Configuration

Data Store

For the file storage we need to mount a volume at the following location.

• /home/redmine/data

NOTE

Existing users need to move the existing files directory inside /opt/redmine/data/.

mkdir -p /opt/redmine/data
mv /opt/redmine/files /opt/redmine/data

SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.

mkdir -p /opt/redmine/data
sudo chcon -Rt svirt_sandbox_file_t /opt/redmine/data

Volumes can be mounted in docker by specifying the '-v' option in the docker run command.

docker run --name=redmine -it --rm \
  -v /opt/redmine/data:/home/redmine/data dockerimages/redmine:2.5.2-2

PostgreSQL

The image also supports using an external PostgreSQL Server. This is also controlled via environment variables.

CREATE ROLE redmine with LOGIN CREATEDB PASSWORD 'password';
CREATE DATABASE redmine_production;
GRANT ALL PRIVILEGES ON DATABASE redmine_production to redmine;

We are now ready to start the redmine application.

docker run --name=redmine -it --rm \
  -e "DB_TYPE=postgres" -e "DB_HOST=192.168.1.100" \
  -e "DB_NAME=redmine_production" -e "DB_USER=redmine" -e "DB_PASS=password" \
  -v /opt/redmine/data:/home/redmine/data \
  dockerimages/redmine:2.5.2-2

This will initialize the redmine database and after a couple of minutes your redmine instance should be ready to use.

Linking to PostgreSQL Container

You can link this image with a postgresql container for the database requirements. The alias of the postgresql server container should be set to postgresql while linking with the redmine image.

If a postgresql container is linked, only the DB_TYPE, DB_HOST and DB_PORT settings are automatically retrieved using the linkage. You may still need to set other database connection parameters such as the DB_NAME, DB_USER, DB_PASS and so on.

To illustrate linking with a postgresql container, we will use the dockerimages/postgresql image. When using postgresql image in production you should mount a volume for the postgresql data store. Please refer the README of docker-postgresql for details.

First, lets pull the postgresql image from the docker index.

docker pull dockerimages/postgresql:latest

For data persistence lets create a store for the postgresql and start the container.

SELinux users are also required to change the security context of the mount point so that it plays nicely with selinux.

mkdir -p /opt/postgresql/data
sudo chcon -Rt svirt_sandbox_file_t /opt/postgresql/data

The updated run command looks like this.

docker run --name postgresql -it --rm \
  -v /opt/postgresql/data:/var/lib/postgresql \
  dockerimages/postgresql:latest

You should now have the postgresql server running. The password for the postgres user can be found in the logs of the postgresql image.

docker logs postgresql

Now, lets login to the postgresql server and create a user and database for the redmine application.

docker run -it --rm dockerimages/postgresql:latest psql -U postgres -h $(docker inspect --format {{.NetworkSettings.IPAddress}} postgresql)

CREATE ROLE redmine with LOGIN CREATEDB PASSWORD 'password';
CREATE DATABASE redmine_production;
GRANT ALL PRIVILEGES ON DATABASE redmine_production to redmine;

We are now ready to start the redmine application.

docker run --name=redmine -it --rm --link postgresql:postgresql \
  -e "DB_USER=redmine" -e "DB_PASS=password" \
  -e "DB_NAME=redmine_production" \
  -v /opt/redmine/data:/home/redmine/data \
  dockerimages/redmine:2.5.2-2

Memcached (Optional)

This image can (optionally) be configured to use a memcached server to speed up Redmine. This is particularly useful when you have a large number users.

External Memcached Server

The image can be configured to use an external memcached server. The memcached server host and port configuration should be specified using environment variables MEMCACHE_HOST and MEMCACHE_PORT like so:

Assuming that the memcached server host is 192.168.1.100

docker run --name=redmine -it --rm \
  -e 'MEMCACHE_HOST=192.168.1.100' -e 'MEMCACHE_PORT=11211' \
  dockerimages/redmine:2.5.2-2

Linking to Memcached Container

Alternately you can link this image with a memcached container. The alias of the memcached server container should be set to memcached while linking with the redmine image.

To illustrate linking with a memcached container, we will use the dockerimages/memcached image. Please refer the README of docker-memcached for details.

First, lets pull and launch the memcached image from the docker index.

docker run --name=memcached -d dockerimages/memcached:latest

Now you can link memcached to the redmine image:

docker run --name=redmine -it --rm --link memcached:memcached \
  dockerimages/redmine:2.5.2-2

Mail

The mail configuration should be specified using environment variables while starting the redmine image. The configuration defaults to using gmail to send emails and requires the specification of a valid username and password to login to the gmail servers.

