Accepting request 176189 from home:AndreasStieger:branches:devel:tools:scm:svn

- add systemd support for svnserve
- package now contains user and group svn
- adjust and extend README.SuSE to cover a quickstart with both
  mod_dav_svn and svnserve, mention the user/group requirement for
  parallel operation and make text more compact by referencing the
  template config file [bnc#781980]

OBS-URL: https://build.opensuse.org/request/show/176189
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm:svn/subversion?expand=0&rev=118

subversion.README.SuSE

@@ -1,220 +1,175 @@
+Quickstart document for Apache Subversion on openSUSE.
+
+For the full documentation, install the package subversion-doc and see
+/usr/share/doc/packages/subversion/html/book/svn-book.html
+An online version can be found at http://svnbook.red-bean.com/
+
 Topics:
 
-1. backup and restore your repository data
-2. create svn user/group for svnserve
-3. mini-howto for 2 projects
-4. quickstart for mod_dontdothat
+1. mini-howto
+2. allowing anonymous read access
+3. serving several repositories with SVNParentPath 
+4. serving the repositories at "/"
+5. running svnserve
+6. quickstart for mod_dontdothat
 
 ================================================================================
 
-1. backup and restore your repository data
+1. mini-howto
 
-subversion repositories use either the Berkeley Database system libraries,
-or the FSFS database format which comes with the subversion package.
-Since the BDB system libraries often introduce a new incompatible format during
-version upgrade, a backup/restore of all the subversion repositories must be
-performed _BEFORE_ doing such a system upgrade.
-'svnadmin dump' will write the repository to stdout in a 'dumpfile' format.
-This dumpfile can be loaded later with 'svnadmin load'.
+To run a subversion server, you need to configure apache2 to load two modules: 
+mod_dav and mod_dav_svn.
 
-
-2. create svn user/group for svnserve
-
-subversion repositories can be served either via http, or via the svnserve
-daemon and a special network protocol. svnserve should not run as root user.
-The startup script rcsvnserve expects a user/group named 'svn', configureable
-via /etc/sysconfig/svnserve.
-
-But this user/group must be created before first use:
-
-	groupadd svn
-	useradd  -d /srv/svn -s /bin/false -g svn svn
-
-
-3. mini-howto for 2 projects
-
-To run a subversion server, you need to configure apache2 to load two apache2
-modules: mod_dav and mod_dav_svn. (mod_dav is needed by mod_dav_svn, it is
-installed together with apache2.)
-
-This is done by adding the dav and dav_svn modules to the apache2 configuration
-(a2enmod dav; a2enmod dav_svn), and restarting the server.
+  zypper in subversion-server
+  a2enmod dav
+  a2enmod dav_svn
 
 A default/example configuration of the dav_svn module can be found in
-/etc/apache2/conf.d/subversion.conf. With more recent apache
-packages, this configuration is *not* loaded automatically by
-the apache server, since many people configure virtual hosts
-and it is unlikely that the repositories shall be available
-from any virtual host. To load the configuration for a certain
-virtual host, add 
-  Include /etc/apache2/conf.d/subversion.conf
-or 
-  Include /path/to/your_subversion_configuration
-in the respective virtual host configuration. This *may* be done in the default
-virtual host (/etc/apache2/default-server.conf).
+/etc/apache2/conf.d/subversion.conf. The current default configuration
+automatically includes this file the default server configuration.
 
+Create some directories to contain the repositories and other files:
 
+  mkdir -p /srv/svn/repos
+  mkdir -p /srv/svn/user_access
+  mkdir -p /srv/svn/html
 
-Minihowto:
+Edit /etc/apache2/conf.d/subversion.conf and uncomment the desired sections.
 
+The first section "project related HTML files" is optional and will allow you
+to return some static content when /repos is accessed alone. If you do not need
+this, discard this section. 
 
-The plan:
+If instead you wish to show a list of repositories, set "SVNListParentPath on"
+later. See for details:
+http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html#svn.serverconfig.httpd.extra.browsing.reposlisting
 
-host 2 source projects with subversion
-both must have anonymous read access
-both must have limited write access for a few users
-they are accessed only via HTTP, not (!) locally
-they will be reachable via:
+The section following that will configure a repository to be served out of 
+the path /srv/svn/repos/myproject1. Note that the location "/repo/myproject1"
+and "SVNPath" is specified explicitly, see section 3 for an alternative.
 
