Starting Redmine Unicorn Server...
    

    サービスの自動起動を有効化する。

    [root@redmine redmine]# systemctl enable redmine
    Created symlink from /etc/systemd/system/multi-user.target.wants/redmine.service to /usr/lib/systemd/system/redmine.service.
    
    2.8.nginxの設定

    設定ファイルを作成する。

    [root@redmine ~]# vi /etc/nginx/conf.d/redmine.conf
    
    [root@redmine ~]# cat /etc/nginx/conf.d/redmine.conf
    upstream redmine {
        server unix:/opt/redmine/tmp/sockets/redmine.sock;
    }
    server {
        listen       80;
        server_name  redmine.blackle0pard.net;
    
        root /opt/redmine/public;
        client_max_body_size 1G;
    
        location / {
            try_files $uri/index.html $uri.html $uri @app;
        }
    
        location @app {
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_connect_timeout 60;
            proxy_read_timeout 60;
            proxy_send_timeout 600;
            proxy_pass http://redmine;
        }
    
        error_page 500 502 503 504 /500.html;
    
    }
    
    [root@redmine ~]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    

    サービスを起動する。

    [root@redmine ~]# systemctl start nginx
    

    サービスの自動起動を有効化する。

    [root@redmine ~]# systemctl enable nginx
    Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
    

    Webブラウザでhttp://redmine.blackle0pard.net/にアクセスしてadmin/adminでログインできたらOK。ログイン後の初期設定は下記を参照。

    2.9.HTTPS

    HTTPSでアクセス出来るように、Let's Encryptを使います。

    [root@redmine ~]# yum -y install certbot-nginx
    
    [root@redmine ~]# certbot --nginx -d redmine.blackle0pard.net
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel):hoge@redmine.blackle0pard.net
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    
    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
    in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: a
    
    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o: n
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for redmine.blackle0pard.net
    Waiting for verification...
    Cleaning up challenges
    Deployed Certificate to VirtualHost /etc/nginx/conf.d/redmine.conf for set(['redmine.blackle0pard.net'])
    
    Please choose whether HTTPS access is required or optional.
    -------------------------------------------------------------------------------
    1: Easy - Allow both HTTP and HTTPS access to these sites
    2: Secure - Make all requests redirect to secure HTTPS access
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/redmine.conf
    
    -------------------------------------------------------------------------------
    Congratulations! You have successfully enabled https://redmine.blackle0pard.net
    
    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=redmine.blackle0pard.net
    -------------------------------------------------------------------------------
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/redmine.blackle0pard.net/fullchain.pem. Your
       cert will expire on 2017-12-17. To obtain a new or tweaked version
       of this certificate in the future, simply run certbot again with
       the "certonly" option. To non-interactively renew *all* of your
       certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    [root@redmine ~]# cat /etc/nginx/conf.d/redmine.conf
    upstream redmine {
        server unix:/opt/redmine/tmp/sockets/redmine.sock;
    }
    server {
        listen       80;
        server_name  redmine.blackle0pard.net;
    
        root /opt/redmine/public;
        client_max_body_size 1G;
    
        location / {
            try_files $uri/index.html $uri.html $uri @app;
        }
    
        location @app {
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_connect_timeout 60;
            proxy_read_timeout 60;
            proxy_send_timeout 600;
            proxy_pass http://redmine;
        }
    
        error_page 500 502 503 504 /500.html;
    
    
        listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/redmine.blackle0pard.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/redmine.blackle0pard.net/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    
    
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
    }
    

    3.Env.

    [root@redmine ~]# uname -a
    Linux redmine.blackle0pard.net 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
    
    [root@redmine ~]# cat /etc/redhat-release
    CentOS Linux release 7.4.1708 (Core)