The following environment variables need to be specified to get mail support to work.

• SMTP_ENABLED (defaults to true if SMTP_USER is defined, else defaults to false)
• SMTP_DOMAIN (defaults to www.gmail.com)
• SMTP_HOST (defaults to smtp.gmail.com)
• SMTP_PORT (defaults to 587)
• SMTP_USER
• SMTP_PASS
• SMTP_STARTTLS (defaults to true)
• SMTP_AUTHENTICATION (defaults to :login if SMTP_USER is set)

docker run --name=redmine -it --rm \
  -e "[email protected]" -e "SMTP_PASS=PASSWORD" \
  -v /opt/redmine/data:/home/redmine/data dockerimages/redmine:2.5.2-2

If you are not using google mail, then please configure the SMTP host and port using the SMTP_HOST and SMTP_PORT configuration parameters.

NOTE:

I have only tested standard gmail and google apps login. I expect that the currently provided configuration parameters should be sufficient for most users. If this is not the case, then please let me know.

SSL

Access to the redmine application can be secured using SSL so as to prevent unauthorized access. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. I will provide instructions on achieving this towards the end of this section.

To secure your application via SSL you basically need two things:

• Private key (.key)
• SSL certificate (.crt)

When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are armed with CA certified SSL certificates.

Jump to the Using HTTPS with a load balancer section if you are using a load balancer such as hipache, haproxy or nginx.

Generation of Self Signed Certificates

Generation of self-signed SSL certificates involves a simple 3 step procedure.

STEP 1: Create the server private key

openssl genrsa -out redmine.key 2048

STEP 2: Create the certificate signing request (CSR)

openssl req -new -key redmine.key -out redmine.csr

STEP 3: Sign the certificate using the private key and CSR

openssl x509 -req -days 365 -in redmine.csr -signkey redmine.key -out redmine.crt

Congratulations! you have now generated an SSL certificate thats valid for 365 days.

Strengthening the server security

This section provides you with instructions to strengthen your server security. To achieve this we need to generate stronger DHE parameters.

openssl dhparam -out dhparam.pem 2048

Installation of the SSL Certificates

Out of the four files generated above, we need to install the redmine.key, redmine.crt and dhparam.pem files at the redmine server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).

The default path that the redmine application is configured to look for the SSL certificates is at /home/redmine/data/certs, this can however be changed using the SSL_KEY_PATH, SSL_CERTIFICATE_PATH and SSL_DHPARAM_PATH configuration options.

If you remember from above, the /home/redmine/data path is the path of the data store, which means that we have to create a folder named certs inside /opt/redmine/data/ and copy the files into it and as a measure of security we will update the permission on the redmine.key file to only be readable by the owner.

mkdir -p /opt/redmine/data/certs
cp redmine.key /opt/redmine/data/certs/
cp redmine.crt /opt/redmine/data/certs/
cp dhparam.pem /opt/redmine/data/certs/
chmod 400 /opt/redmine/data/certs/redmine.key

Great! we are now just one step away from having our application secured.

Enabling HTTPS support

HTTPS support can be enabled by setting the REDMINE_HTTPS option to true.

docker run --name=redmine -d \
  -e 'REDMINE_HTTPS=true' \
  -v /opt/redmine/data:/home/redmine/data \
  dockerimages/redmine:2.5.2-2

In this configuration, any requests made over the plain http protocol will automatically be redirected to use the https protocol. However, this is not optimal when using a load balancer.

Using HTTPS with a load balancer

Load balancers like nginx/haproxy/hipache talk to backend applications over plain http and as such the installation of ssl keys and certificates are not required and should NOT be installed in the container. The SSL configuration has to instead be done at the load balancer. Hoewever, when using a load balancer you MUST set REDMINE_HTTPS to true.

With this in place, you should configure the load balancer to support handling of https requests. But that is out of the scope of this document. Please refer to Using SSL/HTTPS with HAProxy for information on the subject.

When using a load balancer, you probably want to make sure the load balancer performs the automatic http to https redirection. Information on this can also be found in the link above.

