VultrにRedmineをインストールしてみた

そろそろ個人のナレッジベース的なものを作りたいなと思って、Vultrという海外のVPSサービスにRedmineをインストールしてみました。その時の手順を備忘録として残します。

1.Vultrとは


いつもはConoHaを使っていますが、今回はVultrを使ってみました。どんな感じのサービスかは下記のURLを参照。

個人的に思う、他のサービスと違う点は下記の通りです。

  • 海外のサービスですが、DigitalOceanと違って日本リージョン(東京)が存在する。
  • 一番安いサーバー(VC2)だと月2.5$で遊べる。(自分が見たときにはTemporality Sold Outとなっていたので選択できませんでした)
  • 2.50$/mo, 20GB SSD, 1CPU, 512MB Memory, 500GB Bandwidth
  • Firewallの設定がGUIで設定可能。ConoHaの場合はGUIだと設定できるポートが限られています。例えばSSHのポートを22以外に変更するとGUIから変更後のポートを許可できません。(python-openstackclientなどのCLIを使えば設定出来ますが初心者向けではない)

2.Redmineのインストール


OSはCentOS 7.4を使用。MariaDB+nginx+unicornでRedmine をインストールしています。手順はどれも参照先のコピペなのであまり理解しておりません(特にunicornの設定まわり)。

2.1.CentOSの設定


パッケージをアップデートする。

[root@redmine ~]# yum -y update

タイムゾーンを日本に変更する。

[root@redmine ~]# timedatectl status
      Local time: Mon 2017-09-18 06:57:22 UTC
  Universal time: Mon 2017-09-18 06:57:22 UTC
        RTC time: Mon 2017-09-18 06:57:21
       Time zone: UTC (UTC, +0000)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
[root@redmine ~]# timedatectl set-timezone Asia/Tokyo
[root@redmine ~]# timedatectl status
      Local time: Mon 2017-09-18 15:58:29 JST
  Universal time: Mon 2017-09-18 06:58:29 UTC
        RTC time: Mon 2017-09-18 06:58:28
       Time zone: Asia/Tokyo (JST, +0900)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a

SELinuxの設定を確認(最初から無効化されている)。

[root@redmine ~]# getenforce
Disabled

OSではなく、VultrのFirewall機能を使うつもりなのでfirewalldは停止しました。

[root@redmine ~]# systemctl stop firewalld
[root@redmine ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.

2.2.必要なパッケージのインストール


開発ツール(Cコンパイラ等)をインストールする。

[root@redmine ~]# yum -y groupinstall "Development Tools"

RubyとPassengerのビルドに必要なヘッダファイルなどをインストールする。

[root@redmine ~]# yum -y install openssl-devel readline-devel zlib-devel curl-devel libyaml-devel libffi- devel

MariaDBとヘッダファイルをインストールする。

[root@redmine ~]# yum -y install mariadb-server mariadb-devel

nginxをインストールする。

[root@redmine ~]# yum -y install nginx

ImageMagickとヘッダファイル・日本語フォントをインストールする。

[root@redmine ~]# yum -y install ImageMagick ImageMagick-devel ipa-pgothic-fonts

2.3.MariaDBの設定


デフォルトキャラクタセットをutf8に設定する。

[root@redmine ~]# cp -p /etc/my.cnf /etc/my.cnf.org
[root@redmine ~]# vi /etc/my.cnf
[root@redmine ~]# diff /etc/my.cnf /etc/my.cnf.org
10d9
< character-set-server=utf8
21,22d19
< [mysql]
< default-character-set=utf8
[root@redmine ~]# cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
character-set-server=utf8

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

[mysql]
default-character-set=utf8

MariaDBの起動および自動起動を設定する。

[root@redmine ~]# systemctl start mariadb
[root@redmine ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

/etc/my.cnf への設定が反映されていることを確認する。

[root@redmine ~]# mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show variables like 'character_set%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)

MariaDB [(none)]> exit
Bye

初期設定ツール mysql_secure_installationを実行する。

[root@redmine ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Redmine用データベースとユーザーを作成する。

[root@redmine ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database db_redmine default character set utf8;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on db_redmine.* to user_redmine@localhost identified by 'redmine';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit;
Bye

2.4.Rubyのインストール


rubyのソースコードをダウンロードする。

[root@redmine ~]# cd /tmp/
[root@redmine tmp]# curl -O https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 13.5M  100 13.5M    0     0  23.2M      0 --:--:-- --:--:-- --:--:-- 23.2M
[root@redmine tmp]# ls
firstboot.exec     systemd-private-5ae47086c383401db358ba2fe151c1e6-chronyd.service-0H7OEC
firstboot.log      systemd-private-5ae47086c383401db358ba2fe151c1e6-mariadb.service-ZLKavy
ruby-2.4.1.tar.gz

