Perlbrew/cpanm installation on centos 6

hi,

In a test environment I have installed rt 4.0.6 with a local Perl (5.14.2)
from perlbrew. Installing the dependencies with cpanm was a breeze, I must
say, impressive.

My problem is how to get this rt which starts perfectly from
/opt/rt4/sbin/rt-server running with apache2 on centos6. If I install
mod_perl, rt4 will not start because it tries to use the system Perl, and
that will not work because of all the missing dependencies.

If I try mod_fastcgi with the configuration on the web_deployment.pod I get
errors (selinux is disabled):

(13)Permission denied: FastCGI: failed to connect to server
"/opt/rt4/sbin/rt-server.fcgi":

Right now I got it working from a reverse proxy with mod_proxy starting the
webserver on port 8000 with Starman.

I get warnings:
[Fri Jun 8 14:10:59 2012] [warning]: The actual HTTP_HOST (127.0.0.1) does
NOT match the configured WebDomain (host.domain.tld). Perhaps you should
Set($WebDomain, ‘127.0.0.1’); in RT_SiteConfig.pm, otherwise your internal
links may be broken. (/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:1098)

The mod_proxy way looks promissing, but is it a correct way? Is anyone else
running rt from a non system Perl and apache2 in rhel/centos?

Groeten,
natxo

In a test environment I have installed rt 4.0.6 with a local Perl
(5.14.2) from perlbrew. Installing the dependencies with cpanm was a
breeze, I must say, impressive.

Yep, I wish more folks used this setup. It’s never resulted in
dependency hell for me.

If I try mod_fastcgi with the configuration on the web_deployment.pod I
get errors (selinux is disabled):

(13)Permission denied: FastCGI: failed to connect to server
"/opt/rt4/sbin/rt-server.fcgi":

So, did you try to fix the permissions? I suspect it’s as simple as the
user apache is running as can’t read/execute rt-server.fcgi and the
whole directory tree above it. You may need to change the group on files.

To do that easily, re-run ./configure from the source tarball with the
appropriate --with-web-user and/or --with-web-group options and then run
make install again. You can find your original configure options at the
top of /opt/rt4/etc/RT_Config.pm.

SELinux makes things slightly harder and more frustrating, though still
possible of course, but it’s disabled, so you don’t have to worry about
that.

The mod_proxy way looks promissing, but is it a correct way? Is anyone
else running rt from a non system Perl and apache2 in rhel/centos?

Reverse proxying is certainly an option, but apache + fastcgi is a very
very common setup that works solidly.

Thomas

If I try mod_fastcgi with the configuration on the web_deployment.pod I
get errors (selinux is disabled):

(13)Permission denied: FastCGI: failed to connect to server
"/opt/rt4/sbin/rt-server.fcgi":

So, did you try to fix the permissions? I suspect it’s as simple as the
user apache is running as can’t read/execute rt-server.fcgi and the
whole directory tree above it. You may need to change the group on files.

To do that easily, re-run ./configure from the source tarball with the
appropriate --with-web-user and/or --with-web-group options and then run
make install again. You can find your original configure options at the
top of /opt/rt4/etc/RT_Config.pm.

these are the permissions in /opt/rt4/sbin:

