In Fire We Trust

In the darkest corner light will shine



25 Jan

Trac + SVN The setup

Disclaimer: The techniques described in this document can help you, but they are not bound to. There could be errors, omissions or pure mistakes. Before using the information outlined here please check it. I accept no responsibility whatsoever for real or fictional damage/loss of profit/fallen houses/martians due to use or misuse of the information found here.

History

  • 25.01.2007 - Initial version

Here I will try my best to describe a simple system I’ve set up for my personal projects.

The idea
As I am working on quite a number of projects, it became clear to me that I need some system for project management. And as I was pondering it, I decided it would be useful for it to be a multiproject/multiuser environment. I started searching, trying dotProject, TikiWiki, Mantis and some others. But they just didn’t fit my view. In the end I chose Trac and SVN.

The motivation
I chose Trac + SVN for the following reasons

  • I am used to SVN, mainly the console clients
  • Trac is actively developed
  • I already have Python installed because of other parts in the system
  • Trac has embedded wiki which will be used for documentation and other things
  • There are trouble tickets
  • other small stuff

Overall Trac is a good choice.

The machine
The machine on which the thing will be rolling is

Debian Unstable
600 Mhz CPU
256 MB Ram
20G HDD

It has quite a lot of services on it: mysql, apache, exim, routing/shaping/nat, dns, dhcp, ntp, ftp, shell, samba (being Master Browser) and others.

It is quite underpowered by today's standards, but it is useful and watched over with Luuuv

Needed software
For the system to operate fully we will need

  • Trac
  • subversion
  • libneon
  • Python
  • pysqlite
  • python-subversion-bindings
  • mod_python
  • clearsilver
  • xinetd
  • other small stuff

If you are a Debian fan … it is a tad easier than for others. The procedure is as follows

apt-get install trac libapache2-mod-python xinetd

And lets get the party started

Additionally, in Python we install python-setuptools, tracwebadmin, tracaccountmanager.

File layout
As we will be hosting more than one project, it is good to keep them on a separate partition.
I am using /home/projects which has the following structure

/home/projects/
/home/projects/trac
/home/projects/trac/project1
/home/projects/trac/project2
... ... ...
/home/projects/svn
/home/projects/svn/project1
/home/projects/svn/project2
... ... ...

It is possible for the Trac and SVN instances to live in the projects dir, but that makes the configuration a little bit harder.

The real deal
Create a suitable directory structure:

mkdir -p /home/projects/{trac,svn}

Create your projects (this is done with trac-admin)

trac-admin /home/projects/trac/project1 initenv

You will be asked a couple of questions: Name of project, db backend (sqlite is not a bad choice), repository type, where the repository is located.
One limitation is that the repository should live on the same machine (remote repositories are not supported), but that can be easily worked around with the help of NFS.

Create your repositories (svnadmin)

svnadmin create /home/projects/svn/project1

Change the ownership of the directories to the users under whose privileges the Trac system and the svn server run

chown -R www-data:www-data /home/projects/trac/project1
chown -R svnserv:svnserv /home/projects/svn/project1

We use www-data as this is the user under which Apache operates. The user svnserv has been created beforehand with homedir /home/projects/svn

After we have created the projects we are going to show them in the browser (otherwise they are of not much use).
Trac can work as a standalone daemon (tracd), as CGI process (trac.cgi, trac.fcgi) or in the context of Apache server (which we chose) with the help of mod_python.

In the apache config we add

LoadModule python_module modules/mod_python.so
# or allow it with the tools of the distribution
 
<Location /projects>
    # what will handle the stuff
    SetHandler mod_python
    # exactly with what (trac)
    PythonHandler trac.web.modpython_frontend
    # what exactly we will serve from here
    PythonOption TracEnvParentDir /home/projects/trac
    # how we will generate the project index (optional)
    PythonOption TracEnvIndexTemplate /home/projects/trac/listing.cs
    # debug mode ON: Python tracebacks are sent to the browser,
    # so switch it off once the setup works
    PythonDebug on
</Location>

Now restart the apache server and check. You should see something similar to this:
[Screenshot: trac-1.png]

If not, start digging in the logs.

Now we have to start the svn server. This is accomplished with svnserve. In my case I am starting it through xinetd because it will not be very loaded. For better security it will run as a separate user (svnserv).

The xinetd configuration is as follows

service subversion
{
        # we listen only on IPv4
        flags = IPv4
        # the service is NOT disabled
        disable = no
        # user and group
        user = svnserv
        group = svnserv
        # maximum instances
        instances = 5
        # be nice :)
        nice = 15
        # which exactly is the server binary
        server = /usr/bin/svnserve
        # and his args
        server_args = --inetd --root /home/projects/svn
        # the usual housekeeping
        log_on_success = PID HOST DURATION
        log_on_failure = HOST ATTEMPT
        wait = no
        socket_type = stream
}

Test with svn client if everything is ok

Securing and enhancing the services
After our services are up and running it is time to secure and enhance them. And here is what we are going to do:

For the Trac environments

  • Remove the anonymous access. For this purpose we are going to use trac-admin. It can also be done through the web interface, but you have to know how to do it the manual way.
    # we enter interactive mode
    trac-admin /home/projects/trac/project1
    # privileges are controlled with the command permission
    Trac [/home/projects/trac/project1]> permission help
    permission list [user]
            -- List permission rules
     
    permission add <user> <action> [action] [...]
            -- Add a new permission rule
     
    permission remove <user> <action> [action] [...]
            -- Remove permission rule
    # just to know your way around
    # now the real removal
    Trac [/home/projects/trac/project1]> permission remove anonymous *

    Now the anonymous has no rights.
  • Add a new user with administrative rights. This is done for easier control.
    Trac [/home/projects/trac/project1]> permission add user1 TRAC_ADMIN MILESTONE_DELETE ....
    # all possible privileges 

    This way the newly added user1 is granted total and utter control.
  • Activate the admin panel - this is accomplished by editing the config file conf/trac.ini in the directory of our project. To activate the admin panel we have to activate the needed components by adding
    [components]
    webadmin.* = enabled
  • Enabling a better login process - by design the Trac login process is neither pretty nor comfortable, so it will be replaced by the plugin TracAccountManager. It depends on TracWebAdmin, which is already activated. To be able to use the new login process we first have to disable the builtin Trac login process and activate the new one. This is done again by editing trac.ini
    [components]
    acct_mgr.admin.accountmanageradminpage = enabled
    acct_mgr.api.accountmanager = enabled
    acct_mgr.htfile.abstractpasswordfilestore = enabled
    acct_mgr.htfile.htdigeststore = disabled
    acct_mgr.htfile.htpasswdstore = enabled
    acct_mgr.http.httpauthstore = disabled
    acct_mgr.web_ui.accountmodule = enabled
    acct_mgr.web_ui.loginmodule = enabled
    trac.web.auth.loginmodule = disabled
     
    [account-manager]
    password_file = /home/projects/trac/users
    password_store = HtPasswdStore 

    What every option means is described in the documentation (links at the end)
    Now we need to restart the web server so our changes go live.
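A consistency check for the trac.ini login changes above, added here as an example (it is not part of the original post or of Trac). The function name `check_trac_ini`, the findings text and the sample file are constructed for illustration; wildcard component rules such as `acct_mgr.* = enabled` are not handled.

```python
import configparser, os, stat, tempfile

def check_trac_ini(path):
    """Findings for one trac.ini after the login changes (empty list = OK)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read(path)
    comp = dict(cp.items("components")) if cp.has_section("components") else {}
    on = lambda name, default="": comp.get(name, default).strip().lower() in ("enabled", "on")
    findings = []
    # Trac's own components are active unless switched off explicitly, so a
    # missing line leaves the built-in login handler running next to the plugin.
    if on("trac.web.auth.loginmodule", "enabled"):
        findings.append("built-in trac.web.auth.loginmodule is still active")
    if not on("acct_mgr.web_ui.loginmodule"):
        findings.append("acct_mgr.web_ui.loginmodule is not enabled")
    # Assumption: the store class sits in acct_mgr.htfile, as in the post's config.
    store = cp.get("account-manager", "password_store", fallback="").strip()
    if store and not on("acct_mgr.htfile." + store.lower()):
        findings.append("password_store %s is not an enabled component" % store)
    pw = cp.get("account-manager", "password_file", fallback="").strip()
    if not os.path.isfile(pw):
        findings.append("password_file missing or unset")
    elif stat.S_IMODE(os.stat(pw).st_mode) & 0o007:
        findings.append("password_file is accessible to other local users")
    return findings

PAGE_INI = """[components]
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.web_ui.loginmodule = enabled
trac.web.auth.loginmodule = disabled

[account-manager]
password_file = %s
password_store = HtPasswdStore
"""

def demo():
    """Constructed sample: the post's settings, then the same file minus one line."""
    d = tempfile.mkdtemp()
    users, ini = os.path.join(d, "users"), os.path.join(d, "trac.ini")
    open(users, "w").close()
    results = []
    for text, mode in ((PAGE_INI, 0o640),
                       (PAGE_INI.replace("trac.web.auth.loginmodule = disabled\n", ""), 0o644)):
        os.chmod(users, mode)
        with open(ini, "w") as f:
            f.write(text % users)
        results.append(check_trac_ini(ini))
    return results
```

On the real system, call `check_trac_ini("/home/projects/trac/project1/conf/trac.ini")` for each project.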

For the svn server:

No unauthorized access

This is accomplished by modifying the svn server configuration. We modify it in the following way:

conf/svnserve.conf

### This file controls the configuration of the svnserve daemon
### Visit http://subversion.tigris.org/ for more information.
 
[general]
# no anonymous access
anon-access = none
password-db = passwd
authz-db = authz
realm = Project 1 

conf/authz

### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
 
[groups]
 
# for which path we are talking
[/]
# user rights (read and write)
user1 = rw
# the rights for everybody else (zero)
* =

conf/passwd

### This file is an example password file for svnserve.
 
[users]
user1 = password 
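An audit of the three svnserve files above for every repository under the `--root` directory, added here as an example (it is not part of the original post or of Subversion). The function names, the findings text and the two sample repositories are constructed for illustration.

```python
import configparser, os, stat, tempfile

def _ini(path):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read(path)
    return cp

def audit_repo(repo):
    """Findings for one repository served by svnserve (empty list = OK)."""
    conf = os.path.join(repo, "conf")
    gen = _ini(os.path.join(conf, "svnserve.conf"))
    opt = lambda k: gen.get("general", k, fallback="").strip()
    findings = []
    # svnserve allows anonymous *read* when anon-access is left unset
    if opt("anon-access") != "none":
        findings.append("anon-access is not 'none'")
    if not opt("password-db"):
        findings.append("password-db not set")
    else:
        pw = os.path.join(conf, opt("password-db"))
        # passwords are stored in plaintext: keep the file owner-only
        if os.path.isfile(pw) and stat.S_IMODE(os.stat(pw).st_mode) & 0o077:
            findings.append("passwd readable by group/other")
    if not opt("authz-db"):
        findings.append("authz-db not set")
    else:
        authz = _ini(os.path.join(conf, opt("authz-db")))
        for sect in authz.sections():
            if sect not in ("groups", "aliases") and authz.get(sect, "*", fallback="").strip():
                findings.append("authz [%s] grants rights to '*'" % sect)
    return findings

def audit_root(root):
    """Audit every repository directory under the svnserve --root."""
    return {n: audit_repo(os.path.join(root, n)) for n in sorted(os.listdir(root))
            if os.path.isdir(os.path.join(root, n, "conf"))}

def demo():
    """Constructed sample: project1 as configured in the post, project2 left open."""
    good = "[general]\nanon-access = none\npassword-db = passwd\nauthz-db = authz\n"
    root = tempfile.mkdtemp()
    for name, conf, authz, mode in (("project1", good, "[/]\nuser1 = rw\n* =\n", 0o600),
                                    ("project2", "[general]\npassword-db = passwd\n", "", 0o644)):
        d = os.path.join(root, name, "conf")
        os.makedirs(d)
        for fn, text in (("svnserve.conf", conf), ("authz", authz), ("passwd", "[users]\nuser1 = password\n")):
            with open(os.path.join(d, fn), "w") as f:
                f.write(text)
        os.chmod(os.path.join(d, "passwd"), mode)
    return audit_root(root)
```

On the real system, `audit_root("/home/projects/svn")` covers all hosted projects; conf/passwd should be owned by svnserv so the owner-only mode still lets the server read it.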

Conclusion
After our work is finished we have to restart apache and xinetd once more and start using our system. For details on usage … in the links.

Links
Trac
mod_python
Apache
Subversion
TracWebAdmin
TracAccountManager

2 Responses to “Trac + SVN The setup”

  1. Terabanitoss Says:

    Hello
    You are The Best!!!
    Bye

  2. Stanislav Bozhkov Says:

    Well done, very valuable and well written.
