Monday, February 15, 2010

SVN SETUP

This document explains in detail the procedure to set up a Subversion repository (with Trac) in a Linux-based environment. Depending on your needs, one of the following three schemes can be selected:
1. Subversion Over ssh
If only one user is going to use the repository, it is easiest to use the Subversion server over ssh. To do so, first choose a directory to store all the files of the repository and then initialize it using the following commands:
mkdir /home/user/myrepo/
svnadmin create /home/user/myrepo/
You may now edit the configuration file to change the access rules. For example the /home/user/myrepo/conf/svnserve.conf can be:
[general]
anon-access = read
auth-access = write
realm = My First Repository
password-db = passwd
In this case, anyone can read the contents of the repository, but only a user who has write permission on the filesystem where the repository is hosted can write to it.
Now the repository can be accessed using the following URL:
svn+ssh://user@remote.host/home/user/myrepo/
This means that the subversion client will first ssh to remote.host, where the user can login using the system password, and then will start the subversion server in tunnel mode as svnserve -t -r /home/user/repo/.
Further details can be found at http://svnbook.red-bean.com/en/1.1/ch06s03.html
2. Subversion Using svnserve
If fine-grained access control and high security are not a requirement, the custom server svnserve is the best choice. The user will first need to choose a directory to store all the files of the repository and then initialize it using the following commands:
mkdir /home/user/myrepo/
svnadmin create /home/user/myrepo/
The user may now edit the configuration file to change the access rules. An example /home/user/myrepo/conf/svnserve.conf will be:
[general]
anon-access = read
auth-access = write
realm = My First Repository
password-db = passwd
In this case, an anonymous user can read the contents of the repository, but only an authenticated user can write to it. passwd is the file that will contain the usernames and passwords for all the users. The format of this file is as follows (username followed by the password, separated by a colon):
harry:passwd1
sally:passwd2
The password file contains nothing except one user:passwd pair on each line. If using svnserve, passwords need to be stored in cleartext. Note that an alternate format for this file is possible, as suggested elsewhere, but I have not tried using that format (the format described above is tested against svn version 1.2.3). To create the encrypted passwords, the following small perl script can be used (replace mypasswd with your password):
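# random two-character salt: reusing the password as the salt would reveal its first two characters in the hash
perl -e '@c=("a".."z","A".."Z",0..9,".","/"); $pass="mypasswd"; print crypt($pass, $c[rand @c].$c[rand @c]);'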
The Subversion server can now be started using the command svnserve -d -R -r /home/user/myrepo/ (this runs on port 631). Since this command needs to be executed every time the system reboots, the user may use the system init scripts. Many Linux distributions that ship with svnserve (like SuSE) provide the init script in /etc/init.d/. In this case the server can be started using the following commands (after modifying the script to adjust the repository path):
chkconfig svnserve on #always start at boot
/etc/init.d/svnserve start #start now
If the init script is not available, the following script can be copied to /etc/init.d/svnserve (do not forget to change the permissions to executable):
#!/bin/sh
#File: /etc/init.d/svnserve
REPO_ROOT=/home/user/myrepo/
SVN_UID=user
SVN_GID=user
. /etc/rc.status
rc_reset
case "$1" in
    start)
        echo -n "Starting svnserve "
        startproc -u $SVN_UID -g $SVN_GID -e svnserve -d -R -r $REPO_ROOT
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down svnserve "
        killproc -TERM svnserve
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit
The repository can now be accessed using the following url:
svn://username@remote.host/
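A quick audit of the svnserve setup described above, as an added example that is not part of the original post: it reads conf/svnserve.conf, reports anonymous access, and checks that the cleartext password-db is not readable by other local accounts. The function names and the temporary sample repository are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# The svnserve.conf shown on this page.
PAGE_CONF = """[general]
anon-access = read
auth-access = write
realm = My First Repository
password-db = passwd
"""

def audit_repo(repo_root):
    """Return findings for <repo_root>/conf/svnserve.conf and its password-db."""
    conf_dir = os.path.join(repo_root, "conf")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(os.path.join(conf_dir, "svnserve.conf"))
    general = cfg["general"] if cfg.has_section("general") else {}
    findings = []
    # svnserve falls back to anon-access = read when the key is absent.
    anon = general.get("anon-access", "read").strip().lower()
    if anon != "none":
        findings.append("anon-access=%s: unauthenticated clients get %s access" % (anon, anon))
    db = general.get("password-db")
    if db is None:
        findings.append("no password-db: no user can authenticate")
        return findings
    # A relative password-db is resolved against the conf directory.
    db_path = os.path.join(conf_dir, db.strip())
    if not os.path.isfile(db_path):
        findings.append("password-db %s is missing" % db_path)
        return findings
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("password-db mode %04o: cleartext passwords exposed to other local users" % mode)
    return findings

def make_sample_repo(conf_text, passwd_mode):
    """Build a constructed repository skeleton (conf/ only) for the demo."""
    root = tempfile.mkdtemp(prefix="myrepo-")
    os.mkdir(os.path.join(root, "conf"))
    with open(os.path.join(root, "conf", "svnserve.conf"), "w") as fh:
        fh.write(conf_text)
    passwd = os.path.join(root, "conf", "passwd")
    with open(passwd, "w") as fh:
        fh.write("harry:passwd1\nsally:passwd2\n")  # constructed sample users
    os.chmod(passwd, passwd_mode)
    return root

if __name__ == "__main__":
    print("\n".join(audit_repo(make_sample_repo(PAGE_CONF, 0o644))))
```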
Installing trac
Trac is a web-based software development management system built around Subversion. First download Trac from http://projects.edgewall.com/trac/wiki/TracDownload. Check http://projects.edgewall.com/trac/wiki/TracInstall for additional packages that may be required. Subversion and Python are usually available in all distributions. To install clearsilver:
wget http://www.clearsilver.net/downloads/clearsilver-0.10.2.tar.gz
tar zxvf clearsilver-0.10.2.tar.gz
cd clearsilver-0.10.2/
./configure --with-python=/usr/bin/python
make
su -c "make install"
If Trac complains about a missing neo package, you may have to copy neo_cgi.so manually to /usr/lib/python2.3/site-packages/. To install PySQLite, first install SQLite3:
wget http://www.sqlite.org/sqlite-3.2.8.tar.gz
tar zxvf sqlite-3.2.8.tar.gz ; cd sqlite-3.2.8
./configure --prefix=/usr/ --disable-tcl
make && make install
and now install PySQLite
wget http://initd.org/pub/software/pysqlite/releases/2.0/2.0.5/pysqlite-2.0.5
tar zxvf pysqlite-2.0.5.tar.gz ; cd pysqlite-2.0.5
python ./setup.py install
To install Trac
wget http://ftp.edgewall.com/pub/trac/trac-0.9.2.tar.gz
tar zxvf trac-0.9.2.tar.gz
cd trac-0.9.2
python ./setup.py install
Run ldconfig if Trac complains about missing libraries.
The Trac environment can now be initialized as
trac-admin /home/user/trac-env/ initenv
Trac standalone server can now be started as
tracd --port 8080 /home/user/trac-env/
Then, fire up a browser and visit http://remote.host:8080/. A simple listing of all environments that tracd knows about should be displayed. Note that both svnserve and tracd should run with the same uid; otherwise there may be permission conflicts.
Since the Trac server needs to be started after every boot, the user may copy the following to /etc/init.d/tracd and run chkconfig tracd on.
#!/bin/sh
#File: /etc/init.d/tracd
TRAC_ENV=/home/user/trac-env/
SVN_UID=user
SVN_GID=user
. /etc/rc.status
rc_reset
case "$1" in
    start)
        echo -n "Starting tracd"
        # tracd is given the Trac environment and port, not the svn repository root
        startproc -u $SVN_UID -g $SVN_GID -e tracd -d --port 8080 $TRAC_ENV
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down tracd"
        killproc -TERM tracd
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit
3. Subversion With Apache and SSL
If you need to host a repository that is going to be used by many projects and users and requires fine-grained access control, you may choose to use Apache httpd with SSL to host it. In this case, since the RPMs for some required packages may not be available, you may need to compile everything from source.
First install apache httpd
wget http://apache.mirrored.ca/httpd/httpd-2.0.55.tar.gz
tar zxvf httpd-2.0.55.tar.gz; cd httpd-2.0.55
./configure --prefix=/usr/local/subversion/ --enable-dav --enable-so --enable-ssl
make && make install
Now install subversion
wget http://subversion.tigris.org/downloads/subversion-1.2.3.tar.gz
tar zxvf subversion-1.2.3.tar.gz ; cd subversion-1.2.3
./configure --prefix=/usr/local/subversion/ --with-apxs=/usr/local/subversion/bin/apxs --with-ssl
make && make install
make swig-py && make install-swig-py
Create a new user and group to run the server for repository
groupadd svn
useradd -m -d /srv/svn/ -g svn svn
Create the repositories. Let's assume that we need two repositories named mars and venus.
su - svn
mkdir /srv/svn/repositories/
mkdir /srv/svn/repositories/mars/
mkdir /srv/svn/repositories/venus/
svnadmin create /srv/svn/repositories/mars/
svnadmin create /srv/svn/repositories/venus/
Now edit /usr/local/subversion/conf/httpd.conf to include the following lines
ServerRoot "/usr/local/subversion/"
User svn
Group svn
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
Turn SSL on by including the following lines
Listen 443
SSLEngine On
SSLCertificateFile /usr/local/subversion/cert/server.crt
SSLCertificateKeyFile /usr/local/subversion/cert/server.key
Here server.crt contains the SSL certificate. To create a self-signed certificate, refer to http://www.akadia.com/services/ssh_test_certificate.html.
Now include the following lines in httpd.conf to allow access to the svn repositories
<Location /svn>
    Order allow,deny
    Allow from all
    DAV svn
    SVNParentPath /srv/svn/repositories/
    # our access control policy
    AuthzSVNAccessFile /srv/svn/conf/users-access-file
    # try anonymous access first, resort to real
    # authentication if necessary.
    Satisfy Any
    Require valid-user
    # how to authenticate a user
    AuthType Basic
    AuthName "My Subversion repository"
    AuthUserFile /srv/svn/conf/passwd
</Location>
The passwd file (as discussed earlier in this document) contains username and password pairs, and users-access-file will contain the access rules. Unlike with svnserve, the passwords can be encrypted using one of the many supported encryption algorithms (including the one used by UNIX for /etc/passwd). An example users-access-file is as follows:
[/]
* =
[mars:/]
harry = r
sally = rw
[venus:/]
sally = rw
[venus:/bugs/]
sally =
harry = rw
The first line means that the anonymous user ("*") has no access to the repository. harry can read, while sally can both read and write, in the mars repository. sally can also read and write in the venus repository (except for the directory bugs, which only harry can access and modify).
Now create the init script /etc/init.d/apache
#!/bin/sh
#File: /etc/init.d/apache
. /etc/rc.status
HTTPD=/usr/local/subversion/bin/httpd
CONFFILE=/usr/local/subversion/conf/httpd.conf
rc_reset
case "$1" in
    start)
        echo -n "Starting httpd"
        startproc -e $HTTPD
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down httpd"
        killproc -TERM httpd
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit
and start the server by
chkconfig apache on
/etc/init.d/apache start
Now the repositories should be accessible on
https://remote.host/svn/mars/
https://remote.host/svn/venus/
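How the rules in the example users-access-file resolve, as an added example that is not part of the original post or of Subversion's own code: the most specific path section that names the user decides, repository-specific sections are checked before generic ones, and "*" matches every user, anonymous included. Group entries are not handled, and ignoring a trailing slash in section paths is an assumption of this example.

```python
# The users-access-file from this page, embedded as sample input.
ACCESS_FILE = """\
[/]
* =
[mars:/]
harry = r
sally = rw
[venus:/]
sally = rw
[venus:/bugs/]
sally =
harry = rw
"""

def parse_access_file(text):
    """Return {section name: [(subject, rights), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            repo, sep, path = line[1:-1].strip().rpartition(":")
            # Assumption of this example: a trailing slash is ignored.
            current = sections.setdefault(repo + sep + (path.rstrip("/") or "/"), [])
        elif current is not None and "=" in line:
            subject, rights = (part.strip() for part in line.split("=", 1))
            current.append((subject, rights))
    return sections

def access(sections, user, repo, path):
    """Rights ('', 'r' or 'rw') of user (None = anonymous) on repo:path."""
    path = "/" + path.strip("/")
    while True:
        # The repository-specific section is consulted before the generic one.
        for name in ("%s:%s" % (repo, path), path):
            hits = [rights for subject, rights in sections.get(name, [])
                    if subject == "*" or (user is not None and subject == user)]
            if hits:  # most specific section naming this user decides
                return "".join(c for c in "rw" if any(c in r for r in hits))
        if path == "/":
            return ""  # no rule matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"  # fall back to the parent directory

if __name__ == "__main__":
    rules = parse_access_file(ACCESS_FILE)
    for who, repo, path in [("harry", "mars", "/"), ("sally", "venus", "/bugs/1.txt"),
                            ("harry", "venus", "/bugs/1.txt"), (None, "mars", "/")]:
        print(who, repo, path, repr(access(rules, who, repo, path)))
```

Check on your own server version that a section written with a trailing slash, such as [venus:/bugs/], is matched; writing it as [venus:/bugs] avoids the question.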
Installing trac
First follow the instructions discussed earlier in this document to install Trac. Once Trac is installed, create Trac environments for each of the repositories.
su - svn
mkdir /srv/svn/tracenv
mkdir /srv/svn/tracenv/mars
mkdir /srv/svn/tracenv/venus
trac-admin /srv/svn/tracenv/mars initenv
trac-admin /srv/svn/tracenv/venus initenv
Add the following lines to httpd.conf to make these repositories available
ScriptAlias /trac /usr/local/trac/share/trac/cgi-bin/trac.cgi
<Location "/trac">
    SetEnv TRAC_ENV_PARENT_DIR "/srv/svn/tracenv/"
</Location>

AuthType Basic
AuthName "My Trac"
AuthUserFile /srv/svn/conf/passwd
Require valid-user

This will allow everyone to access the repositories at https://remote.host/trac/. If you do not want anonymous access, instead include something like:
ScriptAlias /trac/mars /usr/local/trac/share/trac/cgi-bin/trac.cgi
<Location "/trac/mars">
    SetEnv TRAC_ENV "/srv/svn/tracenv/mars"
    Require user harry
    AuthType Basic
    AuthName "My Trac"
    AuthUserFile /srv/svn/conf/passwd
</Location>
ScriptAlias /trac/venus /usr/local/trac/share/trac/cgi-bin/trac.cgi
<Location "/trac/venus">
    SetEnv TRAC_ENV "/srv/svn/tracenv/venus"
    Require user sally
    AuthType Basic
    AuthName "My Trac"
    AuthUserFile /srv/svn/conf/passwd
</Location>
In this case, harry can access Trac for mars and sally can access Trac for venus. The Require clause in the above rules can also be followed by valid-user instead of a list of users to allow access by everyone in the passwd file.
trac-admin can be used to grant privileges to users on Trac:
trac-admin /srv/svn/tracenv/venus permission list
trac-admin /srv/svn/tracenv/venus permission add sally TRAC_ADMIN
Notes
• All init scripts in this document are SuSE style. They may require editing before they can be used with other distributions.
• If you find an error, please email me, or leave a comment at my blog, and I will update the document.
References
• Subversion Redbook - http://svnbook.red-bean.com/
• TracInstall - http://projects.edgewall.com/trac/wiki/TracInstall
• Multiuser Subversion - http://www.onlamp.com/pub/a/apache/2002/12/19/svn2.html