ls -l /opt/rt4/sbin/
total 216
-rwxr-xr-x. 1 root apache 3690 Jun 8 21:11 rt-attributes-viewer
-rwxr-xr-x. 1 root apache 5511 Jun 8 21:11 rt-clean-sessions
-rwxr-xr-x. 1 root apache 7816 Jun 8 21:11 rt-dump-metadata
-rwxr-xr-x. 1 root apache 4966 Jun 8 21:11 rt-email-dashboards
-rwxr-xr-x. 1 root apache 11886 Jun 8 21:11 rt-email-digest
-rwxr-xr-x. 1 root apache 13054 Jun 8 21:11 rt-email-group-admin
-rwxr-xr-x. 1 root apache 11797 Jun 8 21:11 rt-fulltext-indexer
-rwxr-xr-x. 1 root apache 4664 Jun 8 21:11 rt-preferences-viewer
-rwxr-xr-x. 1 root apache 8032 Jun 8 21:11 rt-server
-rwxr-xr-x. 1 root apache 8032 Jun 8 21:11 rt-server.fcgi
-rwxr-xr-x. 1 root apache 3684 Jun 8 21:11 rt-session-viewer
-rwxr-xr-x. 1 root apache 17612 Jun 8 21:11 rt-setup-database
-rwxr-xr-x. 1 root apache 20761 Jun 8 21:11 rt-setup-fulltext-index
-rwxr-xr-x. 1 root apache 8439 Jun 8 21:11 rt-shredder
-rwxr-xr-x. 1 root apache 15790 Jun 8 21:11 rt-test-dependencies
-rwxr-xr-x. 1 root apache 38439 Jun 8 21:11 rt-validator
-rwxr-xr-x. 1 root apache 8032 Jun 8 21:11 standalone_httpd

This is my ./configure incantation:

$ ./configure --with-db-type=Pg --with-db-host=host.domain.tld

–with-db-rt-pass=password --with-web-user=apache --with-web-group=apache
–with-apachectl=/usr/sbin/apachectl --with-web-handler=fastcgi

My rt.conf apache virtual host config:

FastCgiServer /opt/rt4/sbin/rt-server -processes 5 -idle-timeout 300

<VirtualHost *:80>
ServerName rt.domain.tld
### Optional apache logs for RT
# Ensure that your log rotation scripts know about these files
ErrorLog /opt/rt4/var/log/apache2.error
TransferLog /opt/rt4/var/log/apache2.access
LogLevel debug

AddDefaultCharset UTF-8

Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

DocumentRoot "/opt/rt4/share/html"
<Location />
    Order allow,deny
    Allow from all

    Options +ExecCGI
    AddHandler fastcgi-script fcgi
</Location>

In the apache error log I get plenty of these:

Fri Jun 08 22:01:02 2012] [crit] (13)Permission denied: FastCGI: can’t
create server “/opt/rt4/sbin/rt-server”: bind() failed
[/etc/httpd/logs/fastcgi/5ca4b3adecea1bd2fa8ffd8f7584ca93]
[Fri Jun 08 22:01:03 2012] [crit] (13)Permission denied: FastCGI: can’t
create server “/opt/rt4/sbin/rt-server”: bind() failed
[/etc/httpd/logs/fastcgi/5ca4b3adecea1bd2fa8ffd8f7584ca93]

in the /opt/rt4/var/log/apache2.error

Fri Jun 08 21:58:29 2012] [alert] [client 192.168.0.21] (13)Permission
denied: FastCGI: failed to connect to (dynamic) server
"/opt/rt4/sbin/rt-server.fcgi": something is seriously wrong, any chance
the socket/named_pipe directory was removed?, see the FastCgiIpcDir
directive
[Fri Jun 08 21:58:29 2012] [error] [client 192.168.0.21] FastCGI:
incomplete headers (0 bytes) received from server
"/opt/rt4/sbin/rt-server.fcgi"

I am afraid my fastcgi fu is close to zero. Learning as I go. If any one
can shed light on this, that would be great.

TIA.

groet,
natxo

Fri Jun 08 21:58:29 2012] [alert] [client 192.168.0.21] (13)Permission
denied: FastCGI: failed to connect to (dynamic) server
“/opt/rt4/sbin/rt-server.fcgi”: something is seriously wrong, any chance
the socket/named_pipe directory was removed?, see the FastCgiIpcDir
directive
[Fri Jun 08 21:58:29 2012] [error] [client 192.168.0.21] FastCGI:
incomplete headers (0 bytes) received from server
“/opt/rt4/sbin/rt-server.fcgi”

If I define the FastCgiDir directive and chmod -R 777 that directory, then
it works:

FastCgiIpcDir /var/www/html/fastcgi-rt/

If this directory is apache:apache 770, it doesn’t work.

