[rt-users] RT with RHEL4

Phil Lawrence prlawrence at Lehigh.EDU
Fri Jun 3 10:31:41 EDT 2005


Michael T. Halligan wrote:
> Has anybody had any luck with RHEL4 & RT? 

You bet.  Easy as pie.  Here's my install notes, heavily based on the wiki:
Installing RT on RHEL 4 with FastCGI and MySQL:

RHEL4 INSTALL
Boot from RHEL4 CD 1

When partitioning, click "Configure advanced boot loader options"
add vga=773 (or whatever) to kernel parms

Firewall on, allow SSH, HTTP & HTTPS, SMTP
SELINUX=disabled

Customize software packages to be installed
Pick "minimal" set of packages

reboot

SETUP up2date
# rpm --import /usr/share/rhn/RPM-GPG-KEY

upgrade all (you'll be prompted to accept rhn default
  settings, and for your rhn user info)
# up2date -u

add needed stuff
# up2date         \
   httpd-devel     \
   mod_ssl         \
   mysql           \
   mysqlclient10   \
   mysql-server    \
   mysql-devel     \
   gcc             \
   system-switch-mail \
   postfix

add stuff I like
# up2date         \
   screen          \
   rcs             \
   vim-enhanced

Now we switch from Sendmail to Postscript
# system-switch-mail

start screen (if you like)
# screen

Install FastCGI...
# cd /usr/local/src
# wget http://www.fastcgi.com/dist/mod_fastcgi-2.4.2.tar.gz
# gunzip mod_fastcgi-2.4.2.tar.gz
# tar -xvf mod_fastcgi-2.4.2.tar
# cd mod_fastcgi-2.4.2
# cp Makefile.AP2 Makefile
# edit Makefile:
     ###Modify for location of apache 2 installation:
     top_dir      = /etc/httpd
# make
# make install

FastCGI wants to have a place to put its logs, and permission to do so:
# mkdir /etc/httpd/logs/fastcgi
# mkdir /etc/httpd/logs/fastcgi/dynamic
# chown apache:apache /etc/httpd/logs/fastcgi
# chown apache:apache /etc/httpd/logs/fastcgi/dynamic

Do initial configure for apache
# cd /etc/httpd/conf
# ci -l httpd.conf
# vim httpd.conf
# rcsdiff httpd.conf
===================================================================
RCS file: httpd.conf,v
retrieving revision 1.1
diff -r1.1 httpd.conf
189a190
 > LoadModule fastcgi_module modules/mod_fastcgi.so

Start apache
# service httpd start

Check Apache logs to make sure fastcgi started
   - Should see no lines with [error] referencing FastCGI
   - Should see one line indicating a [notice] and the pid of FastCGI
      [notice] FastCGI: process manager initialized (pid 3478)
# cat /var/log/httpd/error_log

If it worked...
# ci -u /etc/httpd/conf/httpd.conf

NOTE:  always check the group ownership and permissions of files after 
you perform rcs operations on them...  I think your effective ID can 
screw things up, and then you've got to chgrp or whatever.

Set apache and mysql to start automatically
# chkconfig httpd on
# chkconfig mysqld on

Turn on MySQL server, set MySQL root password...
# service mysqld start
# mysqladmin -u root password some_new_password


Do initial CPAN setup
# cd
# perl -MCPAN -e shell

Policy on building prerequisites (follow, ask or ignore)? [ask] follow

cpan> install Bundle::CPAN
cpan> quit

RT Pre-Install...
RT requires its own group, so let's add it now lest we forget:
# groupadd rt

RT gets initiated by apache, so add apache to the rt group:
# vim /etc/group
# grep ^rt /etc/group
rt:x:500:apache

Confirm selinux is disabled
# grep ^SELINUX= /etc/selinux/config
SELINUX=disabled

Change permissions on /etc/httpd/logs from within
$ cd /etc/httpd/logs
$ chmod 755 .

Install latest RT
# cd /usr/local/src
# wget http://download.bestpractical.com/pub/rt/release/rt-3.4.2.tar.gz
# gunzip rt-3.4.2.tar.gz
# tar -xvf rt-3.4.2.tar
# cd rt-3.4.2/

Set up the makefile for us with the proper settings:
# ./configure \
     --with-web-user=apache \
     --with-web-group=apache \
     --with-mysql \
     --with-fastcgi

Show us what's missing and what's not:
# perl sbin/rt-test-dependencies --with-mysql --with-fastcgi --verbose

Try to install what's missing for us through CPAN:
# perl sbin/rt-test-dependencies --with-mysql --with-fastcgi --install

Test again and only show us the MISSING items this time:
# perl sbin/rt-test-dependencies --with-mysql --with-fastcgi --verbose \
   | grep MISSING

MIME::Entity won't install without MIME::Base64, so install that first
# perl -MCPAN -e 'install MIME::Base64'

Now install MIME::Entity:
# perl -MCPAN -e 'install MIME::Entity'

Try to install anything else missing for us:
# perl sbin/rt-test-dependencies --with-mysql --with-fastcgi --install

Test again and make sure nothing is MISSING:
# perl sbin/rt-test-dependencies --with-mysql --with-fastcgi --verbose \
   | grep MISSING

NOTE: I chose to skip running the Apache test suite to
  simplify things.  YMMV.

Assuming everything is present and it's a go, install and initialize 
database...
# make install

Make a copy of the dist config file to edit:
# cp /opt/rt3/etc/RT_Config.pm /opt/rt3/etc/RT_SiteConfig.pm

Edit your RT config file for your purposes:
# cd /opt/rt3/etc
# ci -l RT_SiteConfig.pm
# vim RT_SiteConfig.pm
# rcsdiff RT_SiteConfig.pm
===================================================================
RCS file: RT_SiteConfig.pm,v
retrieving revision 1.1
diff -r1.1 RT_SiteConfig.pm
27c27
< Set($rtname , "example.com");
---
 > Set($rtname , "rt");
33c33
< Set($Organization , "example.com");
---
 > Set($Organization , "foo.edu");
66c66
< Set($DatabasePassword , 'rt_pass');
---
 > Set($DatabasePassword , 'foo');
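
Review bot: the $DatabasePassword line in hunk 66c66 sits in a file that was just checked in with "ci -l", so the password is now also stored in RT_SiteConfig.pm,v in the same directory. Give the ,v file the same restrictive owner and mode as RT_SiteConfig.pm, in line with the earlier note about checking ownership and permissions after RCS operations.
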
122c122
< Set($ParseNewMessageForTicketCcs , undef);
---
 > Set($ParseNewMessageForTicketCcs , 1);
127c127
< Set($RTAddressRegexp , '^rt\@example.com$');
---
 > Set($RTAddressRegexp , '(?i)rt\.bar\.Foo\.EDU$');
215c215
< Set($UseFriendlyToLine , 0);
---
 > Set($UseFriendlyToLine , 1);
274c274
< Set($WebPath , "");
---
 > Set($WebPath , "/rt");
279c279
< Set($WebBaseURL , "http://RT::WebBaseURL.not.configured:80");
---
 > Set($WebBaseURL , "http://rt.bar.foo.edu:80");
303c303
< Set($MessageBoxWrap, "HARD");
---
 > Set($MessageBoxWrap, "SOFT");

Initialize Database
# cd /usr/local/src/rt-3.4.2
# make initialize-database

Now edit your Apache config file some more:
# cd /etc/httpd/conf
# co -l httpd.conf
# vim httpd.conf
# rcsdiff httpd.conf
===================================================================
RCS file: httpd.conf,v
retrieving revision 1.2
diff -r1.2 httpd.conf
1023a1024,1040
 >
 > NameVirtualHost *:80
 > <VirtualHost *:80>
 >   ServerAdmin root
 >   DocumentRoot /var/www/html/
 >   # Adding the following for RT (the ticket tracker)
 >   AddHandler fastcgi-script fcgi
 >   <Directory "/opt/rt3/share/html">
 >     Options FollowSymLinks ExecCGI
 >     AllowOverride None
 >   </Directory>
 >   # Pass through requests to display images
 >   Alias /NoAuth/images/ /opt/rt3/share/html/NoAuth/images/
 > </VirtualHost>
 > FastCgiServer /opt/rt3/bin/mason_handler.fcgi -idle-timeout 120
 > ScriptAlias /rt /opt/rt3/bin/mason_handler.fcgi
 >

Restart Apache and test:
# service httpd restart

Assuming it works:
# ci -u /opt/rt3/etc/RT_SiteConfig.pm
# ci -u /etc/httpd/conf/httpd.conf

Set up SSL cert
# cd /etc/httpd/conf
# openssl genrsa                    \
    -des3                            \
    -out ssl.key/rt.bar.foo.edu.key  \
    1024
Note the password you used for this key!

# openssl req  \
    -new                             \
    -key ssl.key/rt.bar.foo.edu.key  \
    -out ssl.csr/rt.bar.foo.edu.csr

Self-sign
# openssl x509  \
    -req                                 \
    -in       ssl.csr/rt.bar.foo.edu.csr \
    -signkey  ssl.key/rt.bar.foo.edu.key \
    -out      ssl.crt/rt.bar.foo.edu.crt

Edit ssl.conf...
# cd /etc/httpd/conf.d
# ci -l ssl.conf
# vim ssl.conf

Here's the skinny
# grep -v ^# ssl.conf | grep -v ^$
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/opt/rt3/share/html"
ServerName rt.bar.foo.edu:443
ErrorLog /var/log/httpd/rt.bar.foo.edu_error
CustomLog /var/log/httpd/rt.bar.foo.edu-access_log common
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/rt.bar.foo.edu.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/rt.bar.foo.edu.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
     SSLOptions +StdEnvVars
</Directory>
<Directory "/opt/rt3/share/html">
     SSLOptions +StdEnvVars
     Options FollowSymLinks ExecCGI
     AllowOverride None
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Alias /NoAuth/images/   /opt/rt3/share/html/NoAuth/images/
AddHandler fastcgi-script fcgi
ScriptAlias / /opt/rt3/bin/mason_handler.fcgi/
<Location />
         AddDefaultCharset UTF-8
</Location>
</VirtualHost>


# cd /etc/httpd/conf
# co -l httpd.conf
# vim httpd.conf
# tail -n 7 httpd.conf
FastCgiServer /opt/rt3/bin/mason_handler.fcgi -idle-timeout 120
NameVirtualHost *:80
<VirtualHost *:80>
   RewriteEngine on
   RewriteCond %{SERVER_PORT} ^80$
   RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

Modify RT config to now serve out of root dir
# cd /opt/rt3/etc/
# vim RT_SiteConfig.pm
# rcsdiff RT_SiteConfig.pm
===================================================================
RCS file: RT_SiteConfig.pm,v
retrieving revision 1.2
diff -r1.2 RT_SiteConfig.pm
274c274
< Set($WebPath , "/rt");
---
 > Set($WebPath , "");
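
Review bot: hunk 274c274 changes only $WebPath, so $WebBaseURL is still "http://rt.bar.foo.edu:80" from revision 1.2 although RT is now served from the port-443 virtual host and port 80 only redirects. Consider setting $WebBaseURL to the https URL in this same revision so that links RT generates point at the HTTPS site directly.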


Make sure your firewall is ready for HTTPS
# iptables -L
# system-config-securitylevel-tui

test it out (you'll be prompted for your .key file passphrase)
# service httpd restart

Assuming it all worked
# ci -u /etc/httpd/conf.d/ssl.conf
# ci -u /etc/httpd/conf/httpd.conf
# ci -u /opt/rt3/etc/RT_SiteConfig.pm

MAIL SETUP
edit config files
# cd /etc/postfix
# ci -l main.cf
# vim main.cf
# rcsdiff main.cf
===================================================================
RCS file: main.cf,v
retrieving revision 1.1
diff -r1.1 main.cf
106c106
< #inet_interfaces = all
---
 > inet_interfaces = all
109c109
< inet_interfaces = localhost
---
 > #inet_interfaces = localhost
200c200,201
< #local_recipient_maps =
---
 > local_recipient_maps =
 > virtual_alias_maps = hash:/etc/mail/virtusertable
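
Review bot: in hunk 200c200,201 the empty local_recipient_maps turns off Postfix's rejection of mail for unknown local recipients. That fits the catch-all @rt.bar.foo.edu entry in virtusertable, but it is worth a comment in main.cf saying the setting is deliberate, since rt_dispatcher then receives whatever is sent to any address in the RT domain.
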
437c438
< #mailbox_command = /some/where/procmail
---
 > mailbox_command = /usr/bin/procmail

# cd /etc/mail
# ci -l virtusertable
# vim virtusertable
# cat virtusertable
postmaster@rt.bar.foo.edu postmaster
@rt.bar.foo.edu rt_dispatcher

# ci -l local-host-names
# vim local-host-names
# cat local-host-names
# rcsdiff local-host-names
===================================================================
RCS file: local-host-names,v
retrieving revision 1.1
diff -r1.1 local-host-names
1a2
 > rt.BAR.Foo.EDU

rt-mailgate will be talking with RT over HTTPS, so we need Crypt::SSLeay
# up2date perl-Crypt-SSLeay

per http://www.geert.triple-it.nl/node/rt_procmail.html...
Create an account which is to gather all RT-mail.
# useradd rt_dispatcher -G rt

Create utility perl scripts and the .procmailrc
# su - rt_dispatcher
$ vim get_action.pl
$ cat get_action.pl
#!/usr/bin/env perl

@arr = <STDIN>;
$action = "correspond";
foreach (@arr) {
         if (/\s*.*<([^@]+)-comment@.*>/g) {
                 $action = "comment";
         } else {
                 if (/\s*([^@]+)-comment@.*/g) {
                         $action = "comment";
                 }
         }
}
print "$action";
$ chmod 700 get_action.pl
$ ci -u get_action.pl

$ vim get_queue.pl
$ cat get_queue.pl
#!/usr/bin/env perl

@arr = <STDIN>;
$queue = 'general';
foreach (@arr) {
         if (/\s*.*<([^@]+)@.*>/g) {
                 $queue = $1;
                 } else {
                         if (/\s*([^@]+)@.*/g) {
                                 $queue= $1;
                         }
                 }
         }
if ($queue =~ /(.*)-comment/)
{
         $queue = $1;
}
print "$queue";
$ chmod 700 get_queue.pl
$ ci -u get_queue.pl

$ vim .procmailrc
$ cat .procmailrc
#Preliminaries
SHELL=/bin/bash
MAILDIR=${HOME}
LOGFILE=${MAILDIR}/procmail.log
LOG="--- Logging ${LOGFILE} for ${LOGNAME}, "
VERBOSE=yes
MAILDOMAIN=rt.bar.foo.edu
RT_MAILGATE="/opt/rt3/bin/rt-mailgate"
RT_URL="https://rt.bar.foo.edu"

LOGABSTRACT=all


:0
{
# the following line extracts the recipient from Received-headers.
# Simply using the To: does not work, as tickets are often created
# by sending a CC/BCC to RT
TO=`formail -c -xReceived: |grep $MAILDOMAIN |sed -e 's/.*for *<*\(.*\)>* *;.*$/\1/'`
QUEUE=`echo $TO| $HOME/get_queue.pl`
ACTION=`echo $TO| $HOME/get_action.pl`
:0 Wa
| $RT_MAILGATE --queue $QUEUE --action $ACTION --url $RT_URL
}
$ chmod 600 .procmailrc
$ ci -u .procmailrc
$ exit

# service postfix restart
# postmap hash:/etc/mail/virtusertable

Now, using a web browser, log into RT as root (pass: password) and:
  - CHANGE the password!
  - create a test queue, e.g.
     Queue Name:       test_queue
     Description:      Queue for Testing
     Reply Address:    test_queue
     Comment Address:  test_queue-comment
  - create a test user with an email address that you control
  - Create group 'FOO Staff'
  - Configuration | Global | Group Rights
	Everyone:
		CreateTicket
		ModifySelf
		ReplyToTicket
		SeeQueue
				
	Requestor:
		ShowTicket
	FOO Staff:
		AssignCustomFields
		CommentOnTicket
		CreateSavedSearch
		DeleteTicket
		EditSavedSearches
		LoadSavedSearch
		ModifyCustomField
		ModifyTicket
		OwnTicket
		ReplyToTicket
		SeeCustomField
		SeeGroup
		ShowOutgoingEmail
		ShowSavedSearches
		ShowTicket
		ShowTicketComments
		StealTicket
		TakeTicket
		Watch

  - send an email to test_queue at rt.bar.foo.edu from the test user's 
email account

There's loads more after this, but it starts to get real specific to our 
customizations.
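
The recipient-to-queue mapping done by get_queue.pl and get_action.pl above, as an added example that is not part of the original post: one shell function that also restricts the queue name to a fixed character set before it is placed on the rt-mailgate command line. The function name rt_route and the allowed character set are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the function
# name rt_route and the allowed character set for queue names.
MAILDOMAIN="rt.bar.foo.edu"    # same value as in the .procmailrc

# Fallback mirrors the defaults in get_queue.pl and get_action.pl.
FALLBACK="general correspond"

# rt_route ADDRESS -> prints "<queue> <action>"; returns 1 (and prints
# the fallback) when ADDRESS is not a plain local-part at MAILDOMAIN.
rt_route() {
    addr=${1#<}                 # strip optional angle brackets
    addr=${addr%>}
    case $addr in
        *@*) ;;
        *) echo "$FALLBACK"; return 1 ;;
    esac
    local_part=${addr%@*}       # everything before the last @
    # Domain case varies (see local-host-names), so compare lowercased
    domain=$(printf '%s' "${addr##*@}" | tr 'A-Z' 'a-z')
    if [ "$domain" != "$MAILDOMAIN" ]; then
        echo "$FALLBACK"; return 1
    fi
    action=correspond
    case $local_part in
        *-comment) action=comment; local_part=${local_part%-comment} ;;
    esac
    # Reject empty names, a leading hyphen (would read as an option),
    # and anything outside letters, digits, dot, underscore, hyphen
    case $local_part in
        ''|-*|*[!A-Za-z0-9._-]*) echo "$FALLBACK"; return 1 ;;
    esac
    echo "$local_part $action"
}

# Constructed sample recipients
for a in '<test_queue@rt.bar.foo.edu>' \
         'test_queue-comment@rt.BAR.Foo.EDU' \
         'bad queue@rt.bar.foo.edu'; do
    rt_route "$a" || true
done
```

The non-zero return lets the calling recipe decide whether to file the message in the fallback queue or set it aside for inspection.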


