Follow instructions at http://www.bugzilla.org/docs/2.18/html/installation.html, but with the following exceptions and/or additional steps noted for each section:
2.1.2: Ensuring MySQLd Starts when the Server Does
[root@localhost init.d]# chkconfig --list mysqld
mysqld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@localhost init.d]# chkconfig --level 345 mysqld on
[root@localhost init.d]# chkconfig --list mysqld
mysqld 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@localhost init.d]# ./mysqld start
Initializing MySQL database: [ OK ]
Starting MySQL: [ OK ]
2.1.3: Compiling Apache
I downloaded the latest Apache 2.0 source code (2.0.54 at the time of this writing) and copied it to /usr/local/src where I always do my custom-compiling. If your system does not already have this directory, I would encourage you to create it.
(Red Hat / Fedora Core note: distribution RPMs never install in /usr/local, which is nice: after all, /usr/local is for stuff that's "local" to your installation! Red Hat and Fedora Core's packages respect the proper use of local and leave it alone, which is particularly nice at upgrade time: your local modifications to your distribution survive upgrades intact. Complementarily, almost all software that is custom-compiled and installed from source code uses /usr/local as its base install path.)
Here's what I did to prepare Apache for compilation:
[root@localhost etc]# cp /downloads/httpd-2.0.54.tar.gz /usr/local/src
[root@localhost etc]# cd /usr/local/src
[root@localhost src]# tar -xzvf httpd-2.0.54.tar.gz
[root@localhost src]# cd /usr/local/src/httpd-2.0.54
NOTE: Only GNU tar recognises the -z option. If your Unix has a non-gzip-aware tar, I recommend you do this in place of the tar command above:
[root@localhost src]# gunzip httpd-2.0.54.tar.gz
[root@localhost src]# tar -xvf httpd-2.0.54.tar
[root@localhost src]# # re-gzip to save disc space
[root@localhost src]# gzip httpd-2.0.54.tar
At this point, I was ready to configure Apache. I almost always run ./configure with arguments when I custom-compile software, and over the years I've come to make a wrapper script called ./runconfigure.sh so that I've got a record of what arguments I used when I ran ./configure. So here's the wrapper script that I used, below. In it, I asked for all modules to be shared, for most modules to be compiled in (especially ssl and dav, which are needed by subversion), but for mod_status and mod_userdir to be compiled out. Arguably, other superfluous modules like mod_cgi could have been compiled out as well.
#!/bin/sh
# runconfigure.sh -- wrapper script for ./configure
./configure \
--prefix=/usr/local/apache_ost_bugzilla \
--enable-mods-shared="most ssl" \
--disable-status \
--disable-userdir \
--with-port=2000
# Sadly, there is no way to specify the ssl port;
# we will have to manually modify that later.
Here's what I did to compile and install Apache:
[root@localhost httpd-2.0.54]# chmod +x runconfigure.sh
[root@localhost httpd-2.0.54]# ./runconfigure.sh
[root@localhost httpd-2.0.54]# make
[root@localhost httpd-2.0.54]# make install
A Few Fixes to Apache's Configuration and Startup
Interestingly, the Apache install script did not remove the
mod_userdir configuration from httpd.conf, even when I chose
not to compile that module. So, I had to comment it out manually.
There's only one line that needed to be commented out:
UserDir public_html/
Here's one way to do so, without having to use an interactive editor:
[root@localhost httpd-2.0.54]# cd /usr/local/apache_ost_bugzilla/conf
[root@localhost conf]# sed -i -e 's/^UserDir public_html/# &/' httpd.conf
There's another small problem I needed to fix with Apache so that SSL would work smoothly. The apachectl control script needs to define the property "SSL" on the command line to make Apache read its SSL configuration from httpd.conf and ssl.conf. Although "SSL" must be defined for both startup and shutdown, it is only defined in the startup clause of the Apache control script. To fix this problem, I opened /usr/local/apache_ost_bugzilla/bin/apachectl in a text editor, looked for this line:
startssl|sslstart|start-SSL
and added the following lines above it:
stopssl|sslstop|stop-SSL)
$HTTPD -k stop -DSSL
ERROR=$?
;;
Once you have installed your own custom-compiled Apache with mod_ssl, don't forget to start and stop Apache with these commands:
/usr/local/apache_ost_bugzilla/bin/apachectl startssl
/usr/local/apache_ost_bugzilla/bin/apachectl stopssl
and not with these:
/usr/local/apache_ost_bugzilla/bin/apachectl start
/usr/local/apache_ost_bugzilla/bin/apachectl stop
Securing Apache Conveniently
To run using https, Apache needs a certificate to give to browsers. This certificate is not generated when Apache is compiled; I had to create one myself.
First, I created the directories ssl.crt and ssl.key in the default locations expected by /usr/local/apache_ost_bugzilla/conf/ssl.conf (which is included by /usr/local/apache_ost_bugzilla/conf/httpd.conf):
[root@localhost conf]# cd /usr/local/apache_ost_bugzilla/conf
[root@localhost conf]# mkdir ssl.crt
[root@localhost conf]# mkdir ssl.key
My project only required a self-signed certificate, not a certificate from a bona fide certificate generating authority. Interestingly, there's a lot of confusing information on the internet on just how to generate a self-signed certificate for Apache, and, sadly, most of that information is way more complicated than it has to be. It turns out I was able to generate the key and the cert all in a single openssl command (note that, after some output, you will be prompted for a pass phrase twice):
[root@localhost conf]# openssl req -new -x509 -days 3650 \
-keyout ./ssl.key/server.key \
-out ./ssl.crt/server.crt \
-subj '/CN=Test-Only Certificate'
Because of the certificate, whenever Apache started, it prompted me for the pass phrase. This was not useful, because I planned on using apachectl (or some form of it) in my server's startup and shutdown scripts: I didn't want my server to stop and prompt me for a password every time I rebooted it --- after all, what if I had to reboot it remotely? I wouldn't be at the console to enter the pass phrase. Happily, there's a way to get around this problem (note that the openssl command prompted me for the pass phrase I selected above):
[root@localhost conf]# cp ssl.key/server.key ssl.key/server.key.org
[root@localhost conf]# openssl rsa -in ssl.key/server.key.org -out ssl.key/server.key
[root@localhost conf]# chmod 400 ssl.key/server.key
Note that the new ssl.key/server.key above is insecure: it is no longer protected by a pass phrase, so anyone who can read the file can use the key. That's why I protected it by setting its permissions as restrictively as possible.
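A way to check the result of the step above, as an added example that is not part of the original page: it classifies each file in a key directory as pass-phrase protected or not and, for unprotected keys, checks that group and others have no access bits. The function names and the header-only sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# classify_key FILE prints one of:
#   encrypted             a pass phrase is still needed to use the key
#   plaintext-restricted  no pass phrase; only the owner has access bits
#   plaintext-exposed     no pass phrase; group or others have access bits
#   not-a-key             no PEM private-key header in the first lines
classify_key() {
    head3=$(head -n 3 "$1" 2>/dev/null)
    case $head3 in
        *"PRIVATE KEY-----"*) ;;
        *) echo not-a-key; return 0 ;;
    esac
    # Traditional PEM marks encryption with "Proc-Type: 4,ENCRYPTED";
    # PKCS#8 uses "BEGIN ENCRYPTED PRIVATE KEY". Both contain ENCRYPTED.
    case $head3 in
        *ENCRYPTED*) echo encrypted; return 0 ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then
        echo plaintext-restricted
    else
        echo plaintext-exposed
    fi
}

# audit_keys DIR lists every file's state; fails if a key is plaintext-exposed.
audit_keys() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(classify_key "$f")
        echo "$state $f"
        if [ "$state" = plaintext-exposed ]; then rc=1; fi
    done
    return $rc
}

# Constructed demo: header-only stand-ins for the two files the page creates.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
    > "$demo/server.key.org"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' > "$demo/server.key"
chmod 644 "$demo/server.key"; audit_keys "$demo" || echo "=> tighten permissions"
chmod 400 "$demo/server.key"; audit_keys "$demo" && echo "=> keys OK"
rm -rf "$demo"
```

Pointed at /usr/local/apache_ost_bugzilla/conf/ssl.key, audit_keys should report server.key.org as encrypted and server.key as plaintext-restricted.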
Remember, above, how we were not able to specify an ssl port in the runconfigure script? Well, we will fix that now:
[root@localhost conf]# sed -i -e 's/443/2001/g' ssl.conf
At the very end of /usr/local/apache_ost_bugzilla/conf/httpd.conf, add these mod-rewrite lines as a nice way to forward browsers from http to https:
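# redirect all port 2000 requests to 2001
RewriteEngine on
RewriteCond "%{SERVER_PORT}" "^2000$"
# In server context the matched path starts with "/"; keep it out of $1
# so the redirect target does not contain "//".
RewriteRule "^/?(.*)$" "https://%{SERVER_NAME}:2001/$1" [R,L]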
Ensuring Apache Starts when the Server Does
Chances are, your Linux/Unix installation shipped with Apache already installed. My Fedora Core system did, so I wanted to disable it to keep it from interfering with my custom Apache. (Although, at least my custom Apache is using different ports in case the original installation is ever accidentally started.)
The method for disabling the automatic startup of Apache is different from system to system, but let me show you how I disabled the Apache that shipped with my Fedora Core system.
Fedora Core uses a spiffy system utility called chkconfig to manage the starting and stopping of system services at various runlevels. I asked chkconfig what runlevels Apache was running at:
[root@localhost etc]# chkconfig --list httpd
httpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
I told chkconfig not to run Apache at the three runlevels where it was on, and then I manually shut down Apache (seeing as it was currently running).
[root@localhost etc]# chkconfig --level 345 httpd off
[root@localhost etc]# chkconfig --list httpd
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@localhost etc]# /etc/rc.d/init.d/httpd stop
Stopping httpd: [ OK ]
Now what I needed to do was put a different script in /etc/rc.d/init.d to start and stop my custom Apache. Fortunately, /usr/local/apache_ost_bugzilla/bin/apachectl is a shell script that already mostly follows the conventions of a Unix init script: it already takes "start" and "stop" as arguments. However, the non-standard "startssl" and "stopssl" are used to get Apache to use SSL, so I had to do some editing.
First, I copied Apache's control script into Fedora Core's standard location for init scripts:
[root@localhost etc]# cp /usr/local/apache_ost_bugzilla/bin/apachectl /etc/rc.d/init.d/apache_ost_bugzilla
Next, I borrowed, in altered form, the first few lines of Fedora Core's /etc/rc.d/init.d/httpd script and put them at the top of /etc/rc.d/init.d/apache_ost_bugzilla, so that apache_ost_bugzilla would be usable by Fedora Core's spiffy chkconfig programme. (Note that chkconfig's parameters in init scripts look like mere comments, but chkconfig actually reads them.) Here are the lines I added just below the "#!/bin/sh" in /etc/rc.d/init.d/apache_ost_bugzilla:
#
# apache_ost_bugzilla Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: This Apache installation is really a Bugzilla repository.
# processname: httpd
# config: /usr/local/apache_ost_bugzilla/conf/httpd.conf
Then, I removed these two stanzas:
stopssl|sslstop|stop-SSL)
$HTTPD -k stop -DSSL
ERROR=$?
;;
startssl|sslstart|start-SSL)
$HTTPD -k start -DSSL
ERROR=$?
;;
Next, I changed this stanza:
start|stop|restart|graceful)
$HTTPD -k $ARGV
ERROR=$?
;;
to this:
start|stop|restart|graceful)
echo -n "Apache + Bugzilla $ARGV, status: "
$HTTPD -k $ARGV -DSSL
ERROR=$?
[ "$ERROR" -eq 0 ] && echo "OK" || echo "FAILED"
;;
so that the property "SSL" was defined for all four targets captured by that stanza, and so that we get some feedback on the command-line (though not as pretty as Fedora Core's scripts).
Next, I told chkconfig to add apache_ost_bugzilla to its setup, and to make it active at runlevels 3, 4, and 5:
[root@localhost init.d]# chkconfig --add apache_ost_bugzilla
[root@localhost init.d]# chkconfig --list apache_ost_bugzilla
apache_ost_bugzilla 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@localhost init.d]# chkconfig --level 345 apache_ost_bugzilla on
[root@localhost init.d]# chkconfig --list apache_ost_bugzilla
apache_ost_bugzilla 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Then I started Apache using its new init script.
[root@localhost init.d]# /etc/rc.d/init.d/apache_ost_bugzilla start
Apache + Bugzilla start, status: OK
...and then turned it off again before going to the next step.
[root@localhost init.d]# /etc/rc.d/init.d/apache_ost_bugzilla stop
Apache + Bugzilla stop, status: OK
2.1.4: Where I Unzipped Bugzilla
/usr/local/apache_ost_bugzilla/htdocs/ost/bugzilla-2.18.3
2.1.5: checksetup.pl
The first time I ran ./checksetup.pl, I was missing two necessary Perl modules. I ran the CPAN command to get the first of the two modules, but CPAN had never been used before, so the CPAN setup programme started asking me questions, and it could not find ncftpget. So I downloaded the rpm for ncftpget (http://download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/Fedora/RPMS/ncftp-3.1.7-2.i386.rpm for Fedora Core 2) and installed it.
When I ran CPAN for the second module, the second module asked to install all sorts of optional stuff; just say no to the optional stuff.
2.1.6: sendmail
I usually disable sendmail on my servers. Alas, I had to re-enable it for Bugzilla:
[root@localhost root]# cd /etc/rc.d/init.d/
[root@localhost init.d]# chkconfig --list sendmail
service sendmail supports chkconfig, but is not referenced in any runlevel (run 'chkconfig --add sendmail')
[root@localhost init.d]# chkconfig --add sendmail
[root@localhost init.d]# chkconfig --list sendmail
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost init.d]# ./sendmail start
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
[root@localhost init.d]#
2.2.1: bugs database
OK, so basically, for 2.2.1, you have to create the bugs db and user in mysql, but nothing actually explicitly says you have to. Go figure. This way, because you created the user yourself, you know what username and password you need to put into the localconfig file you are supposed to edit at this step.
Here's how to create the bugs database:
[root@localhost etc]# mysqladmin -u root -p create bugs
NOTE: when it asks you for a password, just hit enter, because I have not assigned a password to the root user yet.
It is also unclear as to *where* the bugs user is created, but apparently you can connect to mysql and not connect to a particular database and run this command (from 2.2.2.4) to create the user:
[root@localhost bugzilla-2.18.3]# mysql -u root -p
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 3.23.58
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> GRANT SELECT, INSERT,
-> UPDATE, DELETE, INDEX, ALTER, CREATE, DROP,
-> REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY
-> 'bugs';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> \q
Bye
[root@localhost bugzilla-2.18.3]#
2.2.2.3: Doesn't work
Section 2.2.2.3 does not work because the db tables have not been created yet. Duh. Run section 2.2.2.3 after 2.2.3, and run it on the bugs database that will be created, logged on as the bugs user!
2.2.2.4: Skip it
Skip section 2.2.2.4: you've already run the user creation stuff in my notes on section 2.2.1.
2.2.3: Now you fix the attachments table; optionally, restore DB
2.2.3 says to run checksetup.pl to make the db, and that's what it does, now that you've created the user for it to use. Now you are ready to run the commands from earlier step 2.2.2.3:
[root@localhost bugzilla-2.18.3]# mysql -u bugs -p bugs
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 12 to server version: 3.23.58
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> ALTER TABLE attachments
-> AVG_ROW_LENGTH=1000000, MAX_ROWS=20000;
Query OK, 0 rows affected (0.00 sec)
Records: 0 Duplicates: 0 Warnings: 0
mysql> \q
Bye
[root@localhost bugzilla-2.18.3]#
Also, please note that if you have a backup of a bugzilla database, this is probably the best time to restore it. A sample command would be:
cat bugs.dump | mysql -u bugs -p bugs
I suppose too you may want to manually alter the bugs.dump file so that the "alter table attachments" thingie from 2.2.2.3 executes before loading in any attachments. Just a thought.
Finally, you're probably curious as to the best way to get a dump of any current bugzilla database you may have. This command does the trick, making sure to drop any tables before (re-)running the create table commands and then the table populate commands:
mysqldump -u bugs -p --add-drop-table bugs > bugs.mysqldump
Finally, note that bugs.mysqldump will contain table drop, build, and population SQL statements in alphabetical order, not in any order that might ensure referential integrity and other constraints are observed. Interestingly, this still seems to work fine. Go figure.
2.2.4.1: Dir changes
For 2.2.4.1, I applied the changes to directory /usr/local/apache_ost_bugzilla/htdocs/ost/bugzilla-2.18.3, because that's where I unzipped bugzilla.
Also note that I changed httpd.conf's and ssl.conf's group from #-1 to nobody. I also changed $webservergroup = "nobody"; in bugzilla's localconfig file to match the Apache group.
That makes this necessary:
chown -R nobody:nobody /usr/local/apache_ost_bugzilla/htdocs/ost
Also note that I changed httpd.conf's and ssl.conf's Listen and ServerName parameters to exact values.
2.2.4.*: Start Apache!
This section does not say to start or restart apache, but, obviously, you would.
The url will be https://localhost:2001/ost/bugzilla-2.18.3/.
Notes on Section 4.2.3:
Section 4.2.3 has a great no-brainer on killing network access to MySQL. I implemented that.
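One way to confirm that change stays in place, as an added example that is not part of the original page: it assumes the measure is the skip-networking option in the [mysqld] section of a my.cnf-style file (the page does not show the exact edit), and it goes slightly further by also recognising a loopback-only bind-address. The function name and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original page; names here are hypothetical.
# mysqld_net_state FILE prints how the [mysqld] section of a my.cnf-style
# file leaves TCP access:
#   disabled  skip-networking is set (socket-only server)
#   loopback  bind-address limits the listener to 127.0.0.1 or ::1
#   exposed   neither setting is active in [mysqld]
mysqld_net_state() {
    awk '
        /^[ \t]*[#;]/ { next }                      # whole-line comments
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !insec        { next }                      # other sections
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)             # trailing comment
            gsub(/[ \t]/, "", line)
            gsub(/_/, "-", line)                    # MySQL accepts _ for -
            if (line ~ /^skip-networking(=(1|on|ON))?$/) skip = 1
            if (line ~ /^bind-address=/) bind = substr(line, 14)
        }
        END {
            if (skip) print "disabled"
            else if (bind == "127.0.0.1" || bind == "::1") print "loopback"
            else print "exposed"
        }
    ' "$1"
}

# Constructed sample files: option commented out or misplaced, then corrected.
demo=$(mktemp -d)
cat > "$demo/before.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# skip-networking
[mysql.server]
skip-networking
EOF
cat > "$demo/after.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-networking
EOF
for f in before after; do
    echo "$f: $(mysqld_net_state "$demo/$f.cnf")"
done
rm -rf "$demo"
```

The "before" file is reported as exposed because the option is commented out in [mysqld] and the active copy sits in another section, where mysqld does not read it.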