Setting up Subversion on Ubuntu Lucid

Russell Bateman
September 2010

Table of Contents

Introduction
Linux installation
Apache httpd installation
Setting Up Subversion
The initial command-line work
Checking out our first project
Adding and committing an existing project
Web access
WebDAV
Sorting out errors
Users and passwords
Trying it out from a browser
OpenSSL and signed certificates
Installing the SSL certificate
Abandoning this vein...
Requiring user-authentication
Wrap-up
Appendix: TortoiseSVN illustrations
Appendix: Useful links
Appendix: Project structure and set-up
Steps to create
Appendix: Setting up an SSL cert

Introduction

Here's a log of me setting up Subversion on my new Linux box. I had done this years ago under openSuSE 10.2, but am just now getting around to needing to do it again.

This is still an emerging document; I have to figure out how to enable the OpenSSL certificate stuff in Apache yet. I've still got a bit of a security hole there.

Linux installation

Install Linux. I'm sorry, I don't show the steps to installing Lucid here. I assume you've already done that.

Apache installation

You don't need Apache installed if you're only going to consume what's in your repository from your own computer host. But if you want to make the repository available to your friends and colleagues via HTTP and, especially, via their browsers, you do need it, and that is what I set up here.

Otherwise, I would suggest setting up Apache (or even full blown LAMP) and I do have a step-by-step for that on Ubuntu Lucid Lynx, Setting up LAMP.

Setting Up Subversion

I'm using this superb Ubuntu documentation as my step-by-step. I've rarely seen such good documentation as this. Note that I'm leaving my screw-ups in here for what documentary value they may be: you might make the same ones (or not: I'm the moron par excellence here).

However, this document is wrong (from a certain point of view) when it gets to the WebDAV section. Please see Requiring user-authentication later on this page.

The initial command-line work

I did the software installation described in the documentation. I pick back up here with the command-line stuff for you to follow.

Here's illustrating the command-line work. I frequently do a directory listing for the help it is to know what, if anything, has happened in the current working directory.

russ@tuonela:~> sudo mkdir /home/svn
russ@tuonela:~> pu /home/svn
/home/svn ~
russ@tuonela:/home/svn> sudo mkdir myproject
russ@tuonela:/home/svn> ll
total 0
drwxr-xr-x 2 root root 48 2010-10-08 12:09 myproject
russ@tuonela:/home/svn> sudo svnadmin create /home/svn/myproject
russ@tuonela:/home/svn> ll
total 0
drwxr-xr-x 6 root root 200 2010-10-08 12:34 myproject
russ@tuonela:/home/svn> tree myproject/
myproject/
|-- conf
|   |-- authz
|   |-- passwd
|   `-- svnserve.conf
|-- db
|   |-- current
|   |-- format
|   |-- fsfs.conf
|   |-- fs-type
|   |-- min-unpacked-rev
|   |-- rep-cache.db
|   |-- revprops
|   |   `-- 0
|   |       `-- 0
|   |-- revs
|   |   `-- 0
|   |       `-- 0
|   |-- transactions
|   |-- txn-current
|   |-- txn-current-lock
|   |-- txn-protorevs
|   |-- uuid
|   `-- write-lock
|-- format
|-- hooks
|   |-- post-commit.tmpl
|   |-- post-lock.tmpl
|   |-- post-revprop-change.tmpl
|   |-- post-unlock.tmpl
|   |-- pre-commit.tmpl
|   |-- pre-lock.tmpl
|   |-- pre-revprop-change.tmpl
|   |-- pre-unlock.tmpl
|   `-- start-commit.tmpl
|-- locks
|   |-- db.lock
|   `-- db-logs.lock
`-- README.txt

10 directories, 28 files
russ@tuonela:/home/svn> ll
total 0
drwxr-xr-x 6 root root 200 2010-10-08 12:34 myproject
russ@tuonela:/home/svn> sudo chown -R www-data:subversion myproject
russ@tuonela:/home/svn> sudo chmod -R g+rws myproject
russ@tuonela:/home/svn> ll
total 0
drwxrwsr-x 6 www-data subversion 200 2010-10-08 12:34 myproject

Here it is condensed; you replace myproject with the name of your own project.

sudo mkdir myproject
sudo svnadmin create /home/svn/myproject
sudo chown -R www-data:subversion myproject
sudo chmod -R g+rws myproject

Checking out our first project

After creating /home/russ/dev/projects as a place to put all my checked-out projects, I go there and check out myproject.

russ@tuonela:~/dev/projects> svn co file:///home/svn/myproject
Checked out revision 0.
russ@tuonela:~/dev/projects> tree myproject/
myproject/

0 directories, 0 files

Or, a different way:

russ@tuonela:~/dev/projects> svn co file://localhost/home/svn/myproject
Checked out revision 0.

I wanted two users to have access to the repository. My colleague's username is aneill. I added aneill as a user and added him to the subversion group on Ubuntu using System > Administration > Users and Groups. I also tried checking out the project under his user just to make certain that works. (More on users and passwords in a moment.)

Adding and committing an existing project

Here's how to take an existing project and set it up in Subversion. First, as noted above, you must create the empty project. Next, follow these steps, which are illustrated afterward and assume all the files to be committed are already in the project subdirectory.

  1. Check out the new, empty project somewhere. It can just be where the root of the project already exists since it's empty and your files will not be overwritten.
  2. Make the root of the project your current working directory.
  3. Add everything you wish to be part of the project (under source-code control) to the project.
  4. Commit the contents of the project.

russ@tuonela:~/dev/projects> svn co file:///home/svn/myproject
Checked out revision 0.
russ@tuonela:~/dev/projects> cd myproject
russ@tuonela:~/dev/projects/myproject> svn add *
A         basic-prefs.epf
A         README.txt
russ@tuonela:~/dev/projects/myproject> svn add .*
A         .project
russ@tuonela:~/dev/projects/myproject> svn commit
Adding         .project
Adding         README.txt
Adding         basic-prefs.epf
Transmitting file data ...
Committed revision 1.

Web access

Now on to making our repository available via HTTP. I like to consume it both from Linux and from Windows. I have several of each both at home and at work. I use Tortoise SVN on Windows and plain, old command-line svn on Linux, and/or Eclipse's Subclipse connector.

WebDAV

Next, in support of WebDAV, I added this to the end of /etc/apache2/mods-available/dav_svn.conf. I decided against supporting Subversion from multiple domains, so I'm not going the vhosts route as evoked in the lengthy comments in this file. (I may yet regret that decision and follow that path anyway.)

<Location /svn/myproject>
  DAV svn
  SNVPath /home/svn/myproject
  AuthType Basic
  AuthName "myproject subversion repository"
  AuthUserFile /etc/subversion/passwd
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>

Note: I had already installed libapache2-svn at the beginning of this exercise—see my article on setting up LAMP.

Pursuant to the next note in the doc—indeed, I do wish to be able to browse all projects in the repository—I corrected the dav_svn.conf file:

<Location /svn>
  DAV svn
  SNVPath /home/svn
  SNVParentPath On
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/subversion/passwd
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>

At this point, I realized that I had installed Apache (and PHP and MySQL) on Ubuntu Lucid a couple of months ago, but had not done this yet on my brand-new build (new hardware and Lucid). I went to take care of it at this point.

Sorting out some errors

After setting up Apache (and PHP and MySQL), I tried to start the web server and got this error:

root@tuonela:/etc/apache2/mods-available> /etc/init.d/apache2 start
Starting web server apache2
Syntax error on line 57 of /etc/apache2/mods-enabled/dav_svn.conf:
Invalid command 'SNVPath', perhaps misspelled or defined by a module not included in the server configuration
[fail]

Notice that I misspelled SVNPath. I fixed this in dav_svn.conf. I had also misspelled SVNParentPath. Then I got this error:

root@tuonela:/etc/apache2/mods-available> /etc/init.d/apache2 start
Starting web server apache2
Syntax error on line 58 of /etc/apache2/mods-enabled/dav_svn.conf:
SVNParentPath cannot be defined at same time as SVNPath.
[fail]

Reading out there... I found that you can't specify both. You must use the "parent" one if you wish to share more than one repository. This wasn't so much my problem as sheer idiocy: I didn't get the second edit of the file correct. I had to change to use these two lines:

SVNParentPath /home/svn
SVNListParentPath On

Then, on to the next "failure":

root@tuonela:/etc/apache2/mods-available> /etc/init.d/apache2 start
Starting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[ OK ]

Actually, Apache started up, but I had to add

ServerName localhost

to the /etc/apache2/httpd.conf file, which ships zero-length now (unlike the early days of my Apache apprenticeship). I bounced Apache and got the "it works" response (out of /var/www/index.html). I want to leave things like that (instead of switching to the /home/username/public_html solution) for now since I'm not trying to use my Linux development host to serve up formal domain content.

Users and passwords

Next, I added passwords for both aneill and me.

root@tuonela:/etc/apache2/mods-available> cd /etc/subversion/
root@tuonela:/etc/subversion> ll
total 16
-rw-r--r-- 1 root root 6813 2009-12-11 23:03 config
-rw-r--r-- 1 root root 7674 2009-12-11 23:03 servers
root@tuonela:/etc/subversion> htpasswd -c /etc/subversion/passwd russ
New password:
Re-type new password:
Adding password for user russ
root@tuonela:/etc/subversion> htpasswd -c /etc/subversion/passwd aneill
New password:
Re-type new password:
Adding password for user aneill
root@tuonela:/etc/subversion> ll
total 20
-rw-r--r-- 1 root root 6813 2009-12-11 23:03 config
-rw-r--r-- 1 root root 21 2010-10-08 14:06 passwd
-rw-r--r-- 1 root root 7674 2009-12-11 23:03 servers
root@tuonela:/etc/subversion> cat passwd
aneill:KsXddINDzjHhU

I was uncertain as to why my user doesn't show up in this file, then I realized that I'd left the -c (create) option and simply wiped myself out when I added aneill's password:

root@tuonela:/etc/subversion> htpasswd -c /etc/subversion/passwd russ
New password:
Re-type new password:
Adding password for user russ
root@tuonela:/etc/subversion> htpasswd /etc/subversion/passwd aneill
New password:
Re-type new password:
Adding password for user aneill
root@tuonela:/etc/subversion> cat passwd
russ:gbsy49Koad.jU
aneill:UFyuCMYWgchJA
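
Both entries in the listing above are 13-character crypt(3) DES hashes, a scheme that only uses the first eight characters of the password. As an added example (not part of the original page), this script classifies every entry of an htpasswd-style file by hash scheme and flags the weak ones; the carol entry is constructed and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): classify the hash scheme of each
# entry in an Apache htpasswd file so weak entries can be re-issued.

# classify_hash HASH -> prints the scheme that produced this entry.
classify_hash() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo "bcrypt" ;;
        '$apr1$'*)               echo "apr1-md5" ;;
        '{SHA}'*)                echo "sha1-unsalted" ;;
        '$'*)                    echo "other-crypt" ;;
        *)  # traditional crypt(3) DES output is exactly 13 characters
            if [ "${#1}" -eq 13 ]; then
                echo "des-crypt"
            else
                echo "plaintext-or-unknown"
            fi ;;
    esac
}

# verdict_for SCHEME -> WEAK, dated or ok.
verdict_for() {
    case "$1" in
        des-crypt|sha1-unsalted|plaintext-or-unknown) echo "WEAK" ;;
        apr1-md5)                                     echo "dated" ;;
        *)                                            echo "ok" ;;
    esac
}

# audit_htpasswd FILE -> one "user scheme verdict" line per entry.
audit_htpasswd() {
    # The "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(classify_hash "$hash")
        printf '%s %s %s\n' "$user" "$scheme" "$(verdict_for "$scheme")"
    done < "$1"
}

# count_weak FILE -> number of entries whose verdict is WEAK.
count_weak() {
    audit_htpasswd "$1" | awk '$3 == "WEAK" { n++ } END { print n + 0 }'
}

demo() {
    tmp=$(mktemp) || return 1
    # The first two lines are the entries shown above; carol is constructed.
    cat > "$tmp" <<'EOF'
russ:gbsy49Koad.jU
aneill:UFyuCMYWgchJA
carol:$2y$05$CONSTRUCTEDxCONSTRUCTEDxCONSTRUCTEDxCONSTRUCTEDxCONSTR
EOF
    audit_htpasswd "$tmp"
    echo "weak entries: $(count_weak "$tmp")"
    rm -f "$tmp"
}
demo
```

Entries reported as WEAK are best re-issued; on current Apache releases, htpasswd -B writes bcrypt hashes.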

Trying it out from a browser

Then, I tried it out using HTTP from the command line first:

aneill@tuonela:~/projects$ svn co http://localhost/svn/myproject myproject --username aneill
Checked out revision 0.
aneill@tuonela:~/projects$ ll
total 0
drwxr-xr-x 3 aneill aneill 80 2010-10-08 14:11 ./
drwxr-xr-x 4 aneill aneill 248 2010-10-08 14:04 ../
drwxr-xr-x 3 aneill aneill 72 2010-10-08 14:11 myproject/

Spiffily, I went to a browser and typed http://localhost/svn/ and it worked. Then, I went to my Windows host and typed http://192.168.1.7/svn/ and that worked too. Clicking on myproject, that also worked:

     

I wasn't asked for passwords. I don't know why this was.

I need to set this up with SSL encryption to make use of WebDAV in order...

  1. to require authentication (why doesn't it already require that?).
  2. for clear-text passwords not to be transmitted over the wire.

OpenSSL and signed certificates

Here, I'm working from a different article now, How to create a self-signed SSL certificate.... (What comes out here isn't real because I've changed some answers that were real that I don't want to reveal to the reader; some of what I show, like "fiddlesticks", would not be a good example of what to use.)

root@tuonela:/etc/subversion> openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
......................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:fiddlesticks
Verifying - Enter pass phrase for server.key:fiddlesticks
root@tuonela:/etc/subversion> ll
total 24
-rw-r--r-- 1 root root 6813 2009-12-11 23:03 config
-rw-r--r-- 1 root root 40 2010-10-08 14:09 passwd
-rw-r--r-- 1 root root 963 2010-10-08 14:26 server.key
-rw-r--r-- 1 root root 7674 2009-12-11 23:03 servers
root@tuonela:/etc/subversion> cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,937B44C9A000814D

[base64 key body omitted]
-----END RSA PRIVATE KEY-----
root@tuonela:/etc/subversion> openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:fiddlesticks
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Utah
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Etretat Logiciels, LLC
Organizational Unit Name (eg, section) []:Subversion Usage
Common Name (eg, YOUR name) []:fiddlesticks.us
Email Address []:russ at fiddlesticks dot us

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:paulmccartney
An optional company name []:Etretat Logiciels, LLC
root@tuonela:/etc/subversion> ll
total 28
-rw-r--r-- 1 root root 6813 2009-12-11 23:03 config
-rw-r--r-- 1 root root 40 2010-10-08 14:09 passwd
-rw-r--r-- 1 root root 846 2010-10-08 14:31 server.csr
-rw-r--r-- 1 root root 963 2010-10-08 14:26 server.key
-rw-r--r-- 1 root root 7674 2009-12-11 23:03 servers
root@tuonela:/etc/subversion> cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
[base64 request body omitted]
-----END CERTIFICATE REQUEST-----
root@tuonela:/etc/subversion> cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,937B44C9A000814D

[base64 key body omitted]
-----END RSA PRIVATE KEY-----
root@tuonela:/etc/subversion> cp server.key server.key.tmp
root@tuonela:/etc/subversion> openssl rsa -in server.key.tmp -out server.key
Enter pass phrase for server.key.tmp:fiddlestucks
unable to load Private Key
6425:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
6425:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:

(This happened because I mistyped the passphrase, "fiddlesticks".)

root@tuonela:/etc/subversion> openssl rsa -in server.key.tmp -out server.key
Enter pass phrase for server.key.tmp:fiddlesticks
writing RSA key
root@tuonela:/etc/subversion> ll
total 32
-rw-r--r-- 1 root root 6813 2009-12-11 23:03 config
-rw-r--r-- 1 root root 40 2010-10-08 14:09 passwd
-rw-r--r-- 1 root root 846 2010-10-08 14:31 server.csr
-rw-r--r-- 1 root root 891 2010-10-08 14:43 server.key
-rw-r--r-- 1 root root 963 2010-10-08 14:33 server.key.tmp
-rw-r--r-- 1 root root 7674 2009-12-11 23:03 servers

And now to generate the self-signed certificate:

root@tuonela:/etc/subversion> openssl x509 -req -days 999 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=Utah/L=Provo/O=Etretat Logiciels, LLC/OU=Subversion Usage/CN=fiddlesticks.us/emailAddress=russ at fiddlesticks dot us
Getting Private key
root@tuonela:/etc/subversion> ll
total 36
-rw-r--r-- 1 root root 6813 2009-12-11 23:03 config
-rw-r--r-- 1 root root 40 2010-10-08 14:09 passwd
-rw-r--r-- 1 root root 1058 2010-10-08 14:53 server.crt
-rw-r--r-- 1 root root 846 2010-10-08 14:31 server.csr
-rw-r--r-- 1 root root 891 2010-10-08 14:43 server.key
-rw-r--r-- 1 root root 963 2010-10-08 14:33 server.key.tmp
-rw-r--r-- 1 root root 7674 2009-12-11 23:03 servers

Installing isn't covered since the article we're following is far too old. We'll have to look elsewhere.

Installing the SSL certificate

Looking around, it appears to me that the keys may be put anywhere and merely referenced from httpd.conf or wherever we decide to reference them from. So, I've put them at /etc/apache2/conf.d/ssl-keys.

root@tuonela:/etc/apache2/conf.d> ll ssl-keys/
total 16
-rw-r--r-- 1 root root 1058 2010-10-08 14:53 server.crt
-rw-r--r-- 1 root root 846 2010-10-08 14:31 server.csr
-rw-r--r-- 1 root root 891 2010-10-08 14:43 server.key
-rw-r--r-- 1 root root 963 2010-10-08 14:33 server.key.tmp

The only doc I've seen has me modify, not httpd.conf, but virtual hosts files. I'm not doing virtual hosts yet, so I'll have to look around for an alternative, or go enable virtual hosting. We're supposed to add this to the configuration file:

SSLEngine on
SSLCertificateFile /etc/apache2/conf.d/ssl-keys/server.crt
SSLCertificateKeyFile /etc/apache2/conf.d/ssl-keys/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

And then restart Apache, which I'm sure will fail to restart unless we've got our ducks waddling in a row. Remember, we excised the passphrase from the key in order not to have to be present when Apache is bounced. Remember also that this isn't a real, signed certificate. It will give a warning that it's of unknown origin when asking the user to accept it in his browser.
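
The listings above show server.key with mode -rw-r--r-- after its passphrase was removed, and the key was generated at 1024 bits. As an added example (not part of the original page), this script reports those three properties for a PEM key file; the function names and the constructed sample files are assumptions, and the size check is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the original page): report whether a PEM private
# key is passphrase-protected, who can read it, and how long its RSA modulus is.

# pem_encrypted FILE -> status 0 if the PEM is passphrase-protected
# (traditional "Proc-Type" header, as in the listing above, or PKCS#8).
pem_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# world_readable FILE -> status 0 if "other" has the read bit
# (8th character of the ls mode string).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# rsa_bits FILE -> prints the modulus size; prints nothing when openssl is
# missing or cannot parse the file. Meant for unencrypted keys only.
rsa_bits() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl rsa -in "$1" -noout -text -passin pass: 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | sed -n 1p
}

# key_findings FILE -> one finding per line.
key_findings() {
    if pem_encrypted "$1"; then
        echo "encrypted=yes"
    else
        echo "encrypted=no"
        bits=$(rsa_bits "$1")
        if [ -n "$bits" ]; then
            # 2048 bits is the common minimum for RSA today.
            if [ "$bits" -lt 2048 ]; then
                echo "rsa-bits=$bits (below 2048)"
            else
                echo "rsa-bits=$bits"
            fi
        fi
    fi
    if world_readable "$1"; then
        echo "world-readable=yes"
    else
        echo "world-readable=no"
    fi
    if ! pem_encrypted "$1" && world_readable "$1"; then
        echo "RISK: any local account can copy a usable private key"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in: only the PEM headers matter to pem_encrypted.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$dir/server.key.tmp"
    chmod 600 "$dir/server.key.tmp"
    # With openssl present, generate a throwaway passphrase-less 1024-bit key;
    # otherwise fall back to a constructed stand-in.
    if ! { command -v openssl >/dev/null 2>&1 &&
           openssl genrsa -out "$dir/server.key" 1024 2>/dev/null; }; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
            '-----END RSA PRIVATE KEY-----' > "$dir/server.key"
    fi
    chmod 644 "$dir/server.key"   # the mode shown in the listings above
    for f in server.key.tmp server.key; do
        echo "== $f"
        key_findings "$dir/$f"
    done
    rm -rf "$dir"
}
demo
```

A key that Apache must load without a passphrase is normally kept readable by root only (mode 600), and the leftover server.key.tmp and server.csr do not need to sit beside it.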

Abandoning this vein a little...

...I found another article entitled SSL Install Method, which I followed. I've already got SSL installed; I did not have to install anything, but I did the configuration wiggle as noted beginning with the section (near top) "Create a Certificate" under Setup Apache and SLL: Ubuntu 7.10:

root@tuonela:/etc/apache2> mkdir ssl
root@tuonela:/etc/apache2> cd ssl
root@tuonela:/etc/apache2/ssl> make-ssl-cert /usr/share/ssl-cert/ssleay.cnf ./apache.pem
root@tuonela:/etc/apache2/ssl> ll
total 4
lrwxrwxrwx 1 root root 10 2010-10-12 10:04 2a1c8eba -> apache.pem
-rw------- 1 root root 1506 2010-10-12 10:04 apache.pem
root@tuonela:/etc/apache2/ssl> a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@tuonela:/etc/apache2/ssl> /etc/init.d/apache2 force-reload
 * Reloading web server config apache2

Then, I switched directories to modify a special SSL virtual host. I made the changes to /etc/apache2/sites-available/ssl, which was cloned from file default in that subdirectory.

root@tuonela:/etc/apache2> cd /etc/apache2/sites-available
root@tuonela:/etc/apache2/sites-available> cp default ssl
root@tuonela:/etc/apache2/sites-available> a2ensite ssl
Enabling site ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 reload' to activate new configuration!
root@tuonela:/etc/apache2/sites-available> /etc/init.d/apache2 reload
 * Reloading web server config apache2
root@tuonela:/etc/apache2/sites-available> ll
total 12
-rw-r--r-- 1 root root 948 2010-08-18 23:19 default
-rw-r--r-- 1 root root 7467 2010-08-18 23:19 default-ssl
-rw-r--r-- 1 root root 1255 2010-10-12 10:11 ssl

It's here I realize that there was already a default SSL virtual host. This makes me wonder about a few things, specifically, why turning to my Windows 7 host and entering https://tuonela:443/svn in the browser worked. I accepted a certificate, but was it the default "snake oil" one already there or the new one I just created?

(In C:\Windows\System32\drivers\etc\hosts, tuonela is defined as 192.168.1.102. To simulate getting in from the outside, it should be defined as whatever tuonela's IP address is, in my case, my router today is 71.199.5.133.)

Also, http://tuonela/ works. I've got this set up so that it should be http://71.199.5.133:8888 outside my router/firewall.

One last thing...

root@tuonela:/etc/apache2/sites-available> /etc/init.d/apache2 restart
 * Restarting web server apache2
[Tue Oct 12 10:13:02 2010] [warn] NameVirtualHost *:80 has no VirtualHosts

Requiring user-authentication

Later, I got back to work on enforcing user authentication since I don't want to leave my repository open to just anyone.

This is easily accomplished, but you have to know how to do it. Initially, I followed Authentication, Authorization and Access Control, but it didn't clarify all the points for me.

Ultimately, I created the <Directory "/home/svn"> and <Location /svn> elements in the /etc/apache2/sites-available/ssl file. I added these lines to the end:

<Directory "/home/svn">
  AuthType Basic
  AuthName "Restricted Files"
  AuthUserFile /etc/subversion/passwd
  # anyone in AuthUserFile
  Require valid-user
  #Allow from ...
</Directory>

<Location /svn>
  DAV svn
  SVNParentPath /home/svn
  SVNListParentPath On
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/subversion/passwd
  # Outside <LimitExcept>, so this applies to every method, reads included
  Require valid-user
  <LimitExcept GET PROPFIND OPTIONS REPORT>
  </LimitExcept>
</Location>

You'll recognize the second element as coming from /etc/apache2/mods-available/dav_svn.conf where I was erroneously encouraged to put it by the original Ubuntu article. This is specifically how the wiring of hostname:port/svn is made to /home/svn.

This is what got me going so that a) a certificate must be accepted to get in and b) any user I created in /etc/subversion/passwd has to log in—all before ever getting to see even the repository's root.
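
The difference between the dav_svn.conf block taken from the Ubuntu article and the block above is where Require sits: inside <LimitExcept GET PROPFIND OPTIONS REPORT> it covers only the methods that are not listed, so checkouts and browsing stay anonymous. As an added example (not part of the original page), this script reports that for each <Location> block of a configuration file; the function name and the two sample files, adapted from the blocks on this page, are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): for every <Location> block in an
# Apache config, report whether "Require" covers all HTTP methods or only the
# ones outside a <LimitExcept> list.

# audit_locations FILE -> one "<path> <verdict>" line per <Location> block:
#   auth-required            Require sits at <Location> level
#   unauthenticated:M1,M2    Require sits only inside <LimitExcept M1 M2>
#   open                     no Require at all
audit_locations() {
    awk '
    /^[ \t]*#/ { next }                         # skip comment lines
    { d = tolower($1) }                         # directives are case-insensitive
    d == "<location" {
        loc = $2; sub(/>$/, "", loc)
        in_limit = 0; top = 0; limited = 0; methods = ""
        next
    }
    d == "<limitexcept" {
        in_limit = 1
        m = $0
        sub(/^[ \t]*<[A-Za-z]+[ \t]+/, "", m)   # drop the section name
        sub(/[ \t]*>[ \t]*$/, "", m)            # drop the closing bracket
        gsub(/[ \t]+/, ",", m)
        methods = m
        next
    }
    d == "</limitexcept>" { in_limit = 0; next }
    d == "require" && loc != "" {
        if (in_limit) limited = 1; else top = 1
        next
    }
    d == "</location>" {
        if (top)          print loc, "auth-required"
        else if (limited) print loc, "unauthenticated:" methods
        else              print loc, "open"
        loc = ""
    }
    ' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed from the dav_svn.conf block on this page (directive spelling
    # corrected): Require sits inside <LimitExcept>.
    cat > "$dir/dav_svn.conf" <<'EOF'
<Location /svn>
  DAV svn
  SVNParentPath /home/svn
  SVNListParentPath On
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/subversion/passwd
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>
EOF
    # Constructed from the final block: Require sits at <Location> level.
    cat > "$dir/ssl" <<'EOF'
<Location /svn>
  DAV svn
  SVNParentPath /home/svn
  SVNListParentPath On
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/subversion/passwd
  Require valid-user
</Location>
EOF
    for f in dav_svn.conf ssl; do
        printf '%s: %s\n' "$f" "$(audit_locations "$dir/$f")"
    done
    rm -rf "$dir"
}
demo
```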

Wrap-up

At the end of this effort, here are the subdirectory and files we've created or modified:

root@tuonela:/etc/apache2/sites-available> ll
total 16
-rw-r--r-- 1 root root 968 2010-10-30 10:16 default
-rw-r--r-- 1 root root 7467 2010-10-30 10:25 default-ssl
-rw-r--r-- 1 root root 1755 2010-10-30 10:26 ssl
root@tuonela:/etc/apache2/sites-available> ll ../sites-enabled/
total 0
lrwxrwxrwx 1 root root 26 2010-10-08 11:57 000-default -> ../sites-available/default
lrwxrwxrwx 1 root root 22 2010-10-12 10:12 ssl -> ../sites-available/ssl

/etc/apache2/httpd.conf:

ServerName localhost

# Here's installing an SSL certificate for Subversion use. The passphrase is
# actually "xxxxxxxxxxxxx."
#SSLEngine on
#SSLCertificateFile /etc/apache2/conf.d/ssl-keys/server.crt
#SSLCertificateKeyFile /etc/apache2/conf.d/ssl-keys/server.key
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
#CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

All we've done plus this (/home/svn revisited) concludes this exercise.

russ@tuonela:~> ll /home/svn
total 0
drwxrwsr-x 2 www.data subversion 48 2010-10-11 17:51 myproject
drwxrwsr-x 7 www.data subversion 224 2010-10-21 16:15 Tmts


Appendix: TortoiseSVN illustrations

Here are some illustrations of hitting the repository from TortoiseSVN:

Get Subversion running between taliesin (my Windows 7 host) and tuonela. See mediocre results (I clicked Accept once):

Then, correcting the path (to remove home/), success! However, there was no authentication. In order for that to work, I undertook what's discussed at Requiring user-authentication.

Later, on Linux, I added a JUnit test for grins to my schema library to see the result on Subversion. (I accepted the certificate permanently this time.) Here is the effect upon TortoiseSVN (on Windows).


Appendix: Useful links

These links aren't for setting up Subversion on your computer host, but for learning how best to structure your source code repositories.

  1. Subversion "...how to setup Subversion [...] on Ubuntu". This was the main article I followed.
  2. How to create a self-signed SSL certificate.... This was my effort to continue to set up Subversion with a certificate for a remote host to consume Subversion from my server.
  3. Subversion Best Practices, by Dariusz Cieslak; some useful practices. I read this article in search of "best practices" for organizing source code in a Subversion repository.
  4. Setting up and Using a Subversion Repository. I read this article also in search of best practices.
  5. SSL Install Method. I read this article because the second one above left me a little at a dead end. It's three versions of Ubuntu older than what I'm working on, but it was a lot of help.
  6. Though old, Installation of Subversion on Ubuntu with Apache, SSL and BasicAuth gives yet another practical point of view.
  7. See my Bluebook notes on Subversion usage.
  8. When I got done doing this stuff, it worked, but no authentication dialog was required to access my repository. This is because I hadn't completed the Apache httpd configuration. Here's another doc to help with that problem: Authentication, Authorization and Access Control. See Requiring user-authentication on this page.

Appendix: Project structure and set-up

Best or, at least, wide-spread practice encourages the following structure for a project committed to Subversion, where project-name is the human name for the project or, more likely, product, such as libc, jvm, Retain, etc.


Underneath trunk is the subproject structure, a list of all major projects that are part of the product.

Steps to create

Outside of the new repository, set up the above structure, starting with project-name. Then, if you already have the subproject(s) themselves, move them to the trunk directory. Fix up ownership of the new, ready structure:

$ chmod -R 770 project-name
$ chgrp -R subversion project-name
$ chmod g+s project-name

At this point, we're ready to import the source code into Subversion. Remember, in the command below, project-name is in your current working directory and is what was created in the previous step: the root dominating your entire source code repository. The scope and granularity of this is up to you since you can create several of these rather than one big one.

$ svn import project-name file://localhost/home/svn/project-name -m "Initial import"

The original directory structure, created above, may now be deleted although it would be a good idea to check out and verify that Subversion has your back first.

Appendix: Setting up an SSL cert

Bouncing Apache, it became evident that I must get SSL up on my host. It's already set up if the first command below comes back with a path. This is a sort of journal of what I did another time to get an SSL certificate running.

There is an Apache configuration file, subversion.conf in /etc/apache2/sites-available linked to from /etc/apache2/sites-enabled.

root@tuonela:/etc/apache2/sites-enabled> which openssl
/usr/bin/openssl
root@tuonela:/etc/apache2/sites-enabled> cd ../
root@tuonela:/etc/apache2> ll
total 56
-rw-r--r-- 1 root root 7994 2010-11-18 14:16 apache2.conf
drwxr-xr-x 2 root root 176 2011-01-13 09:18 conf.d
-rw-r--r-- 1 root root 1169 2010-11-18 14:16 envvars
-rw-r--r-- 1 root root 0 2011-01-13 09:18 httpd.conf
drwxr-xr-x 2 root root 80 2011-01-14 14:17 logs
-rw-r--r-- 1 root root 31063 2010-11-18 14:16 magic
drwxr-xr-x 2 root root 3016 2011-01-14 13:01 mods-available
drwxr-xr-x 2 root root 1080 2011-01-14 13:31 mods-enabled
-rw-r--r-- 1 root root 750 2011-01-14 15:01 ports.conf
drwxr-xr-x 2 root root 224 2011-02-17 10:35 sites-available
drwxr-xr-x 2 root root 160 2011-02-17 10:35 sites-enabled
root@tuonela:/etc/apache2> mkdir ssl
root@tuonela:/etc/apache2> cd ssl
root@tuonela:/etc/apache2/ssl> openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
..............................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: tuonela-subversion
Verifying - Enter pass phrase for server.key: tuonela-subversion
root@tuonela:/etc/apache2/ssl> openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: tuonela-subversion
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Etretat Logiciels, LLC
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, YOUR name) []:repository-server
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:bocaraton
An optional company name []:IBM
root@tuonela:/etc/apache2/ssl> ll
total 8
-rw-r--r-- 1 root root 765 2011-02-17 11:09 subversion.csr
-rw-r--r-- 1 root root 963 2011-02-17 10:59 subversion.key
root@tuonela:/etc/apache2/ssl> cp subversion.key subversion.key.org
root@tuonela:/etc/apache2/ssl> openssl rsa -in subversion.key.org -out subversion.key
Enter pass phrase for subversion.key.org: tuonela-subversion
writing RSA key
root@tuonela:/etc/apache2/ssl> openssl x509 -req -days 365 -in subversion.csr -signkey subversion.key -out subversion.crt
Signature ok
subject=/C=US/ST=UT/L=Provo/O=Etretat Logiciels, LLC/OU=Engineering/CN=repository-server/[email protected]
Getting Private key

Prematurely, I attempt to bounce Apache httpd:

root@tuonela:/etc/apache2/ssl> /etc/init.d/apache2 restart
[Thu Feb 17 11:13:41 2011] [warn] module proxy_module is already loaded, skipping
[Thu Feb 17 11:13:41 2011] [warn] module proxy_http_module is already loaded, skipping
[Thu Feb 17 11:13:41 2011] [warn] module rewrite_module is already loaded, skipping
[Thu Feb 17 11:13:41 2011] [warn] module jk_module is already loaded, skipping
Syntax error on line 34 of /etc/apache2/sites-enabled/subversion.conf:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
 ...fail!

I repent and issue this which I knew I would need:

root@tuonela:/etc/apache2/ssl> a2enmod proxy ssl proxy_http
Module proxy already enabled
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
Run '/etc/init.d/apache2 restart' to activate new configuration!

Watch me attempt to bounce Apache httpd:

root@tuonela:/etc/apache2/ssl> /etc/init.d/apache2 restart
 * Restarting web server apache2
[Thu Feb 17 11:15:24 2011] [warn] module proxy_module is already loaded, skipping
[Thu Feb 17 11:15:24 2011] [warn] module proxy_http_module is already loaded, skipping
[Thu Feb 17 11:15:24 2011] [warn] module rewrite_module is already loaded, skipping
[Thu Feb 17 11:15:24 2011] [warn] module jk_module is already loaded, skipping
[Thu Feb 17 11:15:24 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Feb 17 11:15:24 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
 ... waiting .[Thu Feb 17 11:15:26 2011] [warn] module proxy_module is already loaded, skipping
[Thu Feb 17 11:15:26 2011] [warn] module proxy_http_module is already loaded, skipping
[Thu Feb 17 11:15:26 2011] [warn] module rewrite_module is already loaded, skipping
[Thu Feb 17 11:15:26 2011] [warn] module jk_module is already loaded, skipping
[Thu Feb 17 11:15:26 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Feb 17 11:15:26 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
Action 'start' failed.
The Apache error log may have more information.
root@tuonela:/etc/apache2/ssl> /etc/init.d/apache2 status
Apache2 is NOT running.

I peeked at /var/log/apache2/error.log and saw:

[Thu Feb 17 11:15:26 2011] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/apache2/sites-enabled/subversion.conf:33)

So, I added

SSLCertificateFile /etc/apache2/ssl/subversion.crt
SSLCertificateKeyFile /etc/apache2/ssl/subversion.key

...to the bottom of the VirtualHost section in subversion.conf. This eliminated the failure when I bounced Apache.

root@tuonela:/etc/apache2/ssl> /etc/init.d/apache2 restart
 * Restarting web server apache2
[Thu Feb 17 11:28:54 2011] [warn] module proxy_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] module proxy_http_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] module rewrite_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] module jk_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Feb 17 11:28:54 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Feb 17 11:28:54 2011] [warn] module proxy_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] module proxy_http_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] module rewrite_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] module jk_module is already loaded, skipping
[Thu Feb 17 11:28:54 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
[Thu Feb 17 11:28:54 2011] [warn] NameVirtualHost *:80 has no VirtualHosts
root@tuonela:/etc/apache2/ssl> /etc/init.d/apache2 status
Apache2 is running (pid 16421).