- http://hostname/repos/project1
- http://hostname/repos/project2
+To create the repository itself:
 
-Both will have the official version of the source tree and our modified
-version for the distribution. Projects in question are:
-project1
-project2
-
-The realisation:
-
-find a machine to host the projects. Keep backup (and restore!) in mind
-when hunting for hardware.
-
-install needed packages
-(you might check for update packages on
-ftp://ftp.suse.com/pub/projects/apache/ )
-
-rpm -Uvh \
-	apache2 \
-	apache2-doc \
-	apache2-prefork \
-	libapr1 \
-	libapr-util1 \
-	neon \
-	subversion \
-	subversion-doc \
-	subversion-server
-
-
-
-# Update /etc/sysconfig/apache2 by
-# adding 'dav dav_svn' to $APACHE_MODULES:
-a2enmod dav
-a2enmod dav_svn
-
-create a few directories:
-mkdir -p /srv/svn/repos
-mkdir -p /srv/svn/user_access
-mkdir -p /srv/svn/html
-
-Add the http repository data to /etc/apache2/conf.d/subversion.conf:
-#------------------------------------------------------------------------
-#
-# project related HTML files
-#
-<IfModule mod_alias.c>
-Alias /repos	"/srv/svn/html"
-</IfModule>
-<Directory /srv/svn/html>
-	Options		+Indexes +Multiviews -FollowSymLinks
-	IndexOptions	FancyIndexing \
-			ScanHTMLTitles \
-			NameWidth=* \
-			DescriptionWidth=* \
-			SuppressLastModified \
-			SuppressSize
-
-	order allow,deny
-	allow from all
-</Directory>
-
-
-# project repository files for project1
-<Location /repos/project1>
-	DAV svn
-	SVNPath /srv/svn/repos/project1
-
-	# Limit write access to certain people
-	AuthType Basic
-	AuthName "Authorization for project1 required"
-	AuthUserFile /srv/svn/user_access/project1_passwdfile
-	AuthGroupFile /srv/svn/user_access/project1_groupfile
-	<LimitExcept GET PROPFIND OPTIONS REPORT>
-	Require group project1_committers
-	</LimitExcept>
-
-	# Limit read access to certain people
-	<Limit GET PROPFIND OPTIONS REPORT>
-	Require group project1_committers
-	Require group project1_readers
-	</Limit>
-
-</Location>
-
-# project repository files for project2
-<Location /repos/project2>
-	DAV svn
-	SVNPath /srv/svn/repos/project2
-
-	# Limit write permission to list of valid users.
-	<LimitExcept GET PROPFIND OPTIONS REPORT>
-		# Require SSL connection for password protection.
-		# SSLRequireSSL
-
-		AuthType Basic
-		AuthName "Authorization for project2 required"
-		AuthUserFile /srv/svn/user_access/project2_passwdfile
-		Require valid-user
-	</LimitExcept>
-</Location>
-#------------------------------------------------------------------------
-
-create the repositories itself:
-cd /srv/svn/repos
-svnadmin create project1
-chown -R wwwrun:www project1/{dav,db,locks}
-svnadmin create project2
-chown -R wwwrun:www project2/{dav,db,locks}
+  cd /srv/svn/repos
+  svnadmin create project1
+  chown -R wwwrun:www project1/{db,locks}
 
+If using svnserve is not planned, /srv/svn/repos may be owned by wwrun:www.
+Otherwise see instruction in the svnserve section on how to use the user and
+group svn.
 
 The webserver must be (re)started:
-rcapache2 restart
 
-Now create the user access files:
-project1 is a restricted project.
-read access requires a password
-write access is limited to a few users
-touch /srv/svn/user_access/project1_passwdfile
-chown root:www /srv/svn/user_access/project1_passwdfile
-chmod 640 /srv/svn/user_access/project1_passwdfile
+  rcapache2 restart
 
-htpasswd2 /srv/svn/user_access/project1_passwdfile olaf
-htpasswd2 /srv/svn/user_access/project1_passwdfile olh
+To create the user access files:
 
-this is the group file for project1:
-/srv/svn/user_access/project1_groupfile
-content:
-project1_committers: olh
-project1_readers: olaf olh
+  touch /srv/svn/user_access/project1_passwdfile
+  chown root:www /srv/svn/user_access/project1_passwdfile
+  chmod 640 /srv/svn/user_access/project1_passwdfile
 
