Subversion Installation and Configuration\n \n
\n[TOC]
\nHost is svn.example.com. There are basically two ways of serving up
\na subversion repository. One uses svnserve, a lightweight server
\n(default port 3690). The other is leveraging Apache (httpd) via the
\nWebDAV protocol.
The latter is more complex. But it is extremely flexible in terms of
\nadministration and is the basis for this setup guide. I will be setting
\nup a single repository at https://svn.example.com/repository with SSL,
\nLDAP-based authentication, and project-specific access control.
Installation
\nGetting the RPM
\nI’m putting the SVN root in /home/svn as well. This can be anywhere.
\nyum install subversion mod_dav_svn\nThis will install Apache and other dependencies as well.
\nservice httpd start \nchkconfig --level 345 httpd on\nMake sure it’s working, and that iptables is not causing any issues.
\nYou can use nmap for this purpose or just go to
\nhttp://svn.example.com.
Preparing subversion.conf
\nInstalling the packages will create a new apache configuration directive
\nin /etc/httpd/conf.d called subversion.conf. You need to edit this
\nfile to set up the location of the repository.
First uncomment these files if they’ve not been uncommented:
\nLoadModule dav_svn_module modules/mod_dav_svn.so \nLoadModule authz_svn_module modules/mod_authz_svn.so\nDefine the SVN root:
\n<Location /repository> \n DAV svn \n SVNPath /home/svn/repository \n</Location>\nNow you can add simple authentication or use LDAP.
\nConfiguration
\nSimple Authentication
\nThis uses basic htpasswd based authentication. Passwords may be sent
\nin the clear if you don’t enable SSL. You can also use digest-based
\nauthentication which is slightly more secure.
For this scheme, our /etc/httpd/conf.d/subversion.conf file will have
\nthe following directive:
<Location /repository> \n DAV svn \n SVNPath /home/svn/repository \n \n # Simple authentication \n AuthType Basic \n AuthName "SVN Server" \n AuthUserFile /home/svn/basic-authentication \n Require valid-user \n</Location>\nHere, we use /home/svn/authorized-users to authenticate. Create this
\nfile and add a user with:
[root@svn ~]# htpasswd -cm /home/svn/authorized-users testuser \nNew password: \nRe-type new password: \nAdding password for user testuser\nSetting up the repository
\nsvnadmin create /home/svn/repository\nMake absolutely sure that Apache owns this directory and its
\ndescendants!
chown -R apache:apache /home/svn/repository\nTesting the Configuration
\nAt this point, you should have a repo accessible via Apache, with
\npassword sent in clear text (we’ll change that). I went to
\nhttp://svn.example.com and saw the image to the right after entering
\nmy credentials for testuser.
Excellent! Test it now! I tested this config with Eclipse (with the
\nSubclipse plugin.)
Securing with SSL
\nTo secure stuff with SSL, generate or use a certificate and enable
\nApache with mod_ssl. Change subversion.conf so that all traffic on
\nport 80 is redirected to port 443 (which uses the certs we’ve created.)
<VirtualHost *:80> \n ServerName svn.example.com \n RewriteEngine On \n RewriteRule .* https://svn.example.com%{REQUEST_URI} [L,R=301] \n </VirtualHost>\nRestart httpd and you’re good to go!
LDAP integration
\nIn this example, I will be using directory.example.com as the (Open
\nDirectory-based) LDAP provider. Change the basic authentication scheme
\nto match this:
# # If using some CA file \n # LDAPTrustedMode NONE \n # LDAPTrustedGlobalCert CA_DER /etc/pki/tls/certs/root_ca.crt \n # LDAPVerifyServerCert off\n\n # Define the repository location \n <Location /repository> \n DAV svn \n SVNPath /home/svn/repository \n \n # Integrate with LDAP server \n AuthType Basic \n AuthBasicProvider ldap \n AuthName "SVN Server" \n AuthzLDAPAuthoritative off \n AuthLDAPURL "(ldap://directory.example.com/cn=users,dc=directory,dc=example,dc=com?uid?sub)?(objectClass=*)" \n Require valid-user \n AuthzSVNAccessFile /home/svn/repository/conf/authz \n </Location>\nIt is important that you set AuthBasicProvider ldap. If not,
\nApache will look for a password file and not even bother to authenticate
\nagainst your LDAP server. You’ll also see something like this when
\nrestarting the httpd daemon:
Invalid command 'AuthLDAPAuthoritative', perhaps misspelled or defined by a module not included in the server configuration\nI had terrible luck with setting AuthzLDAPAuthoritative to “on”. You
\ncan read the Apache mod_authnz_ldap page for more information on these
\ndirectives. They’re quite flexible when configuring multiple
\nrepositories, with respect to user and group access.