Rubyをビルドする。

[root@redmine tmp]# tar zxvf ruby-2.4.1.tar.gz
[root@redmine tmp]# cd ruby-2.4.1
[root@redmine ruby-2.4.1]# ./configure --disable-install-doc
[root@redmine ruby-2.4.1]# make
[root@redmine ruby-2.4.1]# make install
[root@redmine ruby-2.4.1]# cd ..
[root@redmine tmp]# rm -rf ruby-2.4.1*
[root@redmine tmp]# ls
firstboot.exec  systemd-private-5ae47086c383401db358ba2fe151c1e6-chronyd.service-0H7OEC
firstboot.log   systemd-private-5ae47086c383401db358ba2fe151c1e6-mariadb.service-ZLKavy
[root@redmine tmp]# ruby -v
ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]

bundlerをインストールする。

[root@redmine]# gem install bundler --no-rdoc --no-ri
Fetching: bundler-1.15.4.gem (100%)
Successfully installed bundler-1.15.4
1 gem installed

2.5.Redmineのインストール


Redmineをダウンロードする。

[root@redmine ~]# svn checkout http://svn.redmine.org/redmine/branches/3.4-stable /opt/redmine
[root@redmine ~]# ls /opt/redmine/
app           bin     config.ru        db   extra  Gemfile  log      public    README.rdoc  test  vendor
appveyor.yml  config  CONTRIBUTING.md  doc  files  lib      plugins  Rakefile  script       tmp

データベースへの接続設定をする。

[root@redmine ~]# vi /opt/redmine/config/database.yml
[root@redmine ~]# cat /opt/redmine/config/database.yml
production:
  adapter: mysql2
  database: db_redmine
  host: localhost
  username: user_redmine
  password: "redmine"
  encoding: utf8

設定ファイル config/configuration.yml を作成する。

[root@redmine ~]# vi /opt/redmine/config/configuration.yml
[root@redmine ~]# cat /opt/redmine/config/configuration.yml
production:
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: "localhost"
      port: 25
      domain: "redmine.blackle0pard.net"

  rmagick_font_path: /usr/share/fonts/ipa-pgothic/ipagp.ttf

gemパッケージをインストールする。

[root@redmine ~]# cd /opt/redmine/
[root@redmine redmine]# bundle install --without development test --path vendor/bundle

2.6.Redmineの初期設定と初期データ登録


セッション改ざん防止用秘密鍵を作成する。

[root@redmine redmine]# bundle exec rake generate_secret_token

データベースのテーブルを作成する。

[root@redmine redmine]# RAILS_ENV=production bundle exec rake db:migrate

デフォルトデータを登録する。

[root@redmine redmine]# RAILS_ENV=production REDMINE_LANG=ja bundle exec rake redmine:load_default_data
Default configuration data loaded.

2.7.Unicornの設定


[root@redmine redmine]# vi /opt/redmine/Gemfile.local
[root@redmine redmine]# cat /opt/redmine/Gemfile.local
gem "unicorn"
[root@redmine redmine]# bundle update
(略)
Fetching unicorn 5.3.0
Installing unicorn 5.3.0 with native extensions
(略)

動作確認をする。

[root@redmine redmine]# bundle exec unicorn_rails -l 3000 -E production
I, [2017-09-18T13:35:00.053964 #6206]  INFO -- : listening on addr=0.0.0.0:3000 fd=9
I, [2017-09-18T13:35:00.054119 #6206]  INFO -- : worker=0 spawning...
I, [2017-09-18T13:35:00.055006 #6206]  INFO -- : master process ready
I, [2017-09-18T13:35:00.055796 #6208]  INFO -- : worker=0 spawned pid=6208
I, [2017-09-18T13:35:00.055985 #6208]  INFO -- : Refreshing Gem list
I, [2017-09-18T13:35:02.509306 #6208]  INFO -- : worker=0 ready
^CI, [2017-09-18T13:35:20.475433 #6206]  INFO -- : reaped #<Process::Status: pid 6208 exit 0> worker=0
I, [2017-09-18T13:35:20.475679 #6206]  INFO -- : master complete