-project2 is world readable, but only a few can commit to the sources.
-touch /srv/svn/user_access/project2_passwdfile
-chown root:www /srv/svn/user_access/project2_passwdfile
-chmod 640 /srv/svn/user_access/project2_passwdfile
-htpasswd2 /srv/svn/user_access/project2_passwdfile olaf 
+  htpasswd2 /srv/svn/user_access/project1_passwdfile user1
+  htpasswd2 /srv/svn/user_access/project1_passwdfile user2
 
-You should be able to connect to the server:
-http://host/repos/project2
-http://host/repos/project1
+Create the group file for project1:
+  /srv/svn/user_access/project1_groupfile
 
-Now import the data, e.g.
-svn import /path/to/project2-tree http://host/repos/project2
+  project1_committers: user2
+  project1_readers: user1 user2
 
 
+You can test access by:
 
+  svn info http://127.0.0.1/repos/project1
 
+================================================================================
 
+2. allowing anonymous read access
 
-4. quickstart for mod_dontdothat
+To allow anonymous read access, remove the <Limit GET...> section and move the
+three Auth* statements into the <LimitExcept GET...> section.
+
+================================================================================
+
+3. serving several repositories with SVNParentPath 
+
+When serving several repositories, instead of specifying each location with
+SVNPath in a separate location, you can use SVNParentPath with a single location.
+Change the <Location ...> directive form the template to start with the following:
+
+  <Location /repos/>
+    DAV svn
+    SVNParentPath /srv/svn/repos
+    SVNListParentPath on  
+
+Do not forget to restart the apache service to make the configuration effective.
+
+  service apache2 restart
+
+================================================================================
+
+4. serving the repositories at "/"
+
+Include the configuration into the relevant vhost configuration. Uncomment the 
+section in the template files labeled 'Hosting svn at "/"' and adjust as required.
+Note that this example uses "SVNParentPath" as given in the previous section.
+
+================================================================================
+
+5. running svnserve
+
+Subversion repositories can be via the svnserve daemon and a special network 
+protocol. svnserve should not run as root user. The startup scripts expects a 
+user/group named 'svn', configureable via /etc/sysconfig/svnserve.
+
+The subversion package now creates a user and group svn.
+
+If you want to expose the repository via both svnserve and mod_dav_svn
+(Apache httpd) in parallel, ensure that the apache user is part of the
+svn group.
+
+  usermod -A svn wwwrun
+
+This requires a restart of the apache2 service to become effective.
+
+Change the permissions to let the svn group write, and set the setgid flag
+on the repositories.
+
+  chown -R svn:svn /srv/svn/repos
+  chmod -R g+ws /srv/svn/repos
+
+Then proceed to create reposititories using svnadmin create described above.
+
+In either case, if using svnserve, ensure that the repositories are owned by
+svn:svn.
+
+The settings files with the options passed to the daemon is is located in:
+
+  /etc/sysconfig/svnserve
+
+To start, ensure proper ownership of repositories and run:
+
+  service svnserve start
+
+For further information about multi-method repository access, see
+http://svnbook.red-bean.com/en/1.7/svn.serverconfig.multimethod.html
+
+You can test repository access by:
+
+  svn info svn://127.0.0.1/project1
+
+Please note that by default, svnserve is configured to be started with -R,
+meaning read-only access only. Remove to allow write access, after you have
+configued access via
+
+  /srv/svn/repos/repo1/conf/svnserve.conf
+
+To configue authentication for svnserve, see
+http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth
+
+================================================================================
+
+6. quickstart for mod_dontdothat
 
 The apache module mod_dontdothat can be used to prevent users from causing high
 load on the server, e.g. checking out the root of the tree or the tags or 
@@ -227,7 +182,7 @@ Add configuration for the module, e.g.
 
