turnkeylinux / tracker

TurnKey Linux Tracker
https://www.turnkeylinux.org

OTRS / Znuny Installation via Debian Package style #1859

Open geraldurbas opened 11 months ago

geraldurbas commented 11 months ago

As far as I understand, the TK Image concept is meant to be pre productive images. But this OTRS Package is only capable as a preview. First look is working, but a more scratchy technical review shows problems.

This Issue is not related to the TK Image "itself" - it's working; but the chosen install style won't become an "easygoing" future Znuny install.

After a short fact finding mission related to an OTRS migration, I discovered some problems with the default Debian Package for otrs2.

Errors discovered:

I recommend noting this in the Image description to be more accurate and give more/less Power users a hint.

(My plan is to figure out if an OTRS/Znuny installation over a LAMP Image is a working approach; or it's better to go with clean D11 images; and leave a note here)

JedMeister commented 11 months ago

Thanks for taking the time to share your feedback. Although for what it's worth, we've been providing an OTRS appliance for at least 10 years, using the package from the Debian repos.

This is the first I'm hearing some of these issues, so I've done a bit of reading.

It turns out that some of the "issues" you refer to are the result of conscious Debian decisions to lock things down to harden security. As you are hopefully already aware, security isn't a binary on/off thing and almost all security hardening introduces user limitations. FWIW there is a Debian bug which covers the arguments (from both sides). The changes made do limit the ability of OTRS to do things that it wants to do, but it also reduces the chances of something really bad happening if a bad actor gets access to your OTRS/Znuny app.

When we set it up, we run the otrs.SetPermissions.pl script - which I would have assumed resolved the issues?! Clearly that is not the case - at least for you...

It is also noted in Debian readme (/usr/share/doc/otrs2/README.Debian):

OTRS package manager:
---------------------

otrs2 includes by default a package manager. This will not work with the Debian
package, because to have it work, we need to relax too many file permissions.

Also have a look here:
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475737

But if you are aware of the security issues and you realy need the integrated
package manager, then execute the following:
    chmod g+w -R /usr/share/otrs/
    chmod g+w -R /var/lib/otrs/
    chgrp www-data -R /var/lib/otrs/
    chgrp www-data -R /usr/share/otrs/

Note that the bug URL is the same as the link I provided above.

I'm guessing that you didn't follow (or probably even find) those instructions?

As for a non working cron job, I'm almost certain that is just a bug. We tweak the cron job as part of the install, but perhaps things have changed with Znuny and we missed something?

Could you please clarify the problems any further? Details on how to reproduce the specific issues you note would be very warmly welcomed (i.e. which url/page, what options/config needs to be done to make the issues appear). I'm particularly interested in getting more detail on these 2 as they seem like particularly easy ones to address (if I can understand them better):

  • Many Perl Packages are missing; but are available in Debian (wrong / missing dependencies)
  • Missing MySQL Settings

I am particularly curious about the "missing mysql settings" as there was one pivotal setting that we were having issues applying (it appeared to work, but was then causing error messages in mysql and making mysql-admin commands fail). It turned out that the Znuny docs were wrong - but we spoke with them about that and they have since fixed it. AFAIK, we're applying all the recommendations from Znuny?!

I do agree with you re improving documentation. I was of the understanding that running the SetPermissions script would have applied settings as desired, although adding a note re enabling the "package manager" is probably a good idea. It's perhaps worth even considering a first boot script to make that super easy (and also note the security implications as well). At the end of the day, we want our servers to be as secure as possible, but sometimes compromising a little security for convenience and/or usability is a good move.

Armed with some clear info of what is actually wrong, we would almost certainly be able to patch and/or work around any issues. Plus if there are default packaging shortcomings, then we could assist the packager to improve the package (and then we all win).

We could consider moving to an upstream install, but unless there is a really clear reason why that is "better" I would prefer to avoid it. It will increase maintenance - for both us and users.

Regardless, thanks again for your feedback.
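The permission changes quoted from README.Debian above, as an added audit sketch (not part of the thread or of the Debian package): it lists what the web server group can modify under the two paths, so the effect of the chmod/chgrp commands can be reviewed before and after running them. The paths and the www-data group come from the README; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: measure how far the README's chmod/chgrp commands widen
# write access for the web server group. Function names are hypothetical.

OTRS_DIRS="/usr/share/otrs /var/lib/otrs"   # paths named in README.Debian

# Print every file or directory under the given paths that belongs to GROUP
# and has the group-write bit set.
list_group_writable() {
    group=$1; shift
    for dir in "$@"; do
        [ -e "$dir" ] || continue            # skip paths absent on this host
        find "$dir" -group "$group" -perm -020 -print
    done
}

# Number of entries the group can modify.
count_group_writable() {
    list_group_writable "$@" | wc -l | tr -d ' '
}

# Perl modules and scripts the group can rewrite. These matter most, because
# the application executes them.
list_writable_code() {
    group=$1; shift
    for dir in "$@"; do
        [ -e "$dir" ] || continue
        find "$dir" -type f -group "$group" -perm -020 \
            \( -name '*.pm' -o -name '*.pl' \) -print
    done
}

# Report for the live system when invoked as: sh audit.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "entries writable by www-data: $(count_group_writable www-data $OTRS_DIRS)"
    list_writable_code www-data $OTRS_DIRS
fi
```

Running the report before and after the README commands shows exactly which files the change exposes to the web server group.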

JedMeister commented 10 months ago

ping @geraldurbas - could you please help out with more info?

geraldurbas commented 10 months ago

Hi JedMeister, Sorry - missed your mention.

Finally we went the way with TK LAMP Base and a manual Znuny setup. Migration requirement was to get from OTRS final version to Znuny 6.5. My target was "only" to show Znuny to the customer, and to test the migration.

And often TK Images turns out to be "ready"

You're correct, I didn't find the chmods in the Debian readme. These should correct some problems. But not the Debian approach. I guess in some months Znuny 6.5 is incorporated.

Missing Perl Modules

Luckily I didn't delete the CT, unfortunately I can't tell after my review from apt Log which Perl Libraries were missing. Found libcrypt-openssl-x509-perl, libdbd-odbc-perl, libcql-parser-perl, libauthen-ntlm-perl and libical-parser-perl and libsoap-lite-perl near the installation time. These may be required, or only recommended.

In the install docs a Jq library is mentioned, to be installed via cpanm install Jq; maybe outdated > this library seems to be installed via some dependency from above.

https://doc.znuny.org/znuny_lts/releases/installupdate/install.html

Used from OTRS & Znuny this Check script /opt/otrs/bin/otrs.CheckModules.pl --all lists missing Modules. Practically with apt install command.

Mysql

From https://doc.znuny.org/znuny_lts/releases/installupdate/install.html. Can't remember if the Check script prints this.

The recommended Mysql configs make sense for me, no security risk.

    [mysql]
    max_allowed_packet=256M

    [mysqldump]
    max_allowed_packet=256M

    [mysqld]
    innodb_file_per_table
    innodb_log_file_size = 256M
    max_allowed_packet=256M
    character-set-server = utf8
    collation-server = utf8_general_ci

Sorry for my late and not so helpful answer. Sincerely
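The MySQL settings listed in the comment above, turned into an added check (not from the thread, Znuny or the Debian package): it parses one my.cnf-style file and reports which of those settings are missing or set to another value. The function name and the `RECOMMENDED` list format are hypothetical; `!include` directives are not followed.

```shell
#!/bin/sh
# Added example: compare one my.cnf-style file with the settings quoted in
# the comment above. Entries are section|option|value; an empty value means
# the option only has to be present.
RECOMMENDED="mysql|max_allowed_packet|256M mysqldump|max_allowed_packet|256M \
mysqld|innodb_file_per_table| mysqld|innodb_log_file_size|256M \
mysqld|max_allowed_packet|256M mysqld|character-set-server|utf8 \
mysqld|collation-server|utf8_general_ci"

# check_mysql_settings FILE
# Prints one "missing" or "differs" line per setting that does not match.
check_mysql_settings() {
    awk -v want="$RECOMMENDED" '
        # MySQL treats dashes and underscores in option names as equivalent.
        function norm(k) { gsub(/-/, "_", k); return tolower(k) }
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
        /^[ \t]*\[/ {                                 # [section] header
            sec = $0; gsub(/[ \t]/, "", sec)
            sec = substr(sec, 2, length(sec) - 2); next
        }
        {
            eq  = index($0, "=")
            key = eq ? substr($0, 1, eq - 1) : $0     # bare flag has no "="
            val = eq ? substr($0, eq + 1) : ""
            have[sec "|" norm(trim(key))] = trim(val)
        }
        END {
            n = split(want, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, "|")
                id = f[1] "|" norm(f[2])
                if (!(id in have))
                    print "missing  [" f[1] "] " f[2]
                else if (f[3] != "" && have[id] != f[3])
                    print "differs  [" f[1] "] " f[2] "=" have[id] " (want " f[3] ")"
            }
        }' "$1"
}

# Usage: sh check.sh /path/to/file.cnf
if [ -n "${1:-}" ]; then
    check_mysql_settings "$1"
fi
```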

JedMeister commented 10 months ago

@geraldurbas - thanks for taking the time to circle back and respond. I really appreciate it.

Armed with your additional info, I'll have a closer look when I get a chance and at the very least, should be able to improve things. Thanks again for your initial report.