In summation, when using a load balancer, the docker command would look for the most part something like this:

docker run --name=redmine -d -p 10080:80 \
  -e 'REDMINE_HTTPS=true' \
  -v /opt/redmine/data:/home/redmine/data \
  dockerimages/redmine:2.5.2-2

Deploy to a subdirectory (relative url root)

By default redmine expects that your application is running at the root (eg. /). This section explains how to run your application inside a directory.

Let's assume we want to deploy our application to '/redmine'. Redmine needs to know this directory to generate the appropriate routes. This can be specified using the REDMINE_RELATIVE_URL_ROOT configuration option like so:

docker run --name=redmine -d -p 10080:80 \
  -e 'REDMINE_RELATIVE_URL_ROOT=/redmine' \
  -v /opt/redmine/data:/home/redmine/data \
  dockerimages/redmine:2.5.2-2

Redmine will now be accessible at the /redmine path, e.g. http://www.example.com/redmine.

Note: The REDMINE_RELATIVE_URL_ROOT parameter should always begin with a slash and SHOULD NOT have any trailing slashes.

Putting it all together

docker run --name=redmine -d -h redmine.local.host \
  -v /opt/redmine/data:/home/redmine/data \
  -v /opt/redmine/mysql:/var/lib/mysql \
  -e "[email protected]" -e "SMTP_PASS=PASSWORD" \
  dockerimages/redmine:2.5.2-2

If you are using an external mysql database

docker run --name=redmine -d -h redmine.local.host \
  -v /opt/redmine/data:/home/redmine/data \
  -e "DB_HOST=192.168.1.100" -e "DB_NAME=redmine_production" -e "DB_USER=redmine" -e "DB_PASS=password" \
  -e "[email protected]" -e "SMTP_PASS=PASSWORD" \
  dockerimages/redmine:2.5.2-2

Available Configuration Parameters

Please refer the docker run command options for the --env-file flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.

Below is the complete list of parameters that can be set using environment variables.

• REDMINE_HTTPS: Enable HTTPS (SSL/TLS) port on server. Defaults to false.
• REDMINE_PORT: The port of the Redmine server. Defaults to 80 for plain http and 443 when https is enabled.
• REDMINE_RELATIVE_URL_ROOT: The relative url of the Redmine server, e.g. /redmine. No default.
• REDMINE_FETCH_COMMITS: Setup cron job to fetch commits. Possible values disable, hourly, daily or monthly. Disabled by default.
• DB_TYPE: The database type. Possible values: mysql, postgres. Defaults to mysql.
• DB_HOST: The database server hostname. Defaults to localhost.
• DB_PORT: The database server port. Defaults to 3306.
• DB_NAME: The database name. Defaults to redmine_production
• DB_USER: The database user. Defaults to root
• DB_PASS: The database password. Defaults to no password
• DB_POOL: The database connection pool count. Defaults to 5.
• NGINX_MAX_UPLOAD_SIZE: Maximum acceptable upload size. Defaults to 20m.
• NGINX_X_FORWARDED_PROTO: Advanced configuration option for the proxy_set_header X-Forwarded-Proto setting in the redmine nginx vHost configuration. Defaults to https when REDMINE_HTTPS is true, else defaults to $scheme.
• UNICORN_WORKERS: The number of unicorn workers to start. Defaults to 2.
• UNICORN_TIMEOUT: Sets the timeout of unicorn worker processes. Defaults to 60 seconds.
• MEMCACHE_HOST: The host name of the memcached server. No defaults.
• MEMCACHE_PORT: The connection port of the memcached server. Defaults to 11211.
• SSL_CERTIFICATE_PATH: The path to the SSL certificate to use. Defaults to /app/setup/certs/redmine.crt.
• SSL_KEY_PATH: The path to the SSL certificate's private key. Defaults to /app/setup/certs/redmine.key.
• SSL_DHPARAM_PATH: The path to the Diffie-Hellman parameter. Defaults to /app/setup/certs/dhparam.pem.
• SMTP_ENABLED: Enable mail delivery via SMTP. Defaults to true if SMTP_USER is defined, else defaults to false.
• SMTP_DOMAIN: SMTP domain. Defaults to www.gmail.com
• SMTP_HOST: SMTP server host. Defaults to smtp.gmail.com
• SMTP_PORT: SMTP server port. Defaults to 587.
• SMTP_USER: SMTP username.
• SMTP_PASS: SMTP password.
• SMTP_STARTTLS: Enable STARTTLS. Defaults to true.
• SMTP_AUTHENTICATION: Specify the SMTP authentication method. Defaults to :login if SMTP_USER is set.