 <Location />
   DAV svn
-  SVNParentPath /srv/svn/repositories/
+  SVNParentPath /srv/svn/repos/
   SVNListParentPath on
   # [...other configuration...]
   <IfModule mod_dontdothat.c>

subversion.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon May 20 19:30:52 UTC 2013 - andreas.stieger@gmx.de
+
+- add systemd support for svnserve
+- package now contains user and group svn
+- adjust and extend README.SuSE to cover a quickstart with both
+  mod_dav_svn and svnserve, mention the user/group requirement for
+  parallel operation and make text more compact by referencing the
+  template config file [bnc#781980]
+
 -------------------------------------------------------------------
 Tue May 14 21:52:35 UTC 2013 - andreas.stieger@gmx.de
 

subversion.conf

@@ -1,5 +1,7 @@
 # Example configuration for a subversion repository
-# see /usr/share/doc/packages/subversion for the full documentation
+# Install the package subversion-doc and see
+# /usr/share/doc/packages/subversion for the full documentation
+# An online version can be found at http://svnbook.red-bean.com/
 #
 
 <IfModule mod_dav_svn.c>
@@ -28,17 +30,26 @@
 #<Location /repos/myproject1>
 #   DAV svn
 #   SVNPath /srv/svn/repos/myproject1
-
+#
+#   AuthType Basic
+#   AuthName "Authorization Realm"
+#   AuthUserFile /srv/svn/user_access/myproject1_passwdfile
+#
+#   # Limit read access to certain people
+#   <Limit GET PROPFIND OPTIONS REPORT>
+#      # uncomment to require SSL connection for password protection.
+#      # SSLRequireSSL
+#      Require group project1_committers
+#      Require group project1_readers
+#   </Limit>
+#
 #   # Limit write permission to list of valid users.
 #   <LimitExcept GET PROPFIND OPTIONS REPORT>
-#      # Require SSL connection for password protection.
+#      # uncomment to require SSL connection for password protection.
 #      # SSLRequireSSL
-#
-#      AuthType Basic
-#      AuthName "Authorization Realm"
-#      AuthUserFile /srv/svn/user_access/myproject1_passwdfile
-#      Require valid-user
+#      Require project1_committers
 #   </LimitExcept>
+#
 #</Location>
 
 ##
@@ -73,7 +84,7 @@
 #    #
 #    <Location />
 #      DAV svn
-#      SVNParentPath /srv/svn/repositories/
+#      SVNParentPath /srv/svn/repos/
 #      SVNListParentPath on
 #      AuthType Basic
 #      AuthName "subversion repository"

subversion.spec

@@ -45,6 +45,9 @@
 %define with_bashcomp 1
 %endif
 
+%define svngroup svn
+%define svnuser svn
+
 Name:           subversion
 Version:        1.7.9
 Release:        0
@@ -63,6 +66,14 @@ BuildRequires:  python-devel
 BuildRequires:  python-xml
 BuildRequires:  update-alternatives
 BuildRequires:  zlib-devel
+Requires(pre):	pwdutils
+#
+%if 0%{?suse_version} > 1140
+BuildRequires:  pkgconfig(systemd)
+%{?systemd_requires}
+%define has_systemd 1
+%endif
+#
 %if %with_bashcomp
 BuildRequires:  bash-completion
 %endif #with_bashcomp
@@ -138,6 +149,8 @@ Source9:        subversion.rcsvnserve
 Source10:       subversion.sysconfig.svnserve
 Source12:       subversion.sysconfig.svnserve.remoteaccess
 Source13:       subversion.xinetd.svnserve
+Source14:       svnserve.service
+Source15:       svnserve.tmpfiles
 Source42:       subversion.svngrep.sh
 Source43:       subversion.svndiff.sh
 # https://people.apache.org/keys/group/subversion.asc
@@ -582,6 +595,13 @@ install -m 755 -D %{S:9} $RPM_BUILD_ROOT/etc/init.d/svnserve
 ln -sv /etc/init.d/svnserve $RPM_BUILD_ROOT/usr/sbin/rcsvnserve
 install -m 644 -D %{S:10} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.svnserve
 install -m 644 -D %{S:12} $RPM_BUILD_ROOT/%{_fwdefdir}/svnserve
+%{__install} -d -m 0755 %{buildroot}/srv/svn
+%if 0%{?has_systemd}
+install -m 644 -D %{S:14} $RPM_BUILD_ROOT/%{_unitdir}/svnserve.service
+%{__install} -d -m 0755 %{buildroot}/var/run/svnserve/
+%{__install} -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
+%{__install} -m 0644 %{SOURCE15} %{buildroot}/usr/lib/tmpfiles.d/svnserve.conf
+%endif
 #useless libtool stuff
 rm -f %{buildroot}%{_libdir}/*.la
 if [ "$with_jdk" != "" ] ; then
@@ -743,16 +763,33 @@ kill -9 `cat "$HTTPD_PIDFILE" 2>/dev/null`
 %clean
 %__rm -rf "%{buildroot}"
 