It bloks th best practical logo too:

[Fri Jun 08 22:33:14 2012] [error] [client 192.168.0.160] FastCGI: invalid
(dynamic) server
“/opt/rt4/share/html/NoAuth/images/jquery_ui/ui-bg_flat_75_ffffff_40x100.png”:
access for server (uid 48, gid 48) not allowed: execute not allowed,
referer: http://rt.ipa.asenjo.nx/
[Fri Jun 08 22:34:34 2012] [error] [client 192.168.0.21] FastCGI: invalid
(dynamic) server “/opt/rt4/share/html/NoAuth/images/bpslogo.png”: access
for server (uid 48, gid 48) not allowed: execute not allowed, referer:
http://rt.ipa.asenjo.nx/

Quite weird.

natxo

My rt.conf apache virtual host config:

FastCgiServer /opt/rt4/sbin/rt-server -processes 5 -idle-timeout 300

<VirtualHost *:80>
ServerName rt.domain.tld
### Optional apache logs for RT
# Ensure that your log rotation scripts know about these files
ErrorLog /opt/rt4/var/log/apache2.error
TransferLog /opt/rt4/var/log/apache2.access
LogLevel debug

AddDefaultCharset UTF-8

Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

DocumentRoot "/opt/rt4/share/html"
<Location />
    Order allow,deny
    Allow from all

    Options +ExecCGI
    AddHandler fastcgi-script fcgi
</Location>

Your FastCgiServer line looks different from the one in
docs/web_deployment.pod.

-kevin

My rt.conf apache virtual host config:

FastCgiServer /opt/rt4/sbin/rt-server -processes 5 -idle-timeout 300

<VirtualHost *:80>
ServerName rt.domain.tld
### Optional apache logs for RT
# Ensure that your log rotation scripts know about these files
ErrorLog /opt/rt4/var/log/apache2.error
TransferLog /opt/rt4/var/log/apache2.access
LogLevel debug

AddDefaultCharset UTF-8

Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

DocumentRoot "/opt/rt4/share/html"
<Location />
    Order allow,deny
    Allow from all

    Options +ExecCGI
    AddHandler fastcgi-script fcgi
</Location>

Your FastCgiServer line looks different from the one in
docs/web_deployment.pod.

you are right, I had bee trying stuff and forgotten to set it back:

FastCgiIpcDir /var/www/html/fastcgi-rt/
FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

SetHandler fastcgi-script

<VirtualHost *:80>
ServerName rt.ipa.asenjo.nx
### Optional apache logs for RT
# Ensure that your log rotation scripts know about these files
ErrorLog /opt/rt4/var/log/apache2.error
TransferLog /opt/rt4/var/log/apache2.access
LogLevel debug

AddDefaultCharset UTF-8

Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

DocumentRoot "/opt/rt4/share/html"
<Location />
    Order allow,deny
    Allow from all

    Options +ExecCGI
    AddHandler fastcgi-script fcgi
</Location>

If I do not set the FastCgiIpcDir directive it does not work at all.

Without FastCgiIpcDir:

/opt/rt4/var/log/apache2.error:

[Sat Jun 09 08:12:34 2012] [error] [client 192.168.0.160] (13)Permission
denied: FastCGI: failed to connect to server
“/opt/rt4/sbin/rt-server.fcgi”: connect() failed
[Sat Jun 09 08:12:34 2012] [error] [client 192.168.0.160] FastCGI:
incomplete headers (0 bytes) received from server
“/opt/rt4/sbin/rt-server.fcgi”

/var/log/httpd/error.log
[Sat Jun 09 08:13:29 2012] [crit] (13)Permission denied: FastCGI: can’t
create server “/opt/rt4/sbin/rt-server.fcgi”: bind() failed
[/etc/httpd/logs/fastcgi/f758b05f8779532382e3166ad1890013]
[Sat Jun 09 08:13:30 2012] [crit] (13)Permission denied: FastCGI: can’t
create server “/opt/rt4/sbin/rt-server.fcgi”: bind() failed
[/etc/httpd/logs/fastcgi/f758b05f8779532382e3166ad1890013]

