SCM Host Setup

Git and Subversion Hosting Installation

Allura can manage and display Git and SVN repositories, but it doesn’t automatically run the git and svn services for you. Here we’ll describe how to set up standard git and svn services to work with Allura, so that you can checkout and commit code with those repositories. The instructions here assume an Ubuntu system, but should be similar on other systems.

Note

For developing with Allura or simple testing of Allura, you do not need to run these services. You can use local filesystem access to git and svn, which works with no additional configuration.

Git

We’ll cover the basics to get you going. For additional options and details, see http://git-scm.com/docs/git-http-backend and http://git-scm.com/book/en/Git-on-the-Server and subsequent chapters.

sudo chmod 775 /srv/*  # make sure apache can read the repo dirs
sudo apt-get install apache2
sudo a2enmod cgi
# allow the apache user to sudo (used by git-http-backend-wrapper.sh see notes in that file)
sudo adduser www-data sudo
sudo echo '%sudo  ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/sudo_group_passwordless

sudo vi /etc/apache2/sites-available/default

And add the following text within the <VirtualHost> block:

SetEnv GIT_PROJECT_ROOT /srv/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend-wrapper.sh/

# no authentication required at all - for testing purposes
SetEnv REMOTE_USER=git-allura
<Location "/git/">
    # new for httpd 2.4
    Require all granted
</Location>

Then exit vim (<esc> :wq) and run:

sudo service apache2 reload

To test that it’s working, run: git ls-remote http://localhost/git/p/test/git/. If there is no output, that is fine (it’s an empty repo).

Warning

This configuration has no authentication and is suitable for development only. See below for auth config.

Now you will want to change the scm.host.*.git and scm.clonechoices.git settings in development.ini, so that the proper commands are shown to your visitors when they browse the code repo web pages. The exact values to use will depend on the hostnames and port numbers you are using.

Read-only git://

If you want to run a separate readonly git service, using the git protocol instead of http, run: git daemon --reuseaddr --export-all --base-path=/srv/git /srv/git It can be accessed at git://localhost/p/test/git

Subversion

These instructions will cover the recommended easiest way to run Subversion with Allura. For an overview of other options, see http://svnbook.red-bean.com/en/1.8/svn.serverconfig.choosing.html and subsequent chapters.

sudo chown allura:allura /srv/svn  # or other user, as needed

cat > /srv/svn/svnserve.conf <<EOF
[general]
realm = My Site SVN
# no authentication required at all - for testing purposes
anon-access = write
EOF

svnserve -d -r /srv/svn --log-file /tmp/svnserve.log --config-file /srv/svn/svnserve.conf

Test by running: svn info svn://localhost/p/test/code/. If you need to kill it, run killall svnserve More info at http://svnbook.red-bean.com/en/1.8/svn.serverconfig.svnserve.html

Warning

This configuration has no authentication and is suitable for development only. (Maybe Allura could gain SASL support someday and use svnserve with SASL)

Now you will want to change the scm.host.*.svn and scm.clonechoices.svn settings in development.ini, so that the proper commands are shown to your visitors when they browse the code repo web pages.

Alternate Setup with HTTP

To use SVN over HTTP, you will need to patch and compile an Apache module, so that all svn repos can be dynamically served.

Warning

Not easy.

sudo apt-get install libapache2-svn

Test accessing http://localhost/.

Now we’ll configure Apache to serve a single project’s repositories and make sure that works.

sudo vi /etc/apache2/mods-available/dav_svn.conf

Uncomment and change to <Location /svn/p/test>. Set SVNParentPath /srv/svn/p/test Then run:

sudo service apache2 reload

Test at http://localhost/svn/p/test/code/

That configuration works only for the repositories in a single project. You must either create a new configuration for each project within Allura, or compile a patch to make SVNParentPath be recursive. The patch is at https://issues.apache.org/jira/browse/SVN-3588 and must be applied to the source of Subversion’s mod_dav_svn and then recompiled and installed. Once that is working, you can modify dav_svn.conf to look like:

<Location /svn>
  DAV svn
  SVNParentPath /srv/svn
  ...

Then Apache SVN will serve repositories for all Allura projects and subprojects.

Warning

This configuration has no authentication and is suitable for development only. See the next section for auth config.

Configuring Auth with Apache

This is the easiest way to integrate authentication and authorization for SCM access with Allura. It uses mod_python and the handler in scripts/ApacheAccessHandler.py to query Allura directly for auth and permissions before allowing access to the SCM. Of course, this only works for SCM access over HTTP(S).

First, you need to ensure that mod_python is installed:

sudo apt-get install libapache2-mod-python

Then, in the VirtualHost section where you send SCM requests to git, SVN, or Hg, add the access handler, e.g.:

sudo vi /etc/apache2/sites-available/default

Remove the <Location> block and SetEnv REMOTE_USER=git-allura from earlier.

<LocationMatch "^/(git|svn|hg)/">
    # new for httpd 2.4
    Require all granted

    AddHandler mod_python .py
    # Change this path if needed:
    PythonAccessHandler /home/myuser/src/allura/scripts/ApacheAccessHandler.py

    AuthType Basic
    AuthName "SCM Access"
    AuthBasicAuthoritative off

    # Change this path if needed:
    PythonOption ALLURA_VIRTUALENV /home/myuser/env-allura
    # This routes back to the allura webapp
    # In a production environment, change the IP address and port number as appropriate.
    # And use https if possible, since the username and password are otherwise
    # sent in the clear to Allura.
    PythonOption ALLURA_AUTH_URL http://127.0.0.1:8080/auth/do_login
    PythonOption ALLURA_PERM_URL http://127.0.0.1:8080/auth/repo_permissions
</LocationMatch>
sudo service apache2 reload

To test that it’s working, run: git ls-remote http://localhost/git/p/test/git/. If there is no output, that is fine (it’s an empty repo). If it errors, look in /var/log/apache2/error.log for the error message. Increase logging with the LogLevel directive if needed for further debugging.

Warning

Currently, for Mercurial, the handler doesn’t correctly distinguish read and write requests and thus requires WRITE permission for every request. See ticket #7288

Note

If two-factor auth is enabled, enter your password + current 6-digit code together, as your password. You will have to enter your password each time, and may run into temporary permission denied when it fails.

Advanced Alternative

An advanced alternative for SCM hosting using SSH, LDAP, and a FUSE driver is available.