Redmine用Unicornの設定ファイルを作成する。

[root@redmine redmine]# vi /opt/redmine/config/unicorn.rb
[root@redmine redmine]# cat /opt/redmine/config/unicorn.rb
worker_processes 2

listen "/opt/redmine/tmp/sockets/redmine.sock", :backlog => 32

timeout 30

pid "/opt/redmine/tmp/pids/redmine.pid"

stderr_path 'log/unicorn.stderr.log'
stdout_path 'log/unicorn.stdout.log'

preload_app true

check_client_connection false

before_fork do |server, worker|
  defined?(ActiveRecord::Base) and
    ActiveRecord::Base.connection.disconnect!
end

after_fork do |server, worker|
  defined?(ActiveRecord::Base) and
    ActiveRecord::Base.establish_connection

  begin
    uid, gid = Process.euid, Process.egid
    target_uid = Etc.getpwnam(user).uid
    target_gid = Etc.getgrnam(group).gid
    worker.tmp.chown(target_uid, target_gid)
    if uid != target_uid or gid != target.gid
      Process.initgroups(user, target_gid)
      Process::GID.change_privilege(target_gid)
      Process::UID.change_privilege(target_uid)
    end
  rescue
    if RAILS_ENV = "development"
      STDERR.puts "could not change user, oh well"
    else
      STDERR.puts "could not change user, oh well"
      raise e
    end
  end
end

unicornのサービスファイルを作成する。

[root@redmine redmine]# vi /usr/lib/systemd/system/redmine.service
[root@redmine redmine]# cat /usr/lib/systemd/system/redmine.service
[Unit]
Description=Redmine Unicorn Server

[Service]
WorkingDirectory=/opt/redmine
Environment=RAILS_ENV=production
SyslogIdentifier=redmine
PIDFile=/opt/redmine/tmp/pids/unicorn.pid

ExecStart=/usr/local/bin/bundle exec "unicorn_rails -c config/unicorn.rb -E production"
ExecStop=/usr/bin/kill -QUIT $MAINPID
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

サービスを起動する。

[root@redmine redmine]# systemctl start redmine

サービスの状態を確認する。

[root@redmine redmine]# systemctl status redmine
 redmine.service - Redmine Unicorn Server
   Loaded: loaded (/usr/lib/systemd/system/redmine.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-09-18 13:38:27 JST; 14s ago
 Main PID: 6249 (ruby)
   CGroup: /system.slice/redmine.service
           ├─6249 unicorn_rails master -c config/unicorn.rb -E production
           ├─6255 unicorn_rails worker[0] -c config/unicorn.rb -E production
           └─6257 unicorn_rails worker[1] -c config/unicorn.rb -E production

Sep 18 13:38:27 redmine.blackle0pard.net systemd[1]: Started Redmine Unicorn Server.
Sep 18 13:38:27 redmine.blackle0pard.net systemd[1]: Starting Redmine Unicorn Server...

サービスの自動起動を有効化する。

[root@redmine redmine]# systemctl enable redmine
Created symlink from /etc/systemd/system/multi-user.target.wants/redmine.service to /usr/lib/systemd/system/redmine.service.

2.8.nginxの設定


設定ファイルを作成する。

[root@redmine ~]# vi /etc/nginx/conf.d/redmine.conf
[root@redmine ~]# cat /etc/nginx/conf.d/redmine.conf
upstream redmine {
    server unix:/opt/redmine/tmp/sockets/redmine.sock;
}
server {
    listen       80;
    server_name  redmine.blackle0pard.net;

    root /opt/redmine/public;
    client_max_body_size 1G;

    location / {
        try_files $uri/index.html $uri.html $uri @app;
    }

    location @app {
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 600;
        proxy_pass http://redmine;
    }

    error_page 500 502 503 504 /500.html;

}
[root@redmine ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

サービスを起動する。

[root@redmine ~]# systemctl start nginx

サービスの自動起動を有効化する。

[root@redmine ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

Webブラウザでhttp://redmine.blackle0pard.net/にアクセスしてadmin/adminでログインできたらOK。ログイン後の初期設定は下記を参照。

2.9.HTTPS


HTTPSでアクセス出来るように、Let's Encryptを使います。

[root@redmine ~]# yum -y install certbot-nginx
[root@redmine ~]# certbot --nginx -d redmine.blackle0pard.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):hoge@redmine.blackle0pard.net
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for redmine.blackle0pard.net
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/redmine.conf for set(['redmine.blackle0pard.net'])

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/redmine.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://redmine.blackle0pard.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=redmine.blackle0pard.net
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/redmine.blackle0pard.net/fullchain.pem. Your
   cert will expire on 2017-12-17. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again with
   the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
[root@redmine ~]# cat /etc/nginx/conf.d/redmine.conf
upstream redmine {
    server unix:/opt/redmine/tmp/sockets/redmine.sock;
}
server {
    listen       80;
    server_name  redmine.blackle0pard.net;

    root /opt/redmine/public;
    client_max_body_size 1G;

    location / {
        try_files $uri/index.html $uri.html $uri @app;
    }

    location @app {
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 600;
        proxy_pass http://redmine;
    }

    error_page 500 502 503 504 /500.html;


    listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/redmine.blackle0pard.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/redmine.blackle0pard.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}

3.Env.


[root@redmine ~]# uname -a
Linux redmine.blackle0pard.net 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@redmine ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)

links

social