This document explains the actions an admin must or should do during a given upgrade.
Note about config files (Tuleap's *.inc): as long as you are OK with the defaults set by the development team, there is no need for you to add those new variables to the corresponding file; the default is set automatically for you.
Note
Tuleap 9.17 is currently under development.
Warning
Tuleap does not support PHP 5.3 anymore. If you have not migrated yet, it is now mandatory; otherwise your Tuleap instance will stop working.
Tuleap now comes with php 5.6 (from Software Collections) and nginx packages by default. All new installations default to this setup.
You can switch to PHP 5.6 by using:
/usr/share/tuleap/tools/utils/php56/run.php
This will configure nginx as the new entry point for all HTTP (port 80) and HTTPS (port 443). Your existing Apache will be updated to listen on :8080 and only locally (loopback, 127.0.0.1) for subversion and mailman.
Everything is described in "PHP 5.6 on Centos 6".
Also, if you use ForumML and have not yet updated the mailman configuration, you need to do it now. In /etc/mailman/mm_cfg.py, change the following parameters:
PUBLIC_EXTERNAL_ARCHIVER = 'sudo -u codendiadm /usr/share/tuleap/plugins/forumml/bin/mail2dbng.php %(listname)s ;'
PRIVATE_EXTERNAL_ARCHIVER = 'sudo -u codendiadm /usr/share/tuleap/plugins/forumml/bin/mail2dbng.php %(listname)s ;'
To protect users, new cookie protections have been implemented. To make these protections as effective as possible, you should make sure the setting sys_https_host is not left empty in your local.inc if your Tuleap instance is reachable over HTTPS.
With this release we have updated the default TLS nginx configuration we provide with Tuleap. This change ensures the safest encryption settings will be used between browsers and your Tuleap instance.
All new instances of Tuleap will use this configuration by default but if you already have an installation, your configuration will be left untouched.
We encourage you to update it. To do it, replace the lines ssl_protocols and ssl_ciphers in /etc/nginx/conf.d/tuleap.conf with:
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
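Because existing installations keep their old configuration, the following shell function (an added example, not part of the Tuleap documentation) reads an nginx configuration on stdin and lists the protocols older than TLSv1.2 and the ciphers outside the list recommended above. The function name, the finding labels and the sample configuration are constructed for illustration, and each directive is assumed to sit on one line.

```shell
#!/bin/sh
# Added example, not Tuleap code: compare the TLS directives of an nginx
# configuration (read on stdin) with the settings recommended on this page.

# Cipher list copied from the ssl_ciphers line recommended above.
RECOMMENDED_CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'

# Prints one finding per line; prints nothing when the configuration only
# uses what the page recommends. Assumes one directive per line.
audit_nginx_tls() {
    awk -v allowed="$RECOMMENDED_CIPHERS" -v q="'" '
    BEGIN {
        n = split(allowed, a, ":")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        # Protocol names accepted by nginx that are older than TLSv1.2.
        old["SSLv2"] = old["SSLv3"] = old["TLSv1"] = old["TLSv1.1"] = 1
    }
    { sub(/#.*/, "") }                       # ignore comments
    $1 == "ssl_protocols" {
        seen_proto = 1
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p in old) print "old-protocol " p
        }
    }
    $1 == "ssl_ciphers" {
        seen_ciphers = 1
        list = $0
        sub(/^[ \t]*ssl_ciphers[ \t]+/, "", list)
        gsub("[" q "\"; \t]", "", list)      # strip quotes, semicolon, blanks
        m = split(list, c, ":")
        for (i = 1; i <= m; i++)
            if (c[i] != "" && !(c[i] in ok)) print "cipher-not-recommended " c[i]
    }
    $1 == "ssl_prefer_server_ciphers" {
        seen_pref = 1
        v = $2; sub(/;$/, "", v)
        if (v != "on") print "server-cipher-preference-off"
    }
    END {
        if (!seen_proto)   print "missing ssl_protocols"
        if (!seen_ciphers) print "missing ssl_ciphers"
        if (!seen_pref)    print "missing ssl_prefer_server_ciphers"
    }'
}

# Constructed sample: an older configuration left untouched by the upgrade.
sample_legacy_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # constructed legacy line
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
}
EOF
}

sample_legacy_conf | audit_nginx_tls
```

On a real server, run it as `audit_nginx_tls < /etc/nginx/conf.d/tuleap.conf`; an empty output means the three directives already match the recommendation.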
If your Tuleap instance is quite old, a useless (and heavy) log file may have been created at /var/log/tuleap/debug.log.
This file has not been written to since Tuleap 9.15 and can be safely deleted.
All the information about this file can be found in the Tuleap public request.
The documentation of the deprecated SOAP API is no longer displayed. If your users still need it, you can force the display by adding the following statement in /etc/tuleap/conf/local.inc:
$should_display_documentation_about_deprecated_soap_api = 1;
Users should consider using REST API instead.
In /etc/opt/rh/rh-php56/php-fpm.d/tuleap.conf please add/uncomment the following:
php_value[post_max_size] = 256M
php_value[upload_max_filesize] = 256M
php_value[max_input_vars] = 15000
In /etc/nginx/conf.d/tuleap.conf please update the client_max_body_size:
client_max_body_size 256M;
You should upgrade the way mailman and Tuleap communicate, in /etc/mailman/mm_cfg.py:
PUBLIC_EXTERNAL_ARCHIVER = 'sudo -u codendiadm /usr/share/tuleap/plugins/forumml/bin/mail2dbng.php %(listname)s ;'
PRIVATE_EXTERNAL_ARCHIVER = 'sudo -u codendiadm /usr/share/tuleap/plugins/forumml/bin/mail2dbng.php %(listname)s ;'
Attention
You can (and should) do this prior to upgrade so the upgrade will be straightforward.
If the my.cnf on your mysql server contains old_passwords=1 you will have to deactivate it (comment the line) and restart mysql.
Then update your password, as the codendiadm and dbauthuser (and openfireadm if you use the IM plugin) DB user:
SET SESSION old_passwords=0;
SET PASSWORD = PASSWORD('your_existing_password');
Starting with Tuleap 9.14, Software Collections must be enabled on your system if you have not done it yet.
In a CentOS environment, this can be done with:
shell
#> yum install centos-release-scl
In a RHEL environment, this can be done with:
shell
#> yum-config-manager --enable rhel-server-rhscl-6-rpms
Note
It's recommended to migrate to PHP 5.6 for better security and performance. Please note that PHP 5.3 will no longer be supported after 9.16 (2 releases).
Tuleap now comes with php 5.6 (from Software Collections) and nginx packages by default. All new installations default to this setup.
You can switch to php 5.6 by using:
/usr/share/tuleap/tools/utils/php56/run.php
This will configure nginx as the new entry point for all HTTP (port 80) and HTTPS (port 443). Your existing Apache will be updated to listen on :8080 and only locally (loopback, 127.0.0.1) for subversion and mailman.
Everything is described in "PHP 5.6 on Centos 6".
Note
This module is part of Tuleap Enterprise. It might not be available on your installation of Tuleap.
The crosstracker plugin is now part of Tuleap Enterprise only. You will have to install the new plugin called tuleap-plugin-crosstracker. Once done, you can migrate your old widget to the new format by running:
shell
cd /usr/share/tuleap
src/utils/php-launcher.sh plugins/crosstracker/bin/migrate_old_crosstracker_widgets.php
To help with the deprecation of the SOAP API, we no longer deliver the CLI tool or its documentation. This tool was here to help Tuleap SOAP API adoption in the early days. Users that downloaded the CLI in the past can still use it; the SOAP API has not been changed yet.
Users should consider using REST API instead.
Since Tuleap 9.14 we can search in artifact follow-up comments in TQL. In order to achieve this, the existing comments must be indexed. Since we don't know how long it can take on your instance (there is a high chance that indexing all comments of 1M+ artifacts will take some time), we prefer to delegate the migration to the site administrator instead of relying on our standard database upgrade process (forgeupgrade).
When the usage of your server is low, you can launch the following script:
shell
cd /usr/share/tuleap
src/utils/php-launcher.sh plugins/tracker/bin/store_stripped_body_of_comments.php
The script will display how many comments it will have to store. You can safely cancel the execution of the script at any moment with ctrl-c and relaunch it later.
If you use the Bugzilla reference plugin, it is recommended you change the API keys used until now. These keys are now stored encrypted instead of in cleartext in the database. You can do that as a site administrator in the plugin configuration.
Tuleap now forces the use of the HTTPS protocol if the parameter sys_https_host is not set to an empty value in the local.inc configuration file. Consequently, the parameter sys_force_ssl is no longer needed, as this becomes the only possible behavior, and can safely be removed from your configuration file.
It's strongly recommended to migrate all your mediawiki databases to 1.23 (LTS) in order to prepare PHP 5.6 compatibility.
The Test Management plugin is only available with Tuleap Enterprise.
Instances with the Test Management plugin installed and activated must execute the following command before running the forgeupgrade command during the update procedure:
shell
#> sed -i 's#/usr/share/tuleap/plugins/trafficlights#/usr/share/tuleap/plugins/testmanagement#' /etc/tuleap/forgeupgrade/config.ini
Instances with the plugin installed should update their repo file (probably /etc/yum.repos.d/tuleap.repo) to set the base URL of the Test Management repository to something like: https://<companyname>:<password>@my.enalean.com/pub/tuleap-by-enalean/tuleap-testmanagement/current/rhel6/noarch/. If you have trouble updating your configuration, please contact your Tuleap Enterprise support.
After the upgrade, the first time Test Management is accessed in each project, a project administrator will need to link the service to a tracker to collect issues, in the service administration. The tracker can be an already existing tracker, or you can create a new one dedicated to issues found while executing a test suite.
If you have the package tuleap-plugin-git-gitolite3 installed you will need to enable the Software Collections repositories to be able to retrieve Git 2.9.
In a CentOS environment, this can be done with:
shell
#> yum install centos-release-scl
In a RHEL environment, this can be done with:
shell
#> yum-config-manager --enable rhel-server-rhscl-6-rpms
The configuration of Gitolite must also be manually updated to take into account the new path to the Git binaries. The update can be done with the following command:
shell
#> sed -i "s#/opt/rh/git19/root/usr/bin#/opt/rh/rh-git29/root/usr/bin#" /var/lib/gitolite/.gitolite.rc
- Direct Database Access is disabled by default, and will be removed in a future release. If users complain, you can enable the feature by adding $sys_enable_deprecated_feature_database_export = 1; to the /etc/tuleap/conf/local.inc file. Please contact us if that is the case; otherwise we will remove the feature completely.
We have done some code clean up in plugin management. You may be interested if you have custom plugins installed on your platform: starting with Tuleap 9.9.99.73, we removed the deprecated method _addHook (replaced by addHook). Your platform will display a blank page if you are still using the former version.
In order to fix the issue (if any), please replace all occurrences of _addHook by addHook in your custom plugins.
Tuleap 9.9 introduces a new dashboard system for users and projects. The migration of the existing dashboard can take some time depending on the number of users and projects on your Tuleap instance. Plan your update accordingly.
If you had configured Bugzilla servers you must edit them to provide an API key instead of the user's password that was previously used. Please refer to the Bugzilla documentation if you need help to get an API key.
The packages of the Tuleap repository are now signed so you can be sure that the packages you get have not been altered.
We suggest you modify your repository configuration (/etc/yum.repos.d/Tuleap.repo) to:
ini
[Tuleap]
name=Tuleap
baseurl=https://ci.tuleap.net/yum/tuleap/rhel/6/dev/$basearch
enabled=1
gpgcheck=1
gpgkey=https://ci.tuleap.net/yum/tuleap/gpg.key
On the first run after the modification, Yum will ask if the key used to sign the packages is trusted.
The key has the short ID ADB0D167 and the fingerprint 3D03 B41A 172A 7FB9 4F1E 9E9E C0B5 E775 ADB0 D167.
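An 8-digit short ID can be shared by unrelated keys, so the comparison to make before answering Yum's prompt is on the full fingerprint. The shell functions below are an added example, not part of the Tuleap documentation: they read a key listing in the "Key fingerprint =" format (for instance the output of `gpg --with-fingerprint gpg.key`) and accept it only when it holds exactly one key with the fingerprint given above. The function names and both sample listings are constructed.

```shell
#!/bin/sh
# Added example, not Tuleap code: accept the repository key only when its
# full fingerprint equals the one published on this page.

EXPECTED_FPR='3D03 B41A 172A 7FB9 4F1E 9E9E C0B5 E775 ADB0 D167'

# Upper-case a fingerprint and remove the spacing used for display.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Print every fingerprint found in a gpg key listing (stdin), one per line.
# A fingerprint is any line that, once the "Key fingerprint =" label and
# blanks are removed, is exactly 40 hexadecimal digits.
list_fingerprints() {
    awk '{
        line = $0
        sub(/^.*Key fingerprint =/, "", line)
        gsub(/[ \t]/, "", line)
        if (length(line) == 40 && line !~ /[^0-9A-Fa-f]/) print toupper(line)
    }'
}

# The short ID is only the last 8 hex digits of the fingerprint.
short_id() {
    printf '%s\n' "$1" | sed 's/.*\(........\)$/\1/'
}

# Succeeds only if the listing on stdin holds exactly one key and its
# fingerprint is the expected one (several keys or none both fail).
key_matches_expected() {
    want=$(normalize_fpr "$EXPECTED_FPR")
    found=$(list_fingerprints)
    [ "$found" = "$want" ]
}

# Constructed listing carrying the fingerprint published above.
sample_genuine_listing() {
    cat <<'EOF'
pub   (constructed sample line)
      Key fingerprint = 3D03 B41A 172A 7FB9 4F1E  9E9E C0B5 E775 ADB0 D167
uid   (constructed sample line)
EOF
}

# Constructed listing for a different key that ends in the same short ID.
sample_lookalike_listing() {
    cat <<'EOF'
pub   (constructed sample line)
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF ADB0 D167
uid   (constructed sample line)
EOF
}

for sample in sample_genuine_listing sample_lookalike_listing; do
    fpr=$($sample | list_fingerprints)
    if $sample | key_matches_expected; then verdict=trusted; else verdict=REJECTED; fi
    echo "$sample: short ID $(short_id "$fpr"), $verdict"
done
```

Both samples show the short ID ADB0D167, but only the first passes the full-fingerprint check.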
It is strongly recommended to disable the web editing of plugin properties for security reasons. You can disable the feature by adding the following parameter to your local.inc:
php
$sys_plugins_editable_configuration = 0;
Starting with 9.8, the footer has been changed to respect the BurningParrot style guide. This means that if you customized the footer (in /etc/tuleap/site-content/…/layout/), then there is a high chance that its style will be broken. If this is the case, then we suggest that you take a look at the new version of the layout to be compatible (see /usr/share/tuleap/site-content/…/layout/).
This also applies to the following pages:
- /contact.php
- /help/
If you customized them, you will have to apply the new look and feel or they will appear broken.
Starting with Tuleap 9.7, it is not possible to merge or abandon a pull request in a repository using fine grained permissions with tuleap-plugin-git. To make it work, you need to upgrade to tuleap-plugin-git-gitolite3. You can find more information on how to do the migration from Gitolite 2 to Gitolite 3 in the administration guide.
Starting with Tuleap 9.7, the logs of git read access (gitolite) change to save disk space and improve parsing time. As the time to convert existing logs might be quite long (estimated at ~20 hours for a dataset of 34GB), the conversion is available as a dedicated script meant to be run after the upgrade during a quiet moment (during the week-end for instance).
shell
#> /usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/plugins/git/bin/convert_gitolite_full_logs.php
To avoid getting your Gitolite configuration broken by users that are Git administrators, it is recommended to change the unsafe pattern:
shell
#> sed -i 's/\$UNSAFE_PATT = qr();/$UNSAFE_PATT = qr([\\n]);/' /var/lib/gitolite/.gitolite.rc
If you use the userlog plugin the data stored in the database can grow quite big. We have introduced a new utility to help you clean it. You can call it this way:
shell
#> /usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/plugins/userlog/bin/clean_userlog_request.php
In Tuleap 9.5 the remaining SVN repositories still not using modperl as the authentication mod will be migrated, and modmysql and modldap will not be available anymore.
To ease the migration, we encourage you to make the switch today by setting the parameter sys_auth_svn_mod to modperl in your local.inc.
Tuleap 9.4 introduces a change in the way mail notifications are handled. You can choose to never send notifications to non-members of private projects.
This feature is disabled by default. If you want to enable it, update local.inc and set sys_mail_secure_mode to 1.
php
// When 0 mail sent to everybody can lead to information leak, non projects members can receive mails of private projects
$sys_mail_secure_mode = 1;
With this release we have updated the default TLS Apache configuration we provide with Tuleap. This change can result in a small performance gain and uses the safest cipher suite we have available.
All new instances of Tuleap will use this new configuration but if you already have an installation, your configuration will be left untouched.
We encourage you to update it. To do it, replace the line SSLCipherSuite in /etc/httpd/conf/ssl.conf or /etc/httpd/conf.d/tuleap-vhost.conf, depending on how old your installation is, by:
ApacheConf
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
Since Tuleap 9.3 the fusionforge_compat plugin has been merged with the Mediawiki plugin. As a result the package tuleap-plugin-fusionforge_compat is an empty shell that can be safely removed with yum remove tuleap-plugin-fusionforge_compat.
The package tuleap-plugin-fusionforge_compat is going to be removed completely in the next version of Tuleap.
Tuleap 9.4 introduces a change in the way the user sessions are handled. All existing user sessions are flushed during this upgrade, which will force your users to log in again.
If you use the IM plugin you also must redeploy the authentication provider:
shell
#> /usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/plugins/IM/bin/redeploy_auth_provider.php
Since Tuleap 8.19, Tuleap is able to use the package viewvc provided by EPEL. Starting with Tuleap 9.4, the package viewvc-tuleap is removed from the official Tuleap repository. For those of you that have still not made the switch, we urge you to do it for security reasons. The swap of the packages can be done this way:
shell
#> yum shell -y <<EOF
remove viewvc-tuleap
install viewvc
run
quit
EOF
The snippets are now disabled unless specifically forced and this feature will be completely removed in Tuleap 9.5. If you think you have a valid use case and think this feature should be kept, please make yourself known on the tuleap-devel mailing list. In the meantime, if you really need it, the feature can be force activated by setting $sys_use_snippet to 'force'.
The default Apache configuration that is deployed during Tuleap installation now enables HTTP persistent connections. We encourage existing instances to do the same, as it can improve performance, by setting the option KeepAlive to On in the configuration file /etc/httpd/conf/httpd.conf.
We put some gloss, makeup and rhinestones on site administration. This is the introduction of a new theme named BurningParrot. It is transparent for the users (no need to change the user preferences), however it comes as a dependency of the tuleap-all package. When you upgrade to 9.1, if you don't have/upgrade the tuleap-all package then you should manually install the tuleap-theme-burningparrot package. Enjoy <3
In the same vein, we removed the old and nasty theme named 'Tuleap'. You must issue the following command if you have installed it: yum remove tuleap-theme-tuleap.
This release can only work with the password storage introduced in Tuleap 8.3. You must ensure that you have properly updated the IM and Proftpd plugins.
For the IM plugin you must have executed the following script:
shell
#> /usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/plugins/IM/bin/redeploy_auth_provider.php
For the Proftpd plugin you must have executed this script:
shell
#> /usr/share/tuleap/plugins/proftpd/bin/switch_to_unix_password.php
You must also check that in /etc/proftpd.conf, the parameter SQLAuthTypes is set to Crypt and not MD5.
You can parse all your gitolite3 logs by running the following script; logs previously parsed won't be taken into account.
bash
$> su - codendiadm
$> cd /usr/share/tuleap/
$> ./src/utils/php-launcher.sh plugins/git/bin/import_all_giotlite3_logs.php
We now use the package viewvc from the EPEL repository instead of the package viewvc-tuleap for CVS and SVN repositories. The switch between the two packages is not automatic for now but we encourage you to do it to benefit from a nicer integration of ViewVC into Tuleap.
To do that, you must swap the packages once you have updated Tuleap:
shell
#> yum shell -y <<EOF
remove viewvc-tuleap
install viewvc
run
quit
EOF
Please note that EPEL repositories must be enabled before doing this yum transaction.
Once you have swapped the packages, you should check whether you have a line saying Include conf.d/viewvc.conf in your Apache configuration (/etc/httpd/conf/httpd.conf). If that's the case, please remove it and reload Apache.
The option sys_strip_outlook has been removed and the behavior this option activated is now enabled by default.
Since this option is not used anymore, you can remove it from your configuration file (local.inc).
Tuleap instances installed between Tuleap 8.14.99.59 and now are impacted by a bug leaving the SVN specific access logfile always empty (/var/log/httpd/svn_log).
The issue impacts the generation of usage statistics for SVN.
The bug has been fixed for new installations but requires a manual modification for impacted instances. In the configuration file /etc/httpd/conf.d/tuleap-vhost.conf, you should look for 2 sections like:
ApacheConf
LogFormat "%v %h %l %u %t \"%r\" %>s %b" commonvhost
CustomLog logs/access_log commonvhost
#Uncomment the two following lines in order to display the username newt to the access url
#LogFormat "%h %l %{username}n %t \"%r\" %>s %b" common_with_tuleap_unix_username
#CustomLog logs/access_log_with_username common_with_tuleap_unix_username
And then replace these 2 sections by:
ApacheConf
LogFormat "%v %h %l %u %t \"%r\" %>s %b" commonvhost
CustomLog logs/access_log commonvhost
CustomLog logs/svn_log "%h %l %u %t %U %>s \"%{SVN-ACTION}e\"" env=SVN-ACTION
Tuleap starts using the Guzzle package from the EPEL repository (php-guzzle-Guzzle) instead of the package provided until now by the Tuleap repository (php-guzzle). You should check that this package is not ignored by your yum configuration.
setup.sh now checks whether your domain name is valid. For automation, or if you are sure, you can still bypass the check with the option:
shell
#> setup.sh --disable-domain-name-check
For URLs, the Git plugin uses sys_default_domain from local.inc instead of the Apache SERVER_NAME.
The public URL for repositories changes. All users will have to update their checkout/checkin links.
Tuleap now requires the package php-paragonie-random-compat to work. If you have followed the installation guide, the package will be installed automatically from the EPEL repository if you use CentOS 6 or from the Tuleap repository if you use CentOS 5.
If you have not followed the installation guide and the dependency can not be found you must install it by hand.
Agile Dashboard Planning v1 (deprecated for 2 releases) is no longer available. You can safely remove the following variable from your /etc/tuleap/conf/local.inc file:
php
// Display deprecated planning V1
$sys_showdeprecatedplanningv1 = 0;
Few themes are removed:
- CodexSTN (tuleap-theme-codexstn)
- Dawn (tuleap-theme-dawn)
- savannah (tuleap-theme-savannah)
- Steerforge (tuleap-theme-steerforge)
- STTab (tuleap-theme-sttab)
They are automatically replaced by FlamingParrot; if you don't have it installed yet, it should be automatically fetched as a dependency. However, if it's not, you should install it by hand:
shell
#> yum install tuleap-theme-flamingparrot
End users who were using one of the old themes are automatically switched to the default theme defined in local.inc. If the default theme was one of them, FlamingParrot is used as a last resort.
OpenId (tuleap-plugin-openid) is gone. You can try OpenID connect instead (requires manual setup as of 8.11).
Due to a packaging issue we strongly suggest you install or force the reinstall of the following packages: tuleap-core-subversion and tuleap-core-subversion-modperl.
Meaning that if these packages are not installed you can install them with:
shell
#> yum install tuleap-core-subversion tuleap-core-subversion-modperl
If the packages are already installed, you can reinstall them with:
shell
#> yum reinstall tuleap-core-subversion tuleap-core-subversion-modperl
It is now possible to use a token instead of a password to authenticate users for SVN operations. In order to make that possible, it is necessary to grant more rights to the database user used to authenticate a user. You must run the following commands on your database with a privileged user:
sql
GRANT SELECT,UPDATE ON svn_token TO dbauthuser;
FLUSH PRIVILEGES;
If you use the LDAP plugin, you also need to grant this privilege:
sql
GRANT SELECT ON plugin_ldap_user TO dbauthuser;
FLUSH PRIVILEGES;
To work around a system bug, we have been forced to introduce a change. To keep the Git plugin fully functional, you must edit your sudoers file to match the following information:
bash
Defaults:gitolite !requiretty
Defaults:gitolite !env_reset
gitolite ALL= (codendiadm) SETENV: NOPASSWD: /usr/share/codendi/src/utils/php-launcher.sh /usr/share/codendi/plugins/git/hooks/post-receive.php*
Now that it is possible to import a git repository alongside a project archive, you must edit your sudoers file to match the following information:
bash
Defaults:codendiadm !requiretty
Defaults:codendiadm !env_reset
# Gitolite restore tar repository
Cmnd_Alias RESTORE_TAR_REPO_CMD = %libbin_dir%/restore-tar-repository.php
# Gitolite clone bundle
Cmnd_Alias BUNDLE_CMD = /usr/share/tuleap/plugins/git/bin/gl-clone-bundle.sh
codendiadm ALL= (gitolite) SETENV: NOPASSWD: RESTORE_TAR_REPO_CMD, BUNDLE_CMD
New configuration parameter in local.inc when Tuleap is behind a reverse proxy: check "Deploy Tuleap behind a reverse proxy" in the Administration guide.
A new feature adding the possibility of creating an artifact by email has been added: check "Activate reply to artifacts by email" in the Administration guide.
With the introduction of the truncated notifications in the Git plugin, we have been forced to make some changes. To keep the Git plugin fully functional, you must add the following information at the end of your sudoers file, which is generally located at /etc/sudoers:
bash
Defaults:gitolite !requiretty
Defaults:gitolite !env_reset
gitolite ALL= (codendiadm) SETENV: NOPASSWD: /usr/share/codendi/plugins/git/hooks/post-receive.php
Note that only Tuleap instances running on CentOS 5 are concerned.
A new template has been added to help configure Tuleap with Active Directory. You can find it in the sources: plugins/ldap/etc/ActiveDirectory.inc.dist
If you have an existing ldap set-up and wish to be compatible with Active Directory then you will need to update the file /etc/tuleap/plugins/ldap/etc/ldap.inc with these extra properties:
php
// The type of the ldap server
$sys_ldap_server_type = 'ActiveDirectory';
// The identifier of a user group
$sys_ldap_grp_uid = 'sAMAccountName';
We have updated the API Explorer. The package restler-api-explorer must be considered deprecated. To update to the new Explorer, install the package tuleap-api-explorer and remove or at least comment out the old Apache configuration. You probably have copied this configuration to /etc/httpd/conf.d/tuleap-plugins/tuleap-api-explorer.conf. After the removal, you need to restart Apache.
With this release we have updated the default TLS Apache configuration we provide with Tuleap. All new instances of Tuleap will use this one but if you already have an installation, your configuration will be left untouched. However, we encourage you to update your configuration for security reasons. As a side effect, this change also prevents Internet Explorer 7 and Internet Explorer 8 on Windows XP from connecting to the HTTPS server.
If you want to update your configuration, replace the lines SSLProtocol and SSLCipherSuite in /etc/httpd/conf/ssl.conf by:
apacheconf
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 and SSLv3 access by default:
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
We have added a new and more secure way to store passwords in Tuleap. This feature is activated by default on new installs but the legacy way is kept on already running instances for compatibility purposes. We strongly advise using this new functionality if you can.
To activate the new password storage on an already existing instance you must add the following line in your local.inc:
php
$sys_keep_md5_hashed_password = 0;
Execute this script if you have the IM plugin installed:
shell
#> /usr/share/tuleap/src/utils/php-launcher.sh /usr/share/tuleap/plugins/IM/bin/redeploy_auth_provider.php
Execute this script if you have the Proftpd plugin installed:
shell
#> /usr/share/tuleap/plugins/proftpd/bin/switch_to_unix_password.php
- Upgrade to mediawiki 1.23: check the Administration guide.
A new parameter in local.inc allows users to query the API over HTTP without SSL. By default HTTPS is enforced.
php
// Can query REST API without using HTTPS
// /!\ This is unsafe unless you have something else (reverse-proxy)
// providing the SSL Layer between you and the server /!\
$sys_rest_api_over_http = 0;
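The security-related local.inc settings recommended across this page (sys_https_host, sys_plugins_editable_configuration, sys_mail_secure_mode, sys_keep_md5_hashed_password and sys_rest_api_over_http) can be reviewed in one pass. The shell function below is an added example, not part of Tuleap: its name, the status labels and the sample file are constructed, and it assumes one plain assignment per line.

```shell
#!/bin/sh
# Added example, not Tuleap code: report how a local.inc (read on stdin)
# compares with the security-related values recommended on this page.
#   ok      the value matches the recommendation
#   review  the value differs from the recommendation
#   unset   no active assignment found, so Tuleap's default applies
# Lines starting with a comment marker are ignored, which also catches an
# assignment that was pasted on the same line as its // comment.
audit_local_inc() {
    awk -v q="'" '
    BEGIN {
        # Recommended values; "*" means any non-empty value (sys_https_host
        # only matters when the instance is reachable over HTTPS).
        want["sys_https_host"] = "*"
        want["sys_plugins_editable_configuration"] = "0"
        want["sys_mail_secure_mode"] = "1"
        want["sys_keep_md5_hashed_password"] = "0"
        want["sys_rest_api_over_http"] = "0"
        order = "sys_https_host sys_plugins_editable_configuration " \
                "sys_mail_secure_mode sys_keep_md5_hashed_password " \
                "sys_rest_api_over_http"
    }
    /^[ \t]*\$[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        line = $0
        sub(/^[ \t]*\$/, "", line)
        name = line; sub(/[ \t]*=.*/, "", name)
        val = line;  sub(/^[^=]*=[ \t]*/, "", val)
        sub(/;.*$/, "", val)               # drop terminator and trailing comment
        gsub("[" q "\" \t]", "", val)      # strip quotes and blanks
        if (name in want) { got[name] = val; seen[name] = 1 }   # last one wins
    }
    END {
        n = split(order, o, " ")
        for (i = 1; i <= n; i++) {
            k = o[i]
            if (!(k in seen))        s = "unset"
            else if (want[k] == "*") s = (got[k] != "") ? "ok" : "review"
            else                     s = (got[k] == want[k]) ? "ok" : "review"
            print k, s
        }
    }'
}

# Constructed sample local.inc (the host name is a placeholder).
sample_local_inc() {
    cat <<'EOF'
<?php
$sys_default_domain = 'tuleap.example.com';
$sys_https_host = '';
// $sys_plugins_editable_configuration = 0;
$sys_mail_secure_mode = 1;
$sys_keep_md5_hashed_password = 1;
$sys_rest_api_over_http = 0; // HTTPS enforced
EOF
}

sample_local_inc | audit_local_inc
```

On a real server, run it as `audit_local_inc < /etc/tuleap/conf/local.inc`.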
Logrotate might be configured to use "dateext" instead of .X. This might create garbage in logs and can be an issue when attempting to copy logs from /var/log/httpd/blalba.1 to /var/log/tuleap/YYYY/MM/blalba_YYYYMMDD.log. We now prevent this behavior by adding the "nodateext" option to /etc/logrotate.d/httpd.
See /usr/share/tuleap/src/etc/logrotate.httpd.conf for reference.
We have enabled Tuleap to deal with incoming CVS commits from Windows machines. You can now toggle between allowing Windows encoding of the commit messages and utf-8 encoding. To set this up (CentOS 6):
- Local.inc: add $sys_cvs_convert_cp1252_to_utf8 = 1; at the end of the file.
- System:
shell
# Note: for CentOS 5, you need to manually source and install the package 'perl-Text-Iconv'
$> yum install perl-Text-Iconv
$> cp /usr/share/tuleap/src/utils/cvs1/log_accum /usr/lib/tuleap/bin/log_accum
It was reported that certain versions of elasticsearch do not allow for the indexation of files above, say, 100 MB. In order to prevent these files from being mistakenly indexed and causing the operation to fail, we did several things:
- All files above a certain size are skipped;
- The corresponding system event contains a warning;
- The system administrator is notified by mail.
In order for this to work you need to add the following lines to /etc/tuleap/plugins/fulltextsearch/etc/fulltextsearch.inc:
php
// The maximum file size (in bytes) that can be indexed - be careful
// not to go above your server limits
$fulltextsearch_max_indexed_file_size = 100000000;
This value can then be managed via the Tuleap Admin area -> plugin administration -> FullText Search.
- We drop the embedded version of gitphp in favor of the packaged one. This is reflected by the $gitphp_path in /etc/tuleap/plugins/git/etc/config.inc
- New installations have git HTTP access activated.
- Existing installations without HTTP access can enable it by setting $git_http_url = "https://%server_name%/plugins/git"; in /etc/tuleap/plugins/git/etc/config.inc
- Existing installations with HTTP access should keep existing HTTP access as default (without anonymous access) but can communicate to their users about the new URL https://%server_name%/plugins/git/%repo_path% for test.
- gitolite3 path in sudoers.d/gitolite3-http file has been changed: codendiadm ALL= (gitolite) SETENV: NOPASSWD: /usr/share/gitolite3/gitolite-shell
- Default search for daily synchro is now the whole LDAP subtree.
  - If $sys_ldap_daily_sync was enabled (= 1), you should monitor the duration of the ROOT_DAILY system event (each night at 00:10)
    - If duration is the same after upgrade, everything is fine
    - If duration is really longer (20-30% longer), you can switch back to the previous mode with $search_depth = 'onelevel'; in the ldap configuration /etc/tuleap/plugins/ldap/etc/ldap.inc
  - If $sys_ldap_daily_sync was disabled (= 0), you should be able to enable it
    - Do it first on a QA server
    - You should expect some people to be suspended on first run
    - If most users get suspended, there is something wrong and you should keep the synchro disabled and report the issue
- If
The default backup path for deleted projects is /var/tmp. See $sys_project_backup_path in /etc/tuleap/conf/local.inc.
The default time-out for a request to an elasticsearch server is 5 seconds. Now, administrators can choose the maximum time-out value in the configuration of the fullTextSearch plugin.
For upgrades, you need to copy a variable from /usr/share/codendi/plugins/fulltextsearch/etc/fulltextsearch.inc.dist to /etc/tuleap/plugins/fulltextsearch/etc/fulltextsearch.inc:
php
$max_seconds_for_request = 10;
Starting with this release, the Tuleap system logs are handled by logrotate. The default configuration is to rotate on a weekly basis and to keep 4 weeks of logs.
Local.inc:
- $sys_create_project_in_one_step is no longer needed as legacy project creation is gone.
- New option $sys_strip_outlook = 0; allows testing the removal of Outlook quotes in tracker email replies (experimental)
- New option $sys_default_mail_domain = ""; defines the email domain for the email gateway feature (by default, email domain = default Tuleap domain)
You need to clean and re-index all previously indexed projects:
shell
# Of course, you need to adapt username, password, servers and port to
# your configuration
$> curl -u superuser:Adm1n -X DELETE "localhost:9200/tracker"
$> curl -u superuser:Adm1n -X DELETE "localhost:9200/docman"
$> curl -u superuser:Adm1n -X DELETE "localhost:9200/wiki"
$> curl -u superuser:Adm1n -X PUT "localhost:9200/tracker" -d '{ "settings" : { "index" : { "number_of_shards" : 1, "number_of_replicas" : 0 }} }'
$> curl -u superuser:Adm1n -X PUT "localhost:9200/docman" -d '{ "settings" : { "index" : { "number_of_shards" : 1, "number_of_replicas" : 0 }} }'
$> curl -u superuser:Adm1n -X PUT "localhost:9200/wiki" -d '{ "settings" : { "index" : { "number_of_shards" : 1, "number_of_replicas" : 0 }} }'
Then, as a site admin, trigger re-index of projects.
You can configure git and http urls in git/etc/config.inc:
php
// Urls
// By default, only ssh is available for use and you can setup HTTP(s) access
// to your server.
// For convenience, you can either hardcode the URLs or you can use %server_name%
// variable that will be replace automatically by the value of $_SERVER['SERVER_NAME']
// this is typical the URL the user see in location bar of the browser

// Tell to Tuleap that an HTTPS server for git is available at the given
// address
// $git_http_url = "https://%server_name%/git";

// Define a custom ssh URL to get access to the sources
// You can disable display of this url by activating this variable and setting
// to '' (empty string)
//
// $git_ssh_url = 'ssh://gitolite@%server_name%:2222';
The $grokmanifest_path is no longer needed on server (you can remove grokmirror too).
This release comes with a tool to assist admins of very old Tuleap installations in migrating from docman v1 to docman v2 (plugin). This might be relevant to you if you installed Tuleap before 2009. Check Administration guide <admin_howto_docmanv1_to_docmanv2>
Another change in this release is a dependency on a recent version of git. We know for sure that there are issues with git <= 1.7.4.1.
If in doubt, you should upgrade to the latest version.
shell
$> yum update git
The index mapping for artifacts' follow-up comments changed. You need to delete the current index and create a new empty one (all previously indexed comments will be lost):
shell
# Of course, you need to adapt username, password, servers and port to
# your configuration
$> curl -u superuser:Adm1n -X DELETE "localhost:9200/tracker"
$> curl -u superuser:Adm1n -X PUT "localhost:9200/tracker" -d '{ "settings" : { "index" : { "number_of_shards" : 1, "number_of_replicas" : 0 }} }'
Tuleap 7.4 acknowledges the limits of integrating Mediawiki and its numerous plugins, such as "wiki editor", into Tuleap. In order to avoid javascript and css conflicts that are impossible to resolve, there is now a compatibility view that can be enabled if needed. It needs to be enabled at the forge level before it can be enabled at a project level, and this is how:
- New option in /etc/<tuleap|codendi>/plugins/mediawiki/etc/mediawiki.inc
php
$enable_compatibility_view = true;
This option can then be toggled by site administrators in the "plugins administration" area.
Activating the compatibility view for a project is then done in the "Administration" section of a given mediawiki in the UI.
For Tuleap 7.3, we updated our mediawiki package by adding new modules. For a new extension, we added a dependency on a package named htmldoc.
This package is only available in EPEL repositories. So, in order to be able to update your Tuleap, you have to activate EPEL on your server.
Tuleap 7.3 introduces new FlamingParrot theme variants. Concretely, new colors are available for our new theme.
You can choose which variants to enable on your Tuleap by adding a new entry in the local.inc file (by default, all variants are activated):
php
// List of available theme variant in forge
// Available variants:
// * FlamingParrot_Orange
// * FlamingParrot_Blue
// * FlamingParrot_Green
// * FlamingParrot_BlueGrey
// * FlamingParrot_Purple
// * FlamingParrot_Red
// * FlamingParrot_DarkOrange
// * FlamingParrot_DarkBlue
// * FlamingParrot_DarkGreen
// * FlamingParrot_DarkBlueGrey
// * FlamingParrot_DarkPurple
// * FlamingParrot_DarkRed
$sys_available_theme_variants = 'FlamingParrot_Orange,FlamingParrot_Blue,FlamingParrot_Green,FlamingParrot_BlueGrey,FlamingParrot_Purple,FlamingParrot_Red,FlamingParrot_DarkOrange,FlamingParrot_DarkBlue,FlamingParrot_DarkGreen,FlamingParrot_DarkBlueGrey,FlamingParrot_DarkPurple,FlamingParrot_DarkRed';
In addition, you can choose the default color for the whole platform by adding a variable in your local.inc file:
php
// Default theme variant in forge
$sys_default_theme_variant = 'FlamingParrot_Orange';
New option in local.inc
php
// Allow users to reply by mail to artifact notifications
// As of today only adding a follow-up comment is supported
$sys_enable_reply_by_mail = 0;
See plugins/tracker/README.emailgateway.mkd
for details about sudoers deployment.
New option in local.inc
php
// Allow (or not) users to do a SVN commit without any commit message
// Set to 0 to force commit message to not be empty
$sys_allow_empty_svn_commit_message = 1;
A lot of changes on full text search:
- Elasticsearch must now be version 1.2.x
- The index mapping for docman was totally revamped. Hence, all previously indexed documents will no longer be reachable and admins should redo the mapping.
Tuleap now depends on Elasticsearch 1.2. In the meantime, we no longer ship elasticsearch packages as the upstream project already does it.
The main consequences are:
- the plugin should be installed by hand instead of having RPMs.
- we can no longer use jetty to restrict access to the elasticsearch cluster. It is replaced by nginx as a filtering reverse proxy
The requirement for elasticsearch is a RHEL/CentOS 6.5 or newer server.
Update of elasticsearch:
- Set up the yum repository as described on the Elasticsearch repositories page
- Then install elasticsearch:
shell
$> yum install java-1.7.0-openjdk
$> yum install elasticsearch
$> /usr/share/elasticsearch/bin/plugin -install elasticsearch/elasticsearch-mapper-attachments/2.0.0
Note: make sure your elasticsearch cluster name is unique, in /etc/elasticsearch/elasticsearch.yml
shell
cluster.name: <unique-name>
Then you shall set up nginx for security.
We use nginx for its reverse proxy capabilities. The installation package comes from the Red Hat controlled Software Collections:
shell
$> yum install scl-utils
$> rpm -i https://www.softwarecollections.org/en/scls/rhscl/nginx14/epel-6-x86_64/download/rhscl-nginx14-epel-6-x86_64-1-2.noarch.rpm
$> yum install nginx14-nginx
$> yum install httpd-tools # needed to generate htpassword file
Generate a password file:
shell
$> htpasswd -c /opt/rh/nginx14/root/etc/nginx/htpasswd elasticsearch
Then, set up the reverse proxy. Edit /opt/rh/nginx14/root/etc/nginx/nginx.conf and add the following snippet in the http section:
shell
# listen and location are only valid inside a server block
server {
    listen 9222;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:9200/;
        proxy_redirect off;

        # Password
        auth_basic "Elasticsearch for Tuleap Restricted";
        auth_basic_user_file /opt/rh/nginx14/root/etc/nginx/htpasswd;

        # Don't forward auth header
        proxy_set_header Authorization "";
    }
}
Finally, start the proxy (password is the one you defined in previous step):
shell
$> chkconfig nginx14-nginx on
$> service nginx14-nginx start
$> curl -u elasticsearch:password http://localhost:9222/
Note: you might need to adjust the server name and port for your elasticsearch server in /etc/tuleap/plugins/fulltextsearch/etc/fulltextsearch.inc
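The proxy only protects the cluster if every directive of the snippet is active and port 9200 cannot be reached without going through it. The lint below is an added example, not part of the Tuleap documentation; the function name, the sample files and the check on Elasticsearch's network.host setting are assumptions of this example.

```shell
# Added example: lint the proxy snippet and elasticsearch.yml. Sample files are constructed.
check_proxy_conf() {   # usage: check_proxy_conf NGINX_CONF ES_YML (status 0 = no finding)
    findings=0
    conf=$(sed 's/#.*//' "$1")   # strip comments: a commented-out directive is inactive
    yml=$(sed 's/#.*//' "$2")
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }
    # Basic auth must be on (not "off") and must point at a user file.
    printf '%s\n' "$conf" | grep -E 'auth_basic[[:space:]]+[^;]+;' |
        grep -Evq 'auth_basic[[:space:]]+off[[:space:]]*;' || note "auth_basic missing or off"
    printf '%s\n' "$conf" | grep -Eq 'auth_basic_user_file[[:space:]]+[^;[:space:]]+;' ||
        note "auth_basic_user_file missing"
    # The upstream must be the loopback listener, never a routable address.
    printf '%s\n' "$conf" | grep -Eq 'proxy_pass[[:space:]]+http://(127\.0\.0\.1|localhost)[:/;]' ||
        note "proxy_pass does not target loopback"
    # The proxy credentials must not be forwarded to Elasticsearch.
    printf '%s\n' "$conf" | grep -Eq 'proxy_set_header[[:space:]]+Authorization[[:space:]]+"";' ||
        note "Authorization header is forwarded upstream"
    # Elasticsearch must listen on loopback only, otherwise port 9200 bypasses the proxy.
    printf '%s\n' "$yml" | grep -Eq '^[[:space:]]*network\.host:[[:space:]]*(127\.0\.0\.1|localhost)[[:space:]]*$' ||
        note "network.host is not bound to loopback"
    [ "$findings" -eq 0 ]
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
server {
    listen 9222;
    location / {
        proxy_pass http://127.0.0.1:9200/;
        auth_basic "Elasticsearch for Tuleap Restricted";
        auth_basic_user_file /opt/rh/nginx14/root/etc/nginx/htpasswd;
        proxy_set_header Authorization "";
    }
}
EOF
# Weak variant (constructed): auth switched off and the Authorization header left in place.
sed -e 's/auth_basic ".*";/auth_basic off;/' -e '/Authorization/d' "$tmp/good.conf" > "$tmp/weak.conf"
printf 'cluster.name: tuleap-es\nnetwork.host: 127.0.0.1\n' > "$tmp/es_good.yml"
printf 'cluster.name: tuleap-es\n' > "$tmp/es_default.yml"   # network.host not set

check_proxy_conf "$tmp/good.conf" "$tmp/es_good.yml" && echo "good: no findings"
check_proxy_conf "$tmp/weak.conf" "$tmp/es_default.yml" || echo "weak: findings listed above"
```

On a real server, pass /opt/rh/nginx14/root/etc/nginx/nginx.conf and /etc/elasticsearch/elasticsearch.yml as the two arguments.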
Delete existing docman mapping and setup a new one
shell
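# Every request through the proxy on port 9222 needs the basic-auth credentials
$> curl -u elasticsearch:password -X DELETE "localhost:9222/tuleap/docman"
$> curl -u elasticsearch:password -X PUT "localhost:9222/docman" -d '{ "settings" : { "index" : { "number_of_shards" : 1, "number_of_replicas" : 0 }} }'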