+%pre
+getent group %{svngroup} >/dev/null || groupadd -r %{svngroup}
+getent passwd %{svnuser} >/dev/null || useradd -r -g %{svngroup} -d /srv/svn -s /sbin/nologin -c "user for Apache Subversion svnserve" %{svnuser}
+%if 0%{?has_systemd}
+%service_add_pre svnserve.service
+%endif
+
 %preun
 %stop_on_removal svnserve
+%if 0%{?has_systemd}
+%service_del_preun svnserve.service
+%endif
 
 %post
 %{fillup_and_insserv -n svnserve svnserve}
+%if 0%{?has_systemd}
+%service_add_post svnserve.service
+systemd-tmpfiles --create /usr/lib/tmpfiles.d/svnserve.conf
+%endif
 /sbin/ldconfig
 
 %postun
 %restart_on_update svnserve
 %{insserv_cleanup}
+%if 0%{?has_systemd}
+%service_del_postun svnserve.service
+%endif
 /sbin/ldconfig
 
 %post -n subversion-python -p /sbin/ldconfig
@@ -790,7 +827,13 @@ kill -9 `cat "$HTTPD_PIDFILE" 2>/dev/null`
 %attr(754,root,root) /etc/init.d/svnserve
 %attr(754,root,root) /usr/sbin/rcsvnserve
 /var/adm/fillup-templates/sysconfig.svnserve
+%dir %attr(755,%{svnuser},%{svngroup}) /srv/svn
 %config %{_fwdefdir}/*
+%if 0%{?has_systemd}
+%{_unitdir}/svnserve.service
+%ghost %dir %attr(755,%{svnuser},%{svngroup}) /var/run/svnserve
+/usr/lib/tmpfiles.d/svnserve.conf
+%endif
 #
 %attr(755,root,root) /usr/bin/svn
 %attr(755,root,root) /usr/bin/svnadmin

subversion.sysconfig.svnserve

@@ -8,7 +8,7 @@
 # The -R option enforces read-only access, i.e. write operations to the
 # repository (such as commits) will not be allowed.
 # Authentication should be configured before allowing write access.
-# See http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth
+# See http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth
 #
 SVNSERVE_OPTIONS="-d -R -r /srv/svn/repos"
 
@@ -16,8 +16,12 @@ SVNSERVE_OPTIONS="-d -R -r /srv/svn/repos"
 ## Default	"svn"
 #
 # svnserve should run as unprivileged user.
-# The userid/groupid svn is not created during package install.
-# Run 'groupadd svn; useradd -d /srv/svn -s /bin/false -g svn svn' to create the userid/groupid.
+# If you want to expose the repository via both svnserve and mod_dav_svn
+# (Apache httpd) in parallel, ensure that the apache user is part of the
+# svn group and the setgid flag is set on the repositories
+# usermod -A svn wwwrun
+# chmod -R g+s /srv/svn/repos
+# See http://svnbook.red-bean.com/en/1.7/svn.serverconfig.multimethod.html
 #
 SVNSERVE_USERID="svn"
 
@@ -25,7 +29,11 @@ SVNSERVE_USERID="svn"
 ## Default	"svn"
 #
 # svnserve should run as unprivileged user.
-# The userid/groupid svn is not created during package install.
-# Run 'groupadd svn; useradd -d /srv/svn -s /bin/false -g svn svn' to create the userid/groupid.
+# If you want to expose the repository via both svnserve and mod_dav_svn
+# (Apache httpd) in parallel, ensure that the apache user is part of the
+# svn group and the setgid flag is set on the repositories
+# usermod -A svn wwwrun
+# chmod -R g+s /srv/svn/repos
+# See http://svnbook.red-bean.com/en/1.7/svn.serverconfig.multimethod.html
 #
 SVNSERVE_GROUPID="svn"

svnserve.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Subversion protocol daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+EnvironmentFile=/etc/sysconfig/svnserve
+User=svn
+Group=svn
+PIDFile=/var/run/svnserve/svnserve.pid
+ExecStart=/usr/bin/svnserve --daemon --pid-file=/var/run/svnserve/svnserve.pid $SVNSERVE_OPTIONS
+
+[Install]
+WantedBy=multi-user.target

svnserve.tmpfiles

@@ -0,0 +1 @@
+D /var/run/svnserve 0755 svn svn -