Now that you have a single repository, you can fine tune access with the
\nAuthzSVNAccessFile directive. By default, and when you use
\nsvnadmin create, you get an authz file in your repository’s conf
\nfolder. In the Apache configuration above, it’s the file I’ve used to
\ntweak folder access.
Project Management within a Repository
\nCreating a project
\nThis is very simple. It’s vitally important that your project folder
\ncontains three sub-folders: trunk, branches and tags. All
\nthe code you want to check into the repository must be in trunk.
Step 1: Create the required directory structure
\nmkdir -p /tmp/newproject/{trunk,branches,tags}\nStep 2: Copy/move project files into trunk
\ncp -R /path/to/project/files/* /tmp/newproject/trunk/\nStep 3: Perform the first commit
\ncd /tmp\nsvn import newproject https://svn.example.com/repository/myproject --message "Initial import" --username myuser\nObserve that my project is called newproject on my local machine but
\nis myproject on the SVN server. You may or may not choose to do this,
\nbut the option is available.
You may get a dialog about the certificate used to secure the
\ntransaction. Accept the key permanently. You will then be required to
\nsupply a password.
Step 4: Working with your project
\nMost typical CVS actions should apply (prefixed with an svn of
\ncourse.) For example, to check out the project created above.
svn checkout https://username@svn.example.com/repository/myproject\nThe Google teems with SVN cheatsheets.
\nModifying Access Control
\nImportant: Only root can do this. Talk to your friendly sysadmin for
\nproject-specific access control. By default, your newly created project
\nwill be world accessible (i.e. to all authenticated users.)
Here’s an example where I created a folder for a rather sinister project
\ncalled thiswillendpoorly and have given write access only to user
\nnanand and read access to machrist. The leading slash is
\nimportant!
# Deny world access to repository root (noone needs to get a project listing) \n[/] \n* = \n \n# Allow only Nikhil and Mark to access this terrible project (Mark can only read) \n[/thiswillendpoorly] \nnanand = rw \nmachrist = r \n* =\nIf you had multiple repositories, you would need to:
\n- \n
- Change the Apache directive
SVNPathtoSVNParentPath\n - Specify the repository in the
authzfile \n
Here’s an example:
\n[repository1:/path] \nuser1 = rw \nuser2 = r \n \n[repository2:/path] \n* = rw\nIf you specified a path without specifying the repository, the filter is
\napplied across all repositories! This is explained
\nhere.
Miscellaneous
\nSpecial note about LDAP groups
\nYou cannot do LDAP group-based authentication in SVN with the authz
\nfile. However, I’ve seen a python
\nscript which can import LDAP
\ngroups.
Few pointers on multiple repository configuration
\n- \n
- If you plan on hosting multiple repositories, you need to change
\nSVNPathto “SVNParentPath”. \n - Apache will NOT allow you to access the root defined as
\nSVNParentPath! You need to create repositories using
\nsvnadmin createand can then access them through
\nhttp://svn.example.com/{path in SVNParentPath}/{name of repository}.
\nThere’s more information in the official handbook about
\nthis. \n
Configuring for use with Self-Signed Certificates
\nAssuming that your Root CA is called root_ca.crt. Create and edit
\n/etc/sysconfig/servers to add the following:
[global] \nssl-authority-files = /etc/pki/tls/certs/root_ca.crt\nThe other option is to use the system-wide keystore at
\n/etc/pki/tls/certs/ca-bundle.crt by appending the ASCII version to the
\nend of this file.
Resources
\n- \n
- mod_authnz_ldap directives - Apache page \n
- Subversion on CentOS (Wiki) \n
- Single or multiple repositories? \n
- Version Control with Subversion \n
- SubVersion with Apache and LDAP integration \n
- Per-directory access control in SVN \n