SCM Host Setup¶
Git and Subversion Hosting Installation¶
Allura can manage and display Git and SVN repositories, but it doesn’t automatically run the git and svn services for you. Here we’ll describe how to set up standard git and svn services to work with Allura, so that you can checkout and commit code with those repositories. The instructions here assume an Ubuntu system, but should be similar on other systems.
Note
For developing with Allura or simple testing of Allura, you do not need to run these services. You can use local filesystem access to git and svn, which works with no additional configuration.
Git¶
We’ll cover the basics to get you going. For additional options and details, see http://git-scm.com/docs/git-http-backend and http://git-scm.com/book/en/Git-on-the-Server and subsequent chapters.
sudo chmod 775 /srv/* # make sure apache can read the repo dirs
sudo apt-get install apache2
sudo a2enmod cgi
# allow the apache user to sudo (used by git-http-backend-wrapper.sh see notes in that file)
sudo adduser www-data sudo
sudo echo '%sudo ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/sudo_group_passwordless
sudo vi /etc/apache2/sites-available/default
And add the following text within the <VirtualHost> block:
SetEnv GIT_PROJECT_ROOT /srv/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend-wrapper.sh/
# no authentication required at all - for testing purposes
SetEnv REMOTE_USER=git-allura
<Location "/git/">
# new for httpd 2.4
Require all granted
</Location>
Then exit vim (<esc> :wq) and run:
sudo service apache2 reload
To test that it’s working, run: git ls-remote http://localhost/git/p/test/git/. If there is no output, that is fine (it’s an empty repo).
Warning
This configuration has no authentication and is suitable for development only. See below for auth config.
Now you will want to change the scm.host.*.git and scm.clonechoices.git
settings in development.ini, so that the proper commands are shown to your visitors
when they browse the code repo web pages. The exact values to use will depend on the
hostnames and port numbers you are using.
Read-only git://¶
If you want to run a separate readonly git service, using the git protocol instead of http,
run: git daemon --reuseaddr --export-all --base-path=/srv/git /srv/git It can
be accessed at git://localhost/p/test/git
Subversion¶
These instructions will cover the recommended easiest way to run Subversion with Allura. For an overview of other options, see http://svnbook.red-bean.com/en/1.8/svn.serverconfig.choosing.html and subsequent chapters.
sudo chown allura:allura /srv/svn # or other user, as needed
cat > /srv/svn/svnserve.conf <<EOF
[general]
realm = My Site SVN
# no authentication required at all - for testing purposes
anon-access = write
EOF
svnserve -d -r /srv/svn --log-file /tmp/svnserve.log --config-file /srv/svn/svnserve.conf
Test by running: svn info svn://localhost/p/test/code/. If you need to kill it, run killall svnserve More info at http://svnbook.red-bean.com/en/1.8/svn.serverconfig.svnserve.html
Warning
This configuration has no authentication and is suitable for development only. (Maybe Allura could gain SASL support someday and use svnserve with SASL)
Now you will want to change the scm.host.*.svn and scm.clonechoices.svn
settings in development.ini, so that the proper commands are shown to your visitors
when they browse the code repo web pages.
Alternate Setup with HTTP¶
To use SVN over HTTP, you will need to patch and compile an Apache module, so that all svn repos can be dynamically served.
Warning
Not easy.
sudo apt-get install libapache2-svn
Test accessing http://localhost/.
Now we’ll configure Apache to serve a single project’s repositories and make sure that works.
sudo vi /etc/apache2/mods-available/dav_svn.conf
Uncomment and change to <Location /svn/p/test>. Set
SVNParentPath /srv/svn/p/test Then run:
sudo service apache2 reload
Test at http://localhost/svn/p/test/code/
That configuration works only for the repositories in a single project. You must either
create a new configuration for each project within Allura, or compile a patch
to make SVNParentPath be recursive. The patch is at https://issues.apache.org/jira/browse/SVN-3588
and must be applied to the source of Subversion’s mod_dav_svn and then
recompiled and installed. Once that is working, you can modify dav_svn.conf to look like:
<Location /svn>
DAV svn
SVNParentPath /srv/svn
...
Then Apache SVN will serve repositories for all Allura projects and subprojects.
Warning
This configuration has no authentication and is suitable for development only. See the next section for auth config.
Configuring Auth with Apache¶
This is the easiest way to integrate authentication and authorization for SCM access with Allura. It uses
mod_python and the handler in scripts/ApacheAccessHandler.py to query Allura directly
for auth and permissions before allowing access to the SCM. Of course, this only works
for SCM access over HTTP(S).
First, you need to ensure that mod_python is installed:
sudo apt-get install libapache2-mod-python
Then, in the VirtualHost section where you send SCM requests to git, SVN, or Hg, add the access handler, e.g.:
sudo vi /etc/apache2/sites-available/default
Remove the <Location> block and SetEnv REMOTE_USER=git-allura from earlier.
<LocationMatch "^/(git|svn|hg)/">
# new for httpd 2.4
Require all granted
AddHandler mod_python .py
# Change this path if needed:
PythonAccessHandler /home/myuser/src/allura/scripts/ApacheAccessHandler.py
AuthType Basic
AuthName "SCM Access"
AuthBasicAuthoritative off
# Change this path if needed:
PythonOption ALLURA_VIRTUALENV /home/myuser/env-allura
# This routes back to the allura webapp
# In a production environment, change the IP address and port number as appropriate.
# And use https if possible, since the username and password are otherwise
# sent in the clear to Allura.
PythonOption ALLURA_AUTH_URL http://127.0.0.1:8080/auth/do_login
PythonOption ALLURA_PERM_URL http://127.0.0.1:8080/auth/repo_permissions
</LocationMatch>
sudo service apache2 reload
To test that it’s working, run: git ls-remote
http://localhost/git/p/test/git/. If there is no output, that is fine (it’s an empty
repo). If it errors, look in /var/log/apache2/error.log for the error
message. Increase logging with the LogLevel directive
if needed for further debugging.
Warning
Currently, for Mercurial, the handler doesn’t correctly distinguish read and write requests and thus requires WRITE permission for every request. See ticket #7288
Note
If two-factor auth is enabled, enter your password + current 6-digit code together, as your password. You will have to enter your password each time, and may run into temporary permission denied when it fails.
Advanced Alternative¶
An advanced alternative for SCM hosting using SSH, LDAP, and a FUSE driver is available.