9.7.10

HOWTO: Hosting a Subversion Repository

Author: Nilesh Bansal, Created: December 2005, Updated: $Date: 2007-06-03 02:13:49 -0400 (Sun, 03 Jun 2007) $.


This document explains in detail the procedure to set up a subversion repository (with trac) in a Linux-based environment. Depending on the needs, one of the following three schemes can be selected:

 

1. Subversion Over ssh

If only one user is going to use the repository, it is easiest to use the subversion server over ssh. In order to do so, you will first need to choose a directory to store all the files of the repository and then initialize it using the following commands:

mkdir /home/user/myrepo/
svnadmin create /home/user/myrepo/

You may now edit the configuration file to change the access rules. For example the /home/user/myrepo/conf/svnserve.conf can be:

[general]
anon-access = read
auth-access = write
realm = My First Repository
password-db = passwd

In this case, anyone can read the contents of the repository, but only the user who has write permissions to the filesystem where the repository is hosted can write to it.

Now the repository can be accessed using the following url

svn+ssh://user@remote.host/home/user/myrepo/

This means that the subversion client will first ssh to remote.host, where the user can log in using the system password, and then will start the subversion server in tunnel mode as svnserve -t -r /home/user/repo/.

Further details can be found at http://svnbook.red-bean.com/en/1.1/ch06s03.html

 

2. Subversion Using svnserve

If fine-grained access control and high security are not a requirement, use of the custom server svnserve is the best choice. The user will first need to choose a directory to store all the files of the repository and then initialize it using the following commands:

mkdir /home/user/myrepo/
svnadmin create /home/user/myrepo/

The user may now edit the configuration file to change the access rules. An example /home/user/myrepo/conf/svnserve.conf will be:

[general]
anon-access = read
auth-access = write
realm = My First Repository
password-db = passwd

In this case, an anonymous user can read the contents of the repository, but only an authenticated user can write to it. passwd is the file that will contain the usernames and passwords for all the users. The format of this file is as follows (username followed by the password, separated by a colon):

harry:passwd1
sally:passwd2

The password file contains nothing except a list of user:passwd entries, one per line. If using svnserve, the password needs to be stored in cleartext. Note that an alternate format for this file is possible as suggested elsewhere, but I have not tried using that format (format described above is tested against svn version 1.2.3). To create the encrypted passwords, the following small perl script can be used (replace mypasswd with your password):

# pick a random two-character salt; crypt($pass, $pass) would reveal the first two characters of the password in the hash
perl -e '$pass="mypasswd"; $salt=join "", (".", "/", 0..9, "A".."Z", "a".."z")[rand 64, rand 64]; print crypt($pass, $salt), "\n";'
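Because svnserve keeps the passwords in this file in cleartext, the file's permissions matter. The following check is an added example, not part of the original HOWTO: it reads svnserve.conf, resolves the password-db entry and reports a password file that group or others can access. The function names and the temporary sample directory are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

def audit_conf(conf_dir):
    """Return findings for svnserve.conf in conf_dir and the password-db it names."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(os.path.join(conf_dir, "svnserve.conf"))
    general = cfg["general"] if cfg.has_section("general") else {}
    findings = []
    # Assumption: with no anon-access line, svnserve defaults to anonymous read.
    if general.get("anon-access", "read") == "write":
        findings.append("anon-access = write: anyone who can reach the port can commit")
    db = general.get("password-db")
    if db:
        # A relative password-db is resolved against the conf/ directory.
        path = os.path.join(conf_dir, db)
        if not os.path.isfile(path):
            findings.append("password-db %s is missing" % path)
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append("password-db %s is accessible by group/others "
                            "and holds cleartext passwords" % path)
    return findings

def make_sample(mode):
    """Build a constructed conf/ directory using the settings shown on this page."""
    conf_dir = tempfile.mkdtemp(prefix="myrepo-conf-")
    with open(os.path.join(conf_dir, "svnserve.conf"), "w") as f:
        f.write("[general]\nanon-access = read\nauth-access = write\n"
                "realm = My First Repository\npassword-db = passwd\n")
    passwd = os.path.join(conf_dir, "passwd")
    with open(passwd, "w") as f:
        f.write("harry:passwd1\nsally:passwd2\n")
    os.chmod(passwd, mode)
    return conf_dir

if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(oct(mode), audit_conf(make_sample(mode)))
```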

The subversion server can now be started using the command svnserve -d -R -r /home/user/myrepo/ (this runs on port 631). Note that -R forces read-only access, so omit it if authenticated users need to commit. Since this command needs to be executed every time the system reboots, the user may use the system init scripts. Many Linux distributions (like SuSE) that ship with svnserve provide the init script in /etc/init.d/. In this case the server can be started using (after modifying the script to adjust the repository path):

chkconfig svnserve on    #always start at boot
/etc/init.d/svnserve start    #start now

If the init script is not available, the following script can be copied to /etc/init.d/svnserve (do not forget to change the permissions to executable):

#!/bin/sh
#File: /etc/init.d/svnserve
REPO_ROOT=/home/user/myrepo/
SVN_UID=user
SVN_GID=user
. /etc/rc.status
rc_reset
case "$1" in
   start)
     echo -n "Starting svnserve "
     startproc -u $SVN_UID -g $SVN_GID -e svnserve -d -R -r $REPO_ROOT
     rc_status -v
     ;;
   stop)
     echo -n "Shutting down svnserve "
     killproc -TERM svnserve
     rc_status -v
     ;;
   restart)
     $0 stop
     $0 start
     rc_status
     ;;
   *)
     echo "Usage: $0 {start|stop|restart}"
     exit 1
     ;;
esac
rc_exit

The repository can now be accessed using the following url:

svn://username@remote.host/

 

Installing trac

Trac is a web-based software development management system built around subversion. First download Trac from http://projects.edgewall.com/trac/wiki/TracDownload. Check http://projects.edgewall.com/trac/wiki/TracInstall for additional packages that may be required. Subversion and python are usually available in all the distributions. To install clearsilver:

wget http://www.clearsilver.net/downloads/clearsilver-0.10.2.tar.gz
tar zxvf clearsilver-0.10.2.tar.gz
cd clearsilver-0.10.2/
./configure --with-python=/usr/bin/python
make
su -c "make install"

If trac complains about a missing neo package, you may have to copy neo_cgi.so manually to /usr/lib/python2.3/site-packages/. To install the PySQLite project, first install SQLite3:

wget http://www.sqlite.org/sqlite-3.2.8.tar.gz
tar zxvf sqlite-3.2.8.tar.gz ; cd sqlite-3.2.8
./configure --prefix=/usr/ --disable-tcl
make && make install

and now install PySQLite

wget http://initd.org/pub/software/pysqlite/releases/2.0/2.0.5/pysqlite-2.0.5.tar.gz
tar zxvf pysqlite-2.0.5.tar.gz ; cd pysqlite-2.0.5
python ./setup.py install

To install Trac

wget http://ftp.edgewall.com/pub/trac/trac-0.9.2.tar.gz
tar zxvf trac-0.9.2.tar.gz
cd trac-0.9.2
python ./setup.py install

Run ldconfig if Trac complains about missing libraries

Trac environment can now be initialized as

trac-admin /home/user/trac-env/ initenv

Trac standalone server can now be started as

tracd --port 8080 /home/user/trac-env/

Then, fire up a browser and visit http://remote.host:8080/. A simple listing of all environments that tracd knows about should be displayed. Note that both svnserve and tracd should run with the same uid, otherwise there may be permission conflicts.

Since the Trac server needs to be started after every boot, the user may copy the following to /etc/init.d/tracd and run chkconfig tracd on.

#!/bin/sh
#File: /etc/init.d/tracd
# Trac environment initialized with trac-admin above
TRAC_ENV=/home/user/trac-env/
SVN_UID=user
SVN_GID=user
. /etc/rc.status
rc_reset
case "$1" in
   start)
     echo -n "Starting tracd "
     # run tracd as a daemon under the same uid/gid as svnserve
     startproc -u $SVN_UID -g $SVN_GID -e tracd -d --port 8080 $TRAC_ENV
     rc_status -v
     ;;
   stop)
     echo -n "Shutting down tracd "
     killproc -TERM tracd
     rc_status -v
     ;;
   restart)
     $0 stop
     $0 start
     rc_status
     ;;
   *)
     echo "Usage: $0 {start|stop|restart}"
     exit 1
     ;;
esac
rc_exit

 

3. Subversion With Apache and SSL

If you need to host a repository that is going to be used by many projects and users and requires fine-grained access control, you may choose to use apache httpd with ssl to host it. In this case, since the rpms for some required packages may not be available, you may need to compile everything from source.

First install apache httpd

wget http://apache.mirrored.ca/httpd/httpd-2.0.55.tar.gz
tar zxvf httpd-2.0.55.tar.gz; cd httpd-2.0.55
./configure --prefix=/usr/local/subversion/ --enable-dav --enable-so --enable-ssl
make && make install

Now install subversion

wget http://subversion.tigris.org/downloads/subversion-1.2.3.tar.gz
tar zxvf subversion-1.2.3.tar.gz ; cd subversion-1.2.3
./configure --prefix=/usr/local/subversion/ --with-apxs=/usr/local/subversion/bin/apxs --with-ssl
make && make install
make swig-py && make install-swig-py


Create a new user and group to run the server for the repository:

groupadd svn
useradd -m -d /srv/svn/ -g svn svn

Create the repositories. Let's assume that we need two repositories named mars and venus.

su - svn
mkdir /srv/svn/repositories/
mkdir /srv/svn/repositories/mars/
mkdir /srv/svn/repositories/venus/
svnadmin create /srv/svn/repositories/mars/
svnadmin create /srv/svn/repositories/venus/


Now edit /usr/local/subversion/conf/httpd.conf to include the following lines:

ServerRoot "/usr/local/subversion/"
User svn
Group svn
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so


Turn SSL on by including the following lines

Listen 443
SSLEngine On
SSLCertificateFile /usr/local/subversion/cert/server.crt
SSLCertificateKeyFile /usr/local/subversion/cert/server.key

Where server.crt contains the SSL certificate. To create a self signed certificate refer to http://www.akadia.com/services/ssh_test_certificate.html.

Now include the following lines in httpd.conf to allow access to svn repository

<Location /svn/users/>
Order allow,deny
Allow from all
DAV svn
SVNParentPath /srv/svn/repositories/
# our access control policy
AuthzSVNAccessFile /srv/svn/conf/users-access-file
#try anonymous access first, resort to real
#authentication if necessary.
Satisfy Any
Require valid-user
# how to authenticate a user
AuthType Basic
AuthName "My Subversion repository"
AuthUserFile /srv/svn/conf/passwd
</Location>

The passwd file (as discussed earlier in this document) contains username and password pairs, and users-access-file contains the access rules. Unlike svnserve, the password can be encrypted using one of the many encryption algorithms supported (including the one used by UNIX for /etc/passwd). An example users-access-file is as follows:

[/]
* =
[mars:/]
harry = r
sally = rw
[venus:/]
sally = rw
[venus:/bugs/]
sally =
harry = rw

The first line means that the anonymous user ("*") has no access to the repository. harry can read, while sally can both read and write, in the mars repository. sally can also read and write in the venus repository (except for the directory bugs, which only harry can access and modify).
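To test such a policy before deploying it, the rules can be evaluated offline. The following is an added example, not part of the original HOWTO and not mod_authz_svn's own code: a simplified model that parses the access file above and resolves one user's permission on a path. The function names are illustrative, groups are not modelled, and trailing slashes in section names are normalised as an assumption.

```python
# Access file from the page, embedded so the example runs offline.
ACCESS_FILE = """\
[/]
* =
[mars:/]
harry = r
sally = rw
[venus:/]
sally = rw
[venus:/bugs/]
sally =
harry = rw
"""

def parse_access_file(text):
    """Map (repo or None, normalised path) -> {principal: permission letters}."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            repo, sep, path = line[1:-1].rpartition(":")
            # Assumption: trailing slashes are dropped, so [venus:/bugs/] covers /bugs.
            section = rules.setdefault((repo if sep else None, "/" + path.strip("/")), {})
        elif section is not None and "=" in line:
            who, _, perms = line.partition("=")
            section[who.strip()] = perms.strip()
    return rules

def access(rules, user, repo, path):
    """Return '', 'r' or 'rw' for user (None = anonymous) at repo:path."""
    parts = [p for p in path.split("/") if p]
    # Most specific path first, then each parent up to the root.
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        # A repository-qualified section is consulted before the unqualified one.
        for key in ((repo, candidate), (None, candidate)):
            section = rules.get(key, {})
            matched = [section[w] for w in (user, "*") if w in section]
            if matched:
                # Union of the matching lines; an empty value grants nothing.
                return "".join(c for c in "rw" if any(c in m for m in matched))
    return ""  # no section mentions this user: deny

if __name__ == "__main__":
    rules = parse_access_file(ACCESS_FILE)
    for who, repo, path in [(None, "mars", "/"), ("harry", "venus", "/trunk"),
                            ("harry", "venus", "/bugs/1"), ("sally", "venus", "/bugs/1")]:
        print(who, repo, path, repr(access(rules, who, repo, path)))
```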

Now create the init script /etc/init.d/apache

#!/bin/sh
#File: /etc/init.d/apache
. /etc/rc.status
# httpd binary and configuration file built and edited above
HTTPD=/usr/local/subversion/bin/httpd
CONFFILE=/usr/local/subversion/conf/httpd.conf
rc_reset
case "$1" in
   start)
     echo -n "Starting httpd "
     startproc -e $HTTPD -f $CONFFILE
     rc_status -v
     ;;
   stop)
     echo -n "Shutting down httpd "
     killproc -TERM $HTTPD
     rc_status -v
     ;;
   restart)
     $0 stop
     $0 start
     rc_status
     ;;
   *)
     echo "Usage: $0 {start|stop|restart}"
     exit 1
     ;;
esac
rc_exit

and start the server by

chkconfig apache on
/etc/init.d/apache start

Now the repositories should be accessible on

https://remote.host/svn/mars/
https://remote.host/svn/venus/

Installing trac


First follow the instructions discussed earlier in this document to install trac. Once trac is installed, create trac environments for each of the repositories.

su - svn
mkdir /srv/svn/tracenv
mkdir /srv/svn/tracenv/mars
mkdir /srv/svn/tracenv/venus
trac-admin /srv/svn/tracenv/mars initenv
trac-admin /srv/svn/tracenv/venus initenv

Add the following lines to httpd.conf to make these repositories available

ScriptAlias /trac /usr/local/trac/share/trac/cgi-bin/trac.cgi
<Location "/trac">
SetEnv TRAC_ENV_PARENT_DIR "/srv/svn/tracenv/"
</Location>
<LocationMatch "/trac/[^/]+/login">
AuthType Basic
AuthName "My Trac"
AuthUserFile /srv/svn/conf/passwd
Require valid-user
</LocationMatch>

This will allow everyone to access the repositories at https://remote.host/trac/. If you do not want anonymous access, instead include something like:

ScriptAlias /trac/mars /usr/local/trac/share/trac/cgi-bin/trac.cgi
<Location "/trac/mars/">
SetEnv TRAC_ENV "/srv/svn/tracenv/mars"
Require user harry
AuthType Basic
AuthName "My Trac"
AuthUserFile /srv/svn/conf/passwd
</Location>
ScriptAlias /trac/venus /usr/local/trac/share/trac/cgi-bin/trac.cgi
<Location "/trac/venus/">
SetEnv TRAC_ENV "/srv/svn/tracenv/venus"
Require user sally
AuthType Basic
AuthName "My Trac"
AuthUserFile /srv/svn/conf/passwd
</Location>

In this case, harry can access trac for mars and sally can access trac for venus. The Require clause in the above rules can also be followed by valid-user instead of a list of users to allow access by everyone in the passwd file.

trac-admin can be used to grant privileges to users on trac

trac-admin /srv/svn/tracenv/venus permission list
trac-admin /srv/svn/tracenv/venus permission add sally TRAC_ADMIN

Notes



  • All init scripts in this document are SuSE style. They may require editing before they can be used with other distributions.



  • If you find an error, please email me, or leave a comment at my blog, and I will update the document.

