From 93cc2385c9552bbf5c5a31991505d6afd0ac2e94b59556d74de81b9b2f80d78a Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Mon, 20 May 2013 21:00:10 +0000 Subject: [PATCH] Accepting request 176189 from home:AndreasStieger:branches:devel:tools:scm:svn - add systemd support for svnserve - package now contains user and group svn - adjust and extend README.SuSE to cover a quickstart with both mod_dav_svn and svnserve, mention the user/group requirement for parallel operation and make text more compact by referencing the template config file [bnc#781980] OBS-URL: https://build.opensuse.org/request/show/176189 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm:svn/subversion?expand=0&rev=118 --- subversion.README.SuSE | 327 +++++++++++++++------------------- subversion.changes | 10 ++ subversion.conf | 29 ++- subversion.spec | 43 +++++ subversion.sysconfig.svnserve | 18 +- svnserve.service | 14 ++ svnserve.tmpfiles | 1 + 7 files changed, 242 insertions(+), 200 deletions(-) create mode 100644 svnserve.service create mode 100644 svnserve.tmpfiles diff --git a/subversion.README.SuSE b/subversion.README.SuSE index d229714..771c4ff 100644 --- a/subversion.README.SuSE +++ b/subversion.README.SuSE 
@@ -1,220 +1,175 @@ +Quickstart document for Apache Subversion on openSUSE. + +For the full documentation, install the package subversion-doc and see +/usr/share/doc/packages/subversion/html/book/svn-book.html +An online version can be found at http://svnbook.red-bean.com/ + Topics: -1. backup and restore your repository data -2. create svn user/group for svnserve -3. mini-howto for 2 projects -4. quickstart for mod_dontdothat +1. mini-howto +2. allowing anonymous read access +3. serving several repositories with SVNParentPath +4. serving the repositories at "/" +5. running svnserve +6. quickstart for mod_dontdothat ================================================================================ -1. backup and restore your repository data +1. mini-howto -subversion repositories use either the Berkeley Database system libraries, -or the FSFS database format which comes with the subversion package. -Since the BDB system libraries often introduce a new incompatible format during -version upgrade, a backup/restore of all the subversion repositories must be -performed _BEFORE_ doing such a system upgrade. -'svnadmin dump' will write the repository to stdout in a 'dumpfile' format. -This dumpfile can be loaded later with 'svnadmin load'. +To run a subversion server, you need to configure apache2 to load two modules: +mod_dav and mod_dav_svn. - -2. create svn user/group for svnserve - -subversion repositories can be served either via http, or via the svnserve -daemon and a special network protocol. svnserve should not run as root user. -The startup script rcsvnserve expects a user/group named 'svn', configureable -via /etc/sysconfig/svnserve. - -But this user/group must be created before first use: - - groupadd svn - useradd -d /srv/svn -s /bin/false -g svn svn - - -3. mini-howto for 2 projects - -To run a subversion server, you need to configure apache2 to load two apache2 -modules: mod_dav and mod_dav_svn. 
(mod_dav is needed by mod_dav_svn, it is -installed together with apache2.) - -This is done by adding the dav and dav_svn modules to the apache2 configuration -(a2enmod dav; a2enmod dav_svn), and restarting the server. + zypper in subversion-server + a2enmod dav + a2enmod dav_svn A default/example configuration of the dav_svn module can be found in -/etc/apache2/conf.d/subversion.conf. With more recent apache -packages, this configuration is *not* loaded automatically by -the apache server, since many people configure virtual hosts -and it is unlikely that the repositories shall be available -from any virtual host. To load the configuration for a certain -virtual host, add - Include /etc/apache2/conf.d/subversion.conf -or - Include /path/to/your_subversion_configuration -in the respective virtual host configuration. This *may* be done in the default -virtual host (/etc/apache2/default-server.conf). +/etc/apache2/conf.d/subversion.conf. The current default configuration +automatically includes this file the default server configuration. +Create some directories to contain the repositories and other files: + mkdir -p /srv/svn/repos + mkdir -p /srv/svn/user_access + mkdir -p /srv/svn/html -Minihowto: +Edit /etc/apache2/conf.d/subversion.conf and uncomment the desired sections. +The first section "project related HTML files" is optional and will allow you +to return some static content when /repos is accessed alone. If you do not need +this, discard this section. -The plan: +If instead you wish to show a list of repositories, set "SVNListParentPath on" +later. See for details: +http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html#svn.serverconfig.httpd.extra.browsing.reposlisting -host 2 source projects with subversion -both must have anonymous read access -both must have limited write access for a few users -they are accessed only via HTTP, not (!) 
locally -they will be reachable via: +The section following that will configure a repository to be served out of +the path /srv/svn/repos/myproject1. Note that the location "/repo/myproject1" +and "SVNPath" is specified explicitly, see section 3 for an alternative. - http://hostname/repos/project1 - http://hostname/repos/project2 +To create the repository itself: -Both will have the official version of the source tree and our modified -version for the distribution. Projects in question are: -project1 -project2 - -The realisation: - -find a machine to host the projects. Keep backup (and restore!) in mind -when hunting for hardware. - -install needed packages -(you might check for update packages on -ftp://ftp.suse.com/pub/projects/apache/ ) - -rpm -Uvh \ - apache2 \ - apache2-doc \ - apache2-prefork \ - libapr1 \ - libapr-util1 \ - neon \ - subversion \ - subversion-doc \ - subversion-server - - - -# Update /etc/sysconfig/apache2 by -# adding 'dav dav_svn' to $APACHE_MODULES: -a2enmod dav -a2enmod dav_svn - -create a few directories: -mkdir -p /srv/svn/repos -mkdir -p /srv/svn/user_access -mkdir -p /srv/svn/html - -Add the http repository data to /etc/apache2/conf.d/subversion.conf: -#------------------------------------------------------------------------ -# -# project related HTML files -# - -Alias /repos "/srv/svn/html" - - - Options +Indexes +Multiviews -FollowSymLinks - IndexOptions FancyIndexing \ - ScanHTMLTitles \ - NameWidth=* \ - DescriptionWidth=* \ - SuppressLastModified \ - SuppressSize - - order allow,deny - allow from all - - - -# project repository files for project1 - - DAV svn - SVNPath /srv/svn/repos/project1 - - # Limit write access to certain people - AuthType Basic - AuthName "Authorization for project1 required" - AuthUserFile /srv/svn/user_access/project1_passwdfile - AuthGroupFile /srv/svn/user_access/project1_groupfile - - Require group project1_committers - - - # Limit read access to certain people - - Require group project1_committers - 
Require group project1_readers - - - - -# project repository files for project2 - - DAV svn - SVNPath /srv/svn/repos/project2 - - # Limit write permission to list of valid users. - - # Require SSL connection for password protection. - # SSLRequireSSL - - AuthType Basic - AuthName "Authorization for project2 required" - AuthUserFile /srv/svn/user_access/project2_passwdfile - Require valid-user - - -#------------------------------------------------------------------------ - -create the repositories itself: -cd /srv/svn/repos -svnadmin create project1 -chown -R wwwrun:www project1/{dav,db,locks} -svnadmin create project2 -chown -R wwwrun:www project2/{dav,db,locks} + cd /srv/svn/repos + svnadmin create project1 + chown -R wwwrun:www project1/{db,locks} +If using svnserve is not planned, /srv/svn/repos may be owned by wwrun:www. +Otherwise see instruction in the svnserve section on how to use the user and +group svn. The webserver must be (re)started: -rcapache2 restart -Now create the user access files: -project1 is a restricted project. -read access requires a password -write access is limited to a few users -touch /srv/svn/user_access/project1_passwdfile -chown root:www /srv/svn/user_access/project1_passwdfile -chmod 640 /srv/svn/user_access/project1_passwdfile + rcapache2 restart -htpasswd2 /srv/svn/user_access/project1_passwdfile olaf -htpasswd2 /srv/svn/user_access/project1_passwdfile olh +To create the user access files: -this is the group file for project1: -/srv/svn/user_access/project1_groupfile -content: -project1_committers: olh -project1_readers: olaf olh + touch /srv/svn/user_access/project1_passwdfile + chown root:www /srv/svn/user_access/project1_passwdfile + chmod 640 /srv/svn/user_access/project1_passwdfile -project2 is world readable, but only a few can commit to the sources. 
-touch /srv/svn/user_access/project2_passwdfile -chown root:www /srv/svn/user_access/project2_passwdfile -chmod 640 /srv/svn/user_access/project2_passwdfile -htpasswd2 /srv/svn/user_access/project2_passwdfile olaf + htpasswd2 /srv/svn/user_access/project1_passwdfile user1 + htpasswd2 /srv/svn/user_access/project1_passwdfile user2 -You should be able to connect to the server: -http://host/repos/project2 -http://host/repos/project1 +Create the group file for project1: + /srv/svn/user_access/project1_groupfile -Now import the data, e.g. -svn import /path/to/project2-tree http://host/repos/project2 + project1_committers: user2 + project1_readers: user1 user2 +You can test access by: + svn info http://127.0.0.1/repos/project1 +================================================================================ +2. allowing anonymous read access -4. quickstart for mod_dontdothat +To allow anonymous read access, remove the section and move the +three Auth* statements into the section. + +================================================================================ + +3. serving several repositories with SVNParentPath + +When serving several repositories, instead of specifying each location with +SVNPath in a separate location, you can use SVNParentPath with a single location. +Change the directive form the template to start with the following: + + + DAV svn + SVNParentPath /srv/svn/repos + SVNListParentPath on + +Do not forget to restart the apache service to make the configuration effective. + + service apache2 restart + +================================================================================ + +4. serving the repositories at "/" + +Include the configuration into the relevant vhost configuration. Uncomment the +section in the template files labeled 'Hosting svn at "/"' and adjust as required. +Note that this example uses "SVNParentPath" as given in the previous section. + +================================================================================ + +5. 
running svnserve + +Subversion repositories can be via the svnserve daemon and a special network +protocol. svnserve should not run as root user. The startup scripts expects a +user/group named 'svn', configureable via /etc/sysconfig/svnserve. + +The subversion package now creates a user and group svn. + +If you want to expose the repository via both svnserve and mod_dav_svn +(Apache httpd) in parallel, ensure that the apache user is part of the +svn group. + + usermod -A svn wwwrun + +This requires a restart of the apache2 service to become effective. + +Change the permissions to let the svn group write, and set the setgid flag +on the repositories. + + chown -R svn:svn /srv/svn/repos + chmod -R g+ws /srv/svn/repos + +Then proceed to create reposititories using svnadmin create described above. + +In either case, if using svnserve, ensure that the repositories are owned by +svn:svn. + +The settings files with the options passed to the daemon is is located in: + + /etc/sysconfig/svnserve + +To start, ensure proper ownership of repositories and run: + + service svnserve start + +For further information about multi-method repository access, see +http://svnbook.red-bean.com/en/1.7/svn.serverconfig.multimethod.html + +You can test repository access by: + + svn info svn://127.0.0.1/project1 + +Please note that by default, svnserve is configured to be started with -R, +meaning read-only access only. Remove to allow write access, after you have +configued access via + + /srv/svn/repos/repo1/conf/svnserve.conf + +To configue authentication for svnserve, see +http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth + +================================================================================ + +6. quickstart for mod_dontdothat The apache module mod_dontdothat can be used to prevent users from causing high load on the server, e.g. checking out the root of the tree or the tags or 
@@ -227,7 +182,7 @@ Add configuration for the module, e.g. DAV svn - SVNParentPath /srv/svn/repositories/ + SVNParentPath /srv/svn/repos/ SVNListParentPath on # [...other configuration...] diff --git a/subversion.changes b/subversion.changes index 5bc1c2d..3da3cef 100644 --- a/subversion.changes +++ b/subversion.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon May 20 19:30:52 UTC 2013 - andreas.stieger@gmx.de + +- add systemd support for svnserve +- package now contains user and group svn +- adjust and extend README.SuSE to cover a quickstart with both + mod_dav_svn and svnserve, mention the user/group requirement for + parallel operation and make text more compact by referencing the + template config file [bnc#781980] + ------------------------------------------------------------------- Tue May 14 21:52:35 UTC 2013 - andreas.stieger@gmx.de diff --git a/subversion.conf b/subversion.conf index fa7b4b4..6fd8ca9 100644 --- a/subversion.conf +++ b/subversion.conf @@ -1,5 +1,7 @@ # Example configuration for a subversion repository -# see /usr/share/doc/packages/subversion for the full documentation +# Install the package subversion-doc and see +# /usr/share/doc/packages/subversion for the full documentation +# An online version can be found at http://svnbook.red-bean.com/ # 
@@ -28,17 +30,26 @@ # # DAV svn # SVNPath /srv/svn/repos/myproject1 - +# +# AuthType Basic +# AuthName "Authorization Realm" +# AuthUserFile /srv/svn/user_access/myproject1_passwdfile +# +# # Limit read access to certain people +# +# # uncomment to require SSL connection for password protection. +# # SSLRequireSSL +# Require group project1_committers +# Require group project1_readers +# +# # # Limit write permission to list of valid users. # -# # Require SSL connection for password protection. +# # uncomment to require SSL connection for password protection. # # SSLRequireSSL -# -# AuthType Basic -# AuthName "Authorization Realm" -# AuthUserFile /srv/svn/user_access/myproject1_passwdfile -# Require valid-user +# Require project1_committers # +# # ## @@ -73,7 +84,7 @@ # # # # DAV svn -# SVNParentPath /srv/svn/repositories/ +# SVNParentPath /srv/svn/repos/ # SVNListParentPath on # AuthType Basic # AuthName "subversion repository" diff --git a/subversion.spec b/subversion.spec index 1976a6a..fb249f0 100644 --- a/subversion.spec +++ b/subversion.spec @@ -45,6 +45,9 @@ %define with_bashcomp 1 %endif +%define svngroup svn +%define svnuser svn + Name: subversion Version: 1.7.9 Release: 0 @@ -63,6 +66,14 @@ BuildRequires: python-devel BuildRequires: python-xml BuildRequires: update-alternatives BuildRequires: zlib-devel +Requires(pre): pwdutils +# +%if 0%{?suse_version} > 1140 +BuildRequires: pkgconfig(systemd) +%{?systemd_requires} +%define has_systemd 1 +%endif +# %if %with_bashcomp BuildRequires: bash-completion %endif #with_bashcomp @@ -138,6 +149,8 @@ Source9: subversion.rcsvnserve Source10: subversion.sysconfig.svnserve Source12: subversion.sysconfig.svnserve.remoteaccess Source13: subversion.xinetd.svnserve +Source14: svnserve.service +Source15: svnserve.tmpfiles Source42: subversion.svngrep.sh Source43: subversion.svndiff.sh # https://people.apache.org/keys/group/subversion.asc 
@@ -582,6 +595,13 @@ install -m 755 -D %{S:9} $RPM_BUILD_ROOT/etc/init.d/svnserve ln -sv /etc/init.d/svnserve $RPM_BUILD_ROOT/usr/sbin/rcsvnserve install -m 644 -D %{S:10} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.svnserve install -m 644 -D %{S:12} $RPM_BUILD_ROOT/%{_fwdefdir}/svnserve +%{__install} -d -m 0755 %{buildroot}/srv/svn +%if 0%{?has_systemd} +install -m 644 -D %{S:14} $RPM_BUILD_ROOT/%{_unitdir}/svnserve.service +%{__install} -d -m 0755 %{buildroot}/var/run/svnserve/ +%{__install} -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ +%{__install} -m 0644 %{SOURCE15} %{buildroot}/usr/lib/tmpfiles.d/svnserve.conf +%endif #useless libtool stuff rm -f %{buildroot}%{_libdir}/*.la if [ "$with_jdk" != "" ] ; then @@ -743,16 +763,33 @@ kill -9 `cat "$HTTPD_PIDFILE" 2>/dev/null` %clean %__rm -rf "%{buildroot}" +%pre +getent group %{svngroup} >/dev/null || groupadd -r %{svngroup} +getent passwd %{svnuser} >/dev/null || useradd -r -g %{svngroup} -d /srv/svn -s /sbin/nologin -c "user for Apache Subversion svnserve" %{svnuser} +%if 0%{?has_systemd} +%service_add_pre svnserve.service +%endif + %preun %stop_on_removal svnserve +%if 0%{?has_systemd} +%service_del_preun svnserve.service +%endif %post %{fillup_and_insserv -n svnserve svnserve} +%if 0%{?has_systemd} +%service_add_post svnserve.service +systemd-tmpfiles --create /usr/lib/tmpfiles.d/svnserve.conf +%endif /sbin/ldconfig %postun %restart_on_update svnserve %{insserv_cleanup} +%if 0%{?has_systemd} +%service_del_postun svnserve.service +%endif /sbin/ldconfig %post -n subversion-python -p /sbin/ldconfig 
@@ -790,7 +827,13 @@ kill -9 `cat "$HTTPD_PIDFILE" 2>/dev/null` %attr(754,root,root) /etc/init.d/svnserve %attr(754,root,root) /usr/sbin/rcsvnserve /var/adm/fillup-templates/sysconfig.svnserve +%dir %attr(755,%{svnuser},%{svngroup}) /srv/svn %config %{_fwdefdir}/* +%if 0%{?has_systemd} +%{_unitdir}/svnserve.service +%ghost %dir %attr(755,%{svnuser},%{svngroup}) /var/run/svnserve +/usr/lib/tmpfiles.d/svnserve.conf +%endif # %attr(755,root,root) /usr/bin/svn %attr(755,root,root) /usr/bin/svnadmin diff --git a/subversion.sysconfig.svnserve b/subversion.sysconfig.svnserve index 62b5f43..73a7597 100644 --- a/subversion.sysconfig.svnserve +++ b/subversion.sysconfig.svnserve @@ -8,7 +8,7 @@ # The -R option enforces read-only access, i.e. write operations to the # repository (such as commits) will not be allowed. # Authentication should be configured before allowing write access. -# See http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth +# See http://svnbook.red-bean.com/en/1.7/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth # SVNSERVE_OPTIONS="-d -R -r /srv/svn/repos" @@ -16,8 +16,12 @@ SVNSERVE_OPTIONS="-d -R -r /srv/svn/repos" ## Default "svn" # # svnserve should run as unprivileged user. -# The userid/groupid svn is not created during package install. -# Run 'groupadd svn; useradd -d /srv/svn -s /bin/false -g svn svn' to create the userid/groupid. +# If you want to expose the repository via both svnserve and mod_dav_svn +# (Apache httpd) in parallel, ensure that the apache user is part of the +# svn group and the setgid flag is set on the repositories +# usermod -A svn wwwrun +# chmod -R g+s /srv/svn/repos +# See http://svnbook.red-bean.com/en/1.7/svn.serverconfig.multimethod.html # SVNSERVE_USERID="svn" 
@@ -25,7 +29,11 @@ SVNSERVE_USERID="svn" ## Default "svn" # # svnserve should run as unprivileged user. -# The userid/groupid svn is not created during package install. -# Run 'groupadd svn; useradd -d /srv/svn -s /bin/false -g svn svn' to create the userid/groupid. +# If you want to expose the repository via both svnserve and mod_dav_svn +# (Apache httpd) in parallel, ensure that the apache user is part of the +# svn group and the setgid flag is set on the repositories +# usermod -A svn wwwrun +# chmod -R g+s /srv/svn/repos +# See http://svnbook.red-bean.com/en/1.7/svn.serverconfig.multimethod.html # SVNSERVE_GROUPID="svn" diff --git a/svnserve.service b/svnserve.service new file mode 100644 index 0000000..3c91fca --- /dev/null +++ b/svnserve.service @@ -0,0 +1,14 @@ +[Unit] +Description=Subversion protocol daemon +After=syslog.target network.target + +[Service] +Type=forking +EnvironmentFile=/etc/sysconfig/svnserve +User=svn +Group=svn +PIDFile=/var/run/svnserve/svnserve.pid +ExecStart=/usr/bin/svnserve --daemon --pid-file=/var/run/svnserve/svnserve.pid $SVNSERVE_OPTIONS + +[Install] +WantedBy=multi-user.target diff --git a/svnserve.tmpfiles b/svnserve.tmpfiles new file mode 100644 index 0000000..daec23a --- /dev/null +++ b/svnserve.tmpfiles @@ -0,0 +1 @@ +D /var/run/svnserve 0755 svn svn -
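Review bot: In the subversion.README.SuSE hunk (@@ -1,220 +1,175 @@) the repository name is not consistent between the steps: the text refers to the template path /srv/svn/repos/myproject1 and the location "/repo/myproject1", the commands run "svnadmin create project1", and section 5 points at /srv/svn/repos/repo1/conf/svnserve.conf. Someone following the steps verbatim ends up with a repository that the uncommented SVNPath does not serve. Use one name throughout, and /repos rather than /repo. The same hunk has "wwrun:www" where the chown just above it uses wwwrun:www, and the typos "reposititories", "configued", "configue", "is is located", "form the template" and "can be via the svnserve daemon" (missing "served").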
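Review bot: In the subversion.conf template hunk (@@ -28,17 +30,26 @@) the write-access block ends with "Require project1_committers", without the "group" keyword that the read-access block above it uses ("Require group project1_committers"). The added Auth* lines set only AuthType, AuthName and AuthUserFile; no AuthGroupFile is added, although the README in this patch has the admin create /srv/svn/user_access/project1_groupfile, and the template names the password file myproject1_passwdfile while the README creates project1_passwdfile. Suggest "Require group project1_committers" in the write block, an AuthGroupFile line next to AuthUserFile, and matching file names in template and README.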
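Review bot: In subversion.spec, the %files line "%dir %attr(755,%{svnuser},%{svngroup}) /srv/svn" (hunk @@ -790,7 +827,13 @@) makes the svnserve service account the owner of /srv/svn, which the README in this patch also uses as the parent of user_access/ with the Apache password and group files. An owner with write permission on the parent directory can rename or replace user_access/ even though the files inside are root:www and mode 640. Consider keeping /srv/svn owned by root and giving svn:svn ownership only to /srv/svn/repos, or placing the access files outside the svn user's home directory.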
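Review bot: The comment added to subversion.sysconfig.svnserve (in both the SVNSERVE_USERID and SVNSERVE_GROUPID hunks) gives "chmod -R g+s /srv/svn/repos", while the README in this patch gives "chmod -R g+ws /srv/svn/repos"; g+s on its own does not grant the group write permission that parallel access through wwwrun needs. With -R the s bit is also set on regular files, where it is not needed, since group inheritance for new entries comes from the setgid bit on directories. Suggest the same instructions in both places, with the setgid bit limited to directories, for example "chmod -R g+w /srv/svn/repos" followed by "find /srv/svn/repos -type d -exec chmod g+s {} +".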
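Review bot: svnserve.service hardcodes "User=svn" and "Group=svn", so SVNSERVE_USERID and SVNSERVE_GROUPID from /etc/sysconfig/svnserve are loaded through EnvironmentFile but never used by the unit, while the sysconfig comments and the README still describe the user and group as configurable there. Either document that these two variables apply to the init script only, or describe how to override User= and Group= for the unit. ExecStart also passes --daemon while the default SVNSERVE_OPTIONS already contains -d; dropping one of them keeps the daemon flag in a single place.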