With FastCgiIpcDir and the dir with permissions 777, it works blocking
some images:

[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid
(dynamic) server “/opt/rt4/share/html/NoAuth/images/bpslogo.png”: access
for server (uid -1, gid -1) not allowed: execute not allowed, referer:
http://rt.ipa.asenjo.nx/
[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid
(dynamic) server “/opt/rt4/share/html/NoAuth/images/bpslogo.png”: access
for server (uid -1, gid -1) not allowed: execute not allowed, referer:
http://rt.ipa.asenjo.nx/

If the FastCgiIpcDir has perms 770 for apache:apache , it does not work.

Is this normal behaviour?

Thanks for your help.
natxo

-kevin

With FastCgiIpcDir and the dir with permissions 777, it works blocking
some images:

[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid
(dynamic) server “/opt/rt4/share/html/NoAuth/images/bpslogo.png”: access
for server (uid -1, gid -1) not allowed: execute not allowed, referer:
http://rt.ipa.asenjo.nx/
[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI: invalid
(dynamic) server “/opt/rt4/share/html/NoAuth/images/bpslogo.png”: access
for server (uid -1, gid -1) not allowed: execute not allowed, referer:
http://rt.ipa.asenjo.nx/

If the FastCgiIpcDir has perms 770 for apache:apache , it does not work.

by the way, the permissions for those images are:

ls -l /opt/rt4/share/html/NoAuth/images/
total 40
-rw-r–r–. 1 root bin 334 Jun 8 21:11 autohandler
-rw-r–r–. 1 root bin 3929 Jun 8 21:11 bpslogo.png
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 css
-rw-r–r–. 1 root bin 914 Jun 8 21:11 empty_star.gif
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 farbtastic
-rw-r–r–. 1 root bin 335 Jun 8 21:11 favicon.png
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 jquery_ui
-rw-r–r–. 1 root bin 161 Jun 8 21:11 star.gif
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 tablesorter
-rw-r–r–. 1 root bin 81 Jun 8 21:11 test.png

So they are world readable and still being blocked. Perhaps they should be
owned by apache?

With FastCgiIpcDir and the dir with permissions 777, it works blocking
some images:

[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI:
invalid (dynamic) server “/opt/rt4/share/html/NoAuth/images/bpslogo.png”:
access for server (uid -1, gid -1) not allowed: execute not allowed,
referer: http://rt.ipa.asenjo.nx/
[Sat Jun 09 08:15:28 2012] [error] [client 192.168.0.160] FastCGI:
invalid (dynamic) server “/opt/rt4/share/html/NoAuth/images/bpslogo.png”:
access for server (uid -1, gid -1) not allowed: execute not allowed,
referer: http://rt.ipa.asenjo.nx/

If the FastCgiIpcDir has perms 770 for apache:apache , it does not work.

by the way, the permissions for those images are:

ls -l /opt/rt4/share/html/NoAuth/images/
total 40
-rw-r–r–. 1 root bin 334 Jun 8 21:11 autohandler
-rw-r–r–. 1 root bin 3929 Jun 8 21:11 bpslogo.png
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 css
-rw-r–r–. 1 root bin 914 Jun 8 21:11 empty_star.gif
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 farbtastic
-rw-r–r–. 1 root bin 335 Jun 8 21:11 favicon.png
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 jquery_ui
-rw-r–r–. 1 root bin 161 Jun 8 21:11 star.gif
drwxr-xr-x. 2 root bin 4096 Jun 8 21:11 tablesorter
-rw-r–r–. 1 root bin 81 Jun 8 21:11 test.png

So they are world readable and still being blocked. Perhaps they should be
owned by apache?

found it:

http://requesttracker.wikia.com/wiki/ApacheConfig#How_to_avoid_processing_images_like_dynamic_content

natxo