Next revision | Previous revision |
navody:uzivatele:stepan_schejbal [2015/04/06 21:41] – created admin | navody:uzivatele:stepan_schejbal [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 |
---|
<html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body> | |
| |
<div><div title="vps"><div><div><div><h2><a></a>vps</h2></div></div><hr></div><div><div>Table of Contents</div><dl><dt><span><a href="#0.1_idp656">1. Info</a></span></dt><dt><span><a href="#0.1_idp42944">2. Basics</a></span></dt><dd><dl><dt><span><a href="#0.1_idp43584">2.1. System update</a></span></dt><dt><span><a href="#0.1_idp44864">2.2. Basic packages and settings</a></span></dt><dt><span><a href="#0.1_idp51728">2.3. Firewall</a></span></dt><dt><span><a href="#0.1_idp67296">2.4. OpenVPN</a></span></dt><dt><span><a href="#0.1_idp90288">2.5. sendmail interface for an SMTP server</a></span></dt></dl></dd><dt><span><a href="#0.1_idp100384">3. web server</a></span></dt><dd><dl><dt><span><a href="#0.1_idp101056">3.1. Nginx</a></span></dt><dt><span><a href="#0.1_idp108528">3.2. Tomcat</a></span></dt><dt><span><a href="#0.1_idp33040">3.3. Apache + PHP</a></span></dt></dl></dd><dt><span><a href="#0.1_idp37024">4. Git</a></span></dt><dt><span><a href="#0.1_idp139840">5. Mysql</a></span></dt><dt><span><a href="#0.1_idp142304">6. Redmine</a></span></dt><dd><dl><dt><span><a href="#0.1_idp156304">6.1. Passenger in nginx</a></span></dt><dt><span><a href="#0.1_idp160720">6.2. Thin in nginx (a primitive alternative to passenger)</a></span></dt></dl></dd><dt><span><a href="#0.1_idp168544">7. nexus (maven repository)</a></span></dt></dl></div><div title="1. Info"><div><div><div><h2 style="clear:both"><a></a>1. Info</h2></div></div></div><p>The installed system is <span><strong>debian 7 | |
(wheezy)</strong></span>. I originally tried debian 6, but shorewall did not | |
work on it. After that the server ran on arch linux, but vpsfree does not | |
support it much, and it also has rolling updates, so they include very large changes | |
(upgrades of glibc, of the init system and so on), which can easily screw everything up to | |
the point where a complete reinstall is needed.</p></div><div title="2. Basics"><div><div><div><h2 style="clear:both"><a></a>2. Basics</h2></div></div></div><div title="2.1. System update"><div><div><div><h3><a></a>2.1. System update</h3></div></div></div><div>apt-get update # fetches info about the current versions | |
apt-get upgrade # upgrades packages to the newest versions</div></div><div title="2.2. Basic packages and settings"><div><div><div><h3><a></a>2.2. Basic packages and settings</h3></div></div></div><div>apt-get install rsyslog man bzip2 wget sudo htop cron-apt | |
| |
# Oracle Java: | |
# java-package 0.50+ is needed for server-jre support; this is better than enabling the backports repository | |
wget <a href="http://ftp.cz.debian.org/debian/pool/contrib/j/java-package/java-package_0.53~bpo70+1_all.deb" target="_blank">http://ftp.cz.debian.org/debian/pool/contrib/j/java-package/java-package_0.53~bpo70+1_all.deb</a> | |
dpkg -i java-package_0.53~bpo70+1_all.deb | |
# --no-check-certificate turns off TLS certificate verification for this download | |
wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \ | |
<a href="http://download.oracle.com/otn-pub/java/jdk/7u55-b13/server-jre-7u55-linux-x64.tar.gz" target="_blank">http://download.oracle.com/otn-pub/java/jdk/7u55-b13/server-jre-7u55-linux-x64.tar.gz</a> | |
make-jpkg server-jre-7u55-linux-x64.tar.gz | |
dpkg -i oracle-java7-jre_7u55_amd64.deb</div><div><a></a><div>Example 1. /etc/ssh/sshd_config</div><div><p>Copy the login key, e.g. with ssh-copy-id | |
<a href="mailto:root@example.com" target="_blank">root@example.com</a>, check that it works, then disable password login:</p><div>PasswordAuthentication no</div></div></div><br><div><a></a><div>Example 2. /etc/vim/vimrc</div><div><div>set mouse-=a | |
colorscheme elflord | |
syntax on</div></div></div><br><div><a></a><div>Example 3. /etc/cron-apt/config</div><div><div>MAILON="upgrade" | |
MAILTO="<span><strong><a href="mailto:user@example.com" target="_blank">user@example.com</a></strong></span>"</div></div></div><br></div><div title="2.3. Firewall"><div><div><div><h3><a></a>2.3. Firewall</h3></div></div></div><p>The firewall is configured with the | |
<code>shorewall</code> package; for details see <a href="#0.1_">http://shorewall.net/standalone.htm</a>, <a href="#0.1_">https://wiki.debian.org/HowTo/shorewall</a>.</p><div>apt-get install shorewall | |
cd /etc/shorewall | |
# the directory should be empty, except for shorewall.conf</div><div><a></a><div>Example 4. /etc/shorewall/zones</div><div><p>Zone setup ($FW in the other files is automatically | |
replaced by "fw").</p><div>#ZONE TYPE OPTIONS IN OUT | |
# OPTIONS OPTIONS | |
fw firewall | |
net ipv4 | |
vpn ipv4</div></div></div><br><div><a></a><div>Example 5. /etc/shorewall/policy</div><div><p>This sets the default actions (evaluated in the | |
order given!).</p><div>#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: | |
# LEVEL BURST MASK | |
| |
# allow connections "from the server to the internet" | |
$FW net ACCEPT | |
| |
# drop everything "from the internet to the server" | |
net all DROP info | |
| |
# reject everything "from vpn to the internet" (so that vpn clients do not browse through the server) | |
vpn net REJECT info | |
| |
# allow everything else "from vpn" | |
vpn all ACCEPT | |
| |
# The FOLLOWING POLICY MUST BE LAST | |
all all REJECT info</div></div></div><br><div><a></a><div>Example 6. /etc/shorewall/interfaces</div><div><div>FORMAT 2 | |
############################################################################### | |
#ZONE INTERFACE OPTIONS | |
net venet0 tcpflags,logmartians,nosmurfs | |
vpn tun0</div></div></div><br><div><a></a><div>Example 7. /etc/shorewall/rules</div><div><div>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH | |
# PORT PORT(S) DEST LIMIT GROUP | |
#SECTION ALL | |
#SECTION ESTABLISHED | |
#SECTION RELATED | |
SECTION NEW | |
| |
# allow the SSH service for clients from the internet (DO NOT DO THIS; in an emergency you can connect to the terminal through the VPS administration) | |
# - for everyone | |
#ACCEPT net $FW tcp ssh | |
# - for a specific IP address | |
#ACCEPT net:78.80.8.27 $FW tcp ssh | |
# - for a group of IP addresses (subnet) | |
#ACCEPT net:81.25.21.0/24 $FW tcp ssh | |
| |
# OpenVPN | |
ACCEPT net $FW udp 1194 | |
ACCEPT $FW net udp - 1194 | |
| |
# WEB | |
ACCEPT all all tcp 80 | |
ACCEPT all all tcp 443</div></div></div><br><div><a></a><div>Example 8. /etc/shorewall/shorewall.conf</div><div><div>STARTUP_ENABLED=Yes</div></div></div><br><div><a></a><div>Example 9. /etc/default/shorewall</div><div><div>startup=1</div></div></div><br><p>A few useful commands:</p><div>/etc/init.d/shorewall start|stop|restart|... | |
shorewall status | |
shorewall show | |
shorewall safe-start | |
shorewall safe-restart</div></div><div title="2.4. OpenVPN"><div><div><div><h3><a></a>2.4. OpenVPN</h3></div></div></div><div>apt-get install openvpn | |
cp -a /usr/share/openvpn/easy-rsa /etc/openvpn | |
cd /etc/openvpn/easy-rsa</div><div><a></a><div>Example 10. /etc/openvpn/easy-rsa/vars</div><div><div>export KEY_SIZE=2048 | |
export KEY_COUNTRY="<span><strong>CZ</strong></span>" | |
export KEY_PROVINCE="<span><strong>Czech Republic</strong></span>" | |
export KEY_CITY="<span><strong>Prague</strong></span>" | |
export KEY_ORG="<span><strong>MOJE FIRMA s.r.o.</strong></span>" | |
export KEY_EMAIL="<span><strong><a href="mailto:support@example.com" target="_blank">support@example.com</a></strong></span>" | |
export KEY_OU=""</div></div></div><br><div>source vars | |
./clean-all | |
./build-ca # enter e.g. openvpn-ca as Common Name/Name | |
./build-key-server <span><strong>mujserver</strong></span> | |
./build-key <span><strong>tonda</strong></span> # or build-key-pass to password-protect the private keys | |
./build-key <span><strong>cenda</strong></span> | |
... | |
./build-dh | |
cd keys | |
openvpn --genkey --secret ta.key | |
cp {ca.crt,dh2048.pem,ta.key,inter.{crt,key}} /etc/openvpn | |
chmod 600 /etc/openvpn/{ta.key,inter.key}</div><div><a></a><div>Example 11. /etc/openvpn/server.conf</div><div><div>dev tun | |
port 1194 | |
;proto tcp | |
proto udp | |
# VPN subnet - pick something random from <a href="http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces" target="_blank">http://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces</a> | |
# definitely not 10.0.0.0, 10.1.1.0, 192.168.0.0, 192.168.1.0 - most "home" networks use those | |
server <span><strong>10.134.75</strong></span>.0 255.255.255.0 | |
ifconfig-pool-persist ipp.txt | |
ca ca.crt | |
crl-verify crl.pem # see certificate revocation | |
cert inter.crt | |
key inter.key | |
dh dh2048.pem | |
tls-auth ta.key 0 | |
cipher AES-256-CBC | |
comp-lzo yes</div></div></div><br><div><a></a><div>Example 12. client.conf</div><div><div>dev tun | |
port 1194 | |
proto udp | |
client | |
remote <span><strong><a href="http://mujserver.example.com" target="_blank">mujserver.example.com</a></strong></span> | |
ca ca.crt | |
cert <span><strong>tonda.crt</strong></span> | |
key <span><strong>tonda.key</strong></span> | |
tls-auth ta.key 1 | |
remote-cert-tls server | |
cipher AES-256-CBC | |
comp-lzo yes</div></div></div><br><p>Now all that remains is to send each client | |
<code>client.conf</code>, <code>ta.key</code> and the | |
corresponding <code>crt</code> and <code>key</code> file. | |
<span><strong>It is recommended to move | |
<code>ca.key</code> to offline storage and to delete the | |
<code>key</code> files of all clients.</strong></span></p><div># assumes sendmail is configured (later in this guide) | |
cd keys | |
key="<span><strong>tonda</strong></span>" email="<span><strong><a href="mailto:tonda@example.com" target="_blank">tonda@example.com</a></strong></span>" | |
zippwd=$(dd if=/dev/urandom bs=1 count=10 2>/dev/null | base64 | head -c 8) | |
# 7z takes the password directly after -p and the archive name before the files; the mail body says "I will supply the archive password" | |
rm -v "$key.7z"; 7z a -p"$zippwd" "$key.7z" ca.crt $key.{crt,key} ta.key && mailx -s "openvpn keys" -a "$key.7z" $email <<<"heslo k archivu dodam"; rm -v "$key.7z" | |
# prints the password for unpacking the archive | |
echo "heslo na rozbaleni $key.7z: $zippwd"</div><div title="2.4.1. Certificate revocation"><div><div><div><h4><a></a>2.4.1. Certificate revocation</h4></div></div></div><div>cd /etc/openvpn/easy-rsa | |
source vars | |
./revoke-full <span><strong>certificate_name</strong></span> | |
cp -v crl.pem /etc/openvpn</div></div></div><div title="2.5. sendmail interface for an SMTP server"><div><div><div><h3><a></a>2.5. sendmail interface for an SMTP server</h3></div></div></div><p>Some components (e.g. redmine) need to send email through the | |
sendmail interface (e.g. because their SMTP client for some reason does not work | |
with the SMTP server). For that purpose a better SMTP client that | |
supports the sendmail interface can be installed. For details see <a href="#0.1_">http://msmtp.sourceforge.net/doc/msmtp.html</a>.</p><div>apt-get purge exim4-config exim4 exim4-base exim4-daemon-light | |
apt-get install msmtp-mta | |
ls -l /usr/sbin/sendmail | |
# must point to /usr/msmtp</div><div><a></a><div>Example 13. /etc/msmtprc</div><div><div># Accounts will inherit settings from this section | |
defaults | |
auth on | |
tls on | |
# tls_certcheck off skips verification of the server certificate; to verify it, set tls_trust_file and turn tls_certcheck on | |
tls_certcheck off | |
#tls_trust_file /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt | |
| |
account <span><strong>blackhole</strong></span> | |
host <span><strong><a href="http://smtp.example.com" target="_blank">smtp.example.com</a></strong></span> | |
port <span><strong>465</strong></span> | |
from <span><strong><a href="mailto:blackhole@example.com" target="_blank">blackhole@example.com</a></strong></span> | |
user <span><strong><a href="mailto:blackhole@example.com" target="_blank">blackhole@example.com</a></strong></span> | |
password <span><strong>my_password</strong></span> | |
tls_starttls <span><strong>off</strong></span> | |
| |
account default : <span><strong>blackhole</strong></span></div></div></div><br></div></div><div title="3. web server"><div><div><div><h2 style="clear:both"><a></a>3. web server</h2></div></div></div><div title="3.1. Nginx"><div><div><div><h3><a></a>3.1. Nginx</h3></div></div></div><p>Among other things, nginx makes it possible to run several different web servers on | |
the same port (e.g. tomcat for java web applications + apache for php + | |
passenger for ruby applications).</p><p>Because we need <span><em>passenger</em></span> for | |
<span><em>ruby</em></span> applications (e.g. <span><em>redmine</em></span>), | |
nginx cannot be installed from the debian packages.</p><div>apt-key adv --keyserver <a href="http://keyserver.ubuntu.com" target="_blank">keyserver.ubuntu.com</a> --recv-keys 561F9B9CAC40B2F7 | |
apt-get install apt-transport-https ca-certificates | |
echo "deb <a href="https://oss-binaries.phusionpassenger.com/apt/passenger" target="_blank">https://oss-binaries.phusionpassenger.com/apt/passenger</a> wheezy main" > /etc/apt/sources.list.d/passenger.list | |
chmod 600 /etc/apt/sources.list.d/passenger.list | |
apt-get update | |
apt-get install nginx-extras passenger</div><p>If SSL is going to be used, a certificate has to be | |
generated:</p><div>openssl req -new -x509 -nodes -out /etc/nginx/server.crt -keyout /etc/nginx/server.key</div><div><a></a><div>Example 14. /etc/nginx/conf/nginx.conf</div><div><div>#user nobody; | |
worker_processes 1; | |
| |
error_log /var/log/nginx/error.log; | |
pid /var/run/nginx.pid; | |
| |
#error_log logs/error.log notice; | |
#error_log logs/error.log info; | |
| |
#pid logs/nginx.pid; | |
| |
| |
events { | |
worker_connections 128; # maximum number of connections - <a href="http://wiki.nginx.org/EventsModule#worker_connections" target="_blank">http://wiki.nginx.org/EventsModule#worker_connections</a> | |
} | |
| |
| |
http { | |
passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini; | |
passenger_ruby /usr/bin/ruby; | |
| |
include mime.types; | |
default_type application/octet-stream; | |
| |
#log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
# '$status $body_bytes_sent "$http_referer" ' | |
# '"$http_user_agent" "$http_x_forwarded_for"'; | |
| |
#access_log logs/access.log main; | |
| |
sendfile on; | |
#tcp_nopush on; | |
| |
#keepalive_timeout 0; | |
keepalive_timeout 65; | |
| |
#gzip on; | |
| |
ssl_certificate server.crt; | |
ssl_certificate_key server.key; | |
| |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
}</div></div></div><br></div><div title="3.2. Tomcat"><div><div><div><h3><a></a>3.2. Tomcat</h3></div></div></div><p>The web server is tomcat 7, because we want to run simple | |
Java web applications in it (i.e. we need something in Java, but we do not need a | |
super-duper application server).</p><div>apt-get install tomcat7</div><div><a></a><div>Example 15. conf/server.xml</div><div><div><Server port="8005" shutdown="SHUTDOWN"> | |
<Service name="Catalina"> | |
<Connector port="<span><strong>8081</strong></span>" protocol="org.apache.coyote.http11.Http11NioProtocol" | |
connectionTimeout="20000" | |
redirectPort="<span><strong>443</strong></span>" | |
minSpareThreads="2" maxThreads="10" /> | |
<Engine name="Catalina" defaultHost="<span><strong><a href="http://www.example.com" target="_blank">www.example.com</a></strong></span>"> | |
<Host name="<span><strong><a href="http://www.example.com" target="_blank">www.example.com</a></strong></span>" appBase="<span><strong>webapps-moje</strong></span>" | |
unpackWARs="true" autoDeploy="true"> | |
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" | |
prefix="access_log." suffix=".log" | |
pattern="%h %l %u %t &quot;%r&quot; %s %b" /> | |
</Host> | |
</Engine> | |
</Service> | |
</Server></div><p><code>appBase</code> is changed because a tomcat upgrade | |
could overwrite the applications in | |
<code>/var/lib/tomcat7/webapps</code> (at least some | |
distributions used to do that).</p></div></div><br><div><a></a><div>Example 16. /etc/default/tomcat7</div><div><div>JAVA_HOME=/usr/lib/jvm/jre-7-oracle-x64 | |
CATALINA_OPTS="-Djava.awt.headless=true -Xmx80m -XX:+UseConcMarkSweepGC" | |
# enable for remote management (e.g. jconsole or jvisualvm) | |
# note: the flags below open JMX on port 5000 with authentication and SSL switched off | |
#JAVA_OPTS="${JAVA_OPTS} -Djava.rmi.server.hostname=<span><strong><a href="http://mujserver.example.com" target="_blank">mujserver.example.com</a></strong></span> -Djava.net.preferIPv4Stack=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5000 -Dcom.sun.management.jmxremote.authenticate=false"</div></div></div><br><p>Configure nginx to forward requests to tomcat:</p><div><a></a><div>Example 17. /etc/nginx/conf/nginx.conf</div><div><div> server { | |
# JAVA web server - e.g. Tomcat | |
listen *:80 default_server; | |
listen *:443 ssl; | |
| |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
| |
location / { | |
proxy_pass <a href="http://127.0.0.1:8081" target="_blank">http://127.0.0.1:8081</a>; | |
} | |
}</div></div></div><br></div><div title="3.3. Apache + PHP"><div><div><div><h3><a></a>3.3. Apache + PHP</h3></div></div></div><p>For PHP experiments:</p><div><a></a><div>Example 18. /etc/nginx/conf/nginx.conf</div><div><div> server { | |
# PHP + phpmyadmin | |
listen *:80; | |
listen *:443 ssl; | |
server_name <span><strong><a href="http://php.example.com" target="_blank">php.example.com</a></strong></span>; # this is another DNS name for the public address of the vps server | |
| |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
| |
location / { | |
proxy_pass <a href="http://127.0.0.1:8082" target="_blank">http://127.0.0.1:8082</a>; | |
} | |
| |
# PHPmyadmin only over SSL | |
location /phpmyadmin { | |
if ($scheme = "http") { | |
rewrite ^ https://$http_host$request_uri permanent; | |
} | |
if ($scheme = "https") { | |
proxy_pass <a href="http://127.0.0.1:8082" target="_blank">http://127.0.0.1:8082</a>; | |
} | |
} | |
}</div></div></div><br></div></div><div title="4. Git"><div><div><div><h2 style="clear:both"><a></a>4. Git</h2></div></div></div><p>Access to the git repositories is managed by | |
<span><em>gitolite</em></span>.</p><div># copy the git administrator's id_rsa.pub to /root/spravcegitu.pub | |
apt-get install gitolite | |
dpkg-reconfigure gitolite | |
# change the user to <span><strong>git</strong></span></div><div><a></a><div>Example 19. /var/lib/gitolite/.gitolite.rc</div><div><div>$REPO_UMASK = 0027; # makes files g+rx so that e.g. redmine can access them</div></div></div><br><div><a></a><div>Example 20. /etc/ssh/sshd_config</div><div><p>Password authentication is disabled (everything runs over | |
keys only):</p><div>Match User git | |
PasswordAuthentication no</div></div></div><br></div><div title="5. Mysql"><div><div><div><h2 style="clear:both"><a></a>5. Mysql</h2></div></div></div><p>Mysql is needed e.g. for redmine (see below). More at <a href="#0.1_">https://wiki.archlinux.org/index.php/MySQL</a>.</p><div>apt-get install mysql-server | |
mysql_secure_installation</div></div><div title="6. Redmine"><div><div><div><h2 style="clear:both"><a></a>6. Redmine</h2></div></div></div><p>For details see <a href="#0.1_">http://www.redmine.org/projects/redmine/wiki/RedmineInstall</a>.</p><div>apt-get install ruby ruby-dev make imagemagick libmagickcore-dev libmagickwand-dev libmysqlclient-dev | |
cd | |
VER=2.5.1 | |
wget <a href="http://www.redmine.org/releases/redmine-$VER.tar.gz" target="_blank">http://www.redmine.org/releases/redmine-$VER.tar.gz</a> | |
tar xzf redmine-$VER.tar.gz -C /opt | |
chown -R root:root /opt/redmine-$VER</div><div>mysql -p # asks for the password (see the mysql installation) | |
create database redmine character set utf8; | |
create user 'redmine'@'localhost' identified by '<span><strong>my_password</strong></span>'; | |
grant all privileges on redmine.* to 'redmine'@'localhost';</div><div><a></a><div>Example 21. config/database.yml</div><div><div>production: | |
adapter: mysql2 | |
database: redmine | |
host: localhost | |
username: redmine | |
password: <span><strong>my_password</strong></span> | |
encoding: utf8</div></div></div><br><div><a></a><div>Example 22. config/configuration.yml</div><div><div>production: | |
email_delivery: | |
delivery_method: :sendmail</div></div></div><br><p>This has to be done only after | |
<code>config/database.yml</code> is in place, so that it pulls in all the required | |
add-ons (mainly the ones for database access).</p><div>cd /opt/redmine-$VER | |
gem install --no-user-install bundler | |
bundle install --system --without development test postgresql sqlite | |
rake generate_secret_token | |
useradd -m --home-dir /var/lib/redmine-$VER --shell /bin/bash --system redmine | |
usermod -a -G git redmine | |
mkdir -p /var/lib/redmine-$VER/{tmp,public/plugin_assets} | |
tar c files log tmp public/plugin_assets | tar xv -C /var/lib/redmine-$VER | |
for i in files log tmp public/plugin_assets; do rm -Rf $i; ln -nfs /var/lib/redmine-$VER/$i $i; done | |
chown -R redmine:redmine /var/lib/redmine-$VER | |
chmod -R ugo+r /var/lib/redmine-$VER</div><p>The data is copied from the old server:</p><div><span><strong># somehow get the data from <code>files</code> into <code>/var/lib/redmine-1.4/files</code></strong></span> | |
mysql -u redmine -p redmine < dump_redmine_default_2012-05-28.sql | tee restore.log | |
RAILS_ENV=production rake db:migrate</div><div title="Note" style="margin-left:0.5in;margin-right:0.5in"><h3>Note</h3><p>A new database can be created with:</p><div>RAILS_ENV=production rake db:migrate | |
RAILS_ENV=production rake redmine:load_default_data</div></div><p>The installation can be tested by starting a simple web server (look | |
at the projects and check whether the git integration and sending | |
email work):</p><div>su - -s /bin/bash redmine | |
ruby script/rails server webrick -e production</div><div title="6.1. Passenger in nginx"><div><div><div><h3><a></a>6.1. Passenger in nginx</h3></div></div></div><p>For details see <a href="#0.1_">http://www.modrails.com/documentation/Users%20guide%20Nginx.html#install_on_debian_ubuntu</a>.</p><div>apt-get install ruby-passenger</div><div><a></a><div>Example 23. /etc/nginx/conf/nginx.conf</div><div><div>http { | |
# NOTE: passenger must be enabled (see the nginx installation) | |
| |
server { | |
listen 8080 default_server; | |
root /opt/redmine-2.5.1/public; | |
passenger_enabled on; | |
# by default the current owner/group of the file <code>config/environment.rb</code> is used | |
passenger_user redmine; | |
passenger_group redmine; | |
client_max_body_size 100M; # some uploads to redmine will be larger than the default limit | |
} | |
}</div></div></div><br></div><div title="6.2. Thin in nginx (a primitive alternative to passenger)"><div><div><div><h3><a></a>6.2. Thin in nginx (a primitive alternative to passenger)</h3></div></div></div><div>gem install --no-user-install thin | |
thin install</div><p>Add the following:</p><div><a></a><div>Example 24. /opt/redmine-1.4/Gemfile</div><div><div>gem 'thin'</div></div></div><br><div><a></a><div>Example 25. /etc/thin/redmine.yml</div><div><div>--- | |
chdir: /opt/redmine-1.4 | |
environment: production | |
timeout: 30 | |
log: /var/log/thin/redmine.log | |
pid: /var/lib/redmine-1.4/thin.pid # must be writable by the redmine user | |
max_conns: 1024 | |
max_persistent_conns: 100 | |
require: [] | |
wait: 30 | |
socket: /var/lib/redmine-1.4/thin.sock # must be writable by the redmine user | |
daemonize: true | |
user: redmine | |
group: redmine | |
servers: 1</div></div></div><br><p>And finally, in <code>/etc/rc.conf</code>, add | |
<code>thin</code> to <code>DAEMONS</code>.</p><div><a></a><div>Example 26. /etc/nginx/conf/nginx.conf</div><div><div> upstream redmine { | |
server unix:/var/lib/redmine-1.4/thin.0.sock; | |
} | |
| |
server { | |
listen *:8080 default_server; | |
client_max_body_size 100M; | |
| |
location / { | |
proxy_pass <a href="http://redmine" target="_blank">http://redmine</a>; | |
} | |
}</div></div></div><br></div></div><div title="7. nexus (maven repository)"><div><div><div><h2 style="clear:both"><a></a>7. nexus (maven repository)</h2></div></div></div><div title="Note" style="margin-left:0.5in;margin-right:0.5in"><h3>Note</h3><p>It might be worth considering just dropping the war into tomcat, so that | |
two JVMs are not running there needlessly.</p></div><div>useradd --system --shell /bin/bash --home-dir /var/lib/nexus -m nexus | |
wget <a href="http://www.sonatype.org/downloads/nexus-latest-bundle.tar.gz" target="_blank">http://www.sonatype.org/downloads/nexus-latest-bundle.tar.gz</a> | |
tar xzf nexus-latest-bundle.tar.gz -C /opt | |
ln -nfsv /opt/nexus-2.7.0-05 /opt/nexus | |
mkdir /var/run/nexus | |
chown nexus:nexus /var/run/nexus | |
mkdir /var/lib/nexus/{logs,tmp} | |
chown nexus:nexus /var/lib/nexus/{logs,tmp} | |
rm -rfv /opt/nexus/{logs,tmp} | |
ln -fsv /var/lib/nexus/logs /opt/nexus | |
ln -fsv /var/lib/nexus/tmp /opt/nexus | |
cp /opt/nexus/bin/nexus /etc/init.d | |
chmod ugo+x /etc/init.d/nexus | |
update-rc.d nexus defaults</div><div><a></a><div>Example 27. /etc/init.d/nexus</div><div><div>NEXUS_HOME="/opt/nexus" | |
#JAVA_HOME="/opt/jdk-7" | |
RUN_AS_USER="nexus" | |
PIDDIR="/var/lib/nexus" # must be writable by the nexus user</div></div></div><br><div><a></a><div>Example 28. /opt/nexus/conf/nexus.properties</div><div><div>application-port=8083 | |
nexus-work=/var/lib/nexus</div></div></div><br><div><a></a><div>Example 29. /opt/nexus/bin/jsw/conf/wrapper.conf</div><div><div>wrapper.java.maxmemory=80</div></div></div><br><p>For the rest see <a href="#0.1_">http://books.sonatype.com/nexus-book/reference/install-sect-repoman-post-install.html</a></p></div></div></div> | |
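Example 5 (/etc/shorewall/policy) notes that the policies are evaluated in the order given. The script below is an added example, not part of the original guide or of shorewall: it models that first-match lookup and reports which policy applies to a zone pair and which entries can never match. The function names are made up here, the sample files are constructed from Example 5, and the model assumes exact zone names or "all" only.

```shell
#!/bin/sh
# Added example: simplified model of how /etc/shorewall/policy is evaluated.
# Assumptions: zones match by exact name or "all"; intra-zone defaults,
# "any", "all+" and exclusions are not modelled. Function names are made up.

# Constructed sample: the entries from Example 5, in the guide's order.
sample_policy() {
cat <<'EOF'
#SOURCE DEST POLICY LOG
$FW     net  ACCEPT
net     all  DROP    info
vpn     net  REJECT  info
vpn     all  ACCEPT
all     all  REJECT  info
EOF
}

# Constructed sample: the same entries with the two vpn lines swapped.
misordered_policy() {
cat <<'EOF'
$FW     net  ACCEPT
net     all  DROP    info
vpn     all  ACCEPT
vpn     net  REJECT  info
all     all  REJECT  info
EOF
}

# effective_policy SRC DST: reads a policy file on stdin and prints the
# POLICY of the first entry that matches SRC -> DST, or NONE.
effective_policy() {
    awk -v src="$1" -v dst="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments, blank lines
        { s = $1; d = $2
          if (s == "$FW") s = "fw"               # $FW names the firewall zone
          if (d == "$FW") d = "fw"
          if ((s == src || s == "all") && (d == dst || d == "all")) {
              print $3; found = 1; exit
          }
        }
        END { if (!found) print "NONE" }'
}

# shadowed_entries: reads a policy file on stdin and prints every entry that
# can never match because an earlier entry already covers the same traffic.
shadowed_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { for (i = 1; i <= n; i++)
              if ((S[i] == $1 || S[i] == "all") && (D[i] == $2 || D[i] == "all")) {
                  print $1, $2, $3, "shadowed by", S[i], D[i], P[i]
                  break
              }
          n++; S[n] = $1; D[n] = $2; P[n] = $3
        }'
}

# catchall_is_last: exit status 0 if the last entry is "all all" with a
# REJECT or DROP policy, as Example 5 requires; 1 otherwise.
catchall_is_last() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { last = $1 " " $2 " " $3 }
        END { exit ((last ~ /^all all (REJECT|DROP)$/) ? 0 : 1) }'
}

# Demo on the constructed samples.
echo "guide order,   vpn -> net: $(sample_policy | effective_policy vpn net)"
echo "swapped order, vpn -> net: $(misordered_policy | effective_policy vpn net)"
misordered_policy | shadowed_entries
```

Rules in /etc/shorewall/rules are checked before the policy file, so this model only describes traffic that no rule matches.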
</body></html> | |