Setting Up Subversion Repository on OS X


Subversion is becoming more popular than CVS over time as a source code version control system. Subversion is impressive in its design goals, and from the outset its goals and objectives appear to be very well thought out. Subversion is flexible, and repositories can be made available in many ways, from a simple repository on your local hard drive to internet-based repositories served over the http or https protocols.

For this exercise we show how to set up a simple repository on a network server with secure shell access. The requirements of the repository are accessibility by a small, stable development team of 3 trusted in-house developers who need to update and commit remotely from outside the local area network. The requirement for tunneling repository traffic over ssh is simply to protect the small amounts of sensitive data, such as API pins or private SSL keys, that are shared by the repository. Also keep in mind that there are many, many ways to set up a Subversion infrastructure. This is just one way that suits my needs and is based on the concept explained in the Subversion book in the section SSH configuration tricks. There are other ways and variations that may suit your needs better.

This article assumes that you have a basic knowledge of unix command line usage...

Initial Network Access Configuration
Before installing Subversion or configuring a repository, we will set up an account on the repository machine with public/private key pair access for the developers. This is a generic unix task, but it is essential to provide secure remote access to the repository for the configuration we have planned.

Choose the network machine that will hold the repository. Our repository is on an Intel Mac that runs OS X Server, but the instructions are the same for a repository stored on an OS X network machine.

On the repository machine, create a standard ordinary user account (System Preferences -> Accounts). Let's say, for the purpose of this example, we create a user named 'svnsandbox'.

Configure public/private key access so that the development team members can ssh into the repository machine as user 'svnsandbox' without typing any passwords. See the following article for an understanding of setting this up:
SSH Without Password Interaction

Tip: Use a config file in your ~/.ssh directory to create 'preconfigured' ssh aliases. For example, an entry such as:

Host svnmac.svnsandbox
HostKeyAlias svnmac
HostName my.domain.com
User svnsandbox
CheckHostIP no
Port 523

This entry in the config file conveniently allows a very simple ssh hostname of 'svnmac.svnsandbox' to be used for svn and/or ssh login from a developer's personal account straight into the svnsandbox account that we set up on the remote machine. Port 523 on the router is forwarded to 22 on the inside svn repository machine. See man ssh for details on the other parameters.

When this optional convenience feature is set up, you should test from each developer machine by simply typing:
$ ssh svnmac.svnsandbox

... which should result in the developer logging straight into the remote svn machine from anywhere, from his personal account on his development machine. Do not progress any further until you have this working.

Installing Subversion
Thanks to Jeremy Whitlock, we have a fully complete recent binary with all the Subversion bells and whistles available online at http://downloads.open.collab.net/binaries.html and you can still check the tigris page for others that may be available after the time of writing this article. See http://subversion.tigris.org/project_packages.html

Download the binary and run the installer on the repository machine and on all of the developer machines (assuming they use Macs for development too).

Creating the Repository
First log into a shell on the repository machine as the svn user we created earlier:
$ ssh svnmac.svnsandbox

Next, create the repository (shown here as 'svnsandboxrepos') in the home directory of the svn user we created earlier:
$ svnadmin create --fs-type fsfs /Users/svnsandbox/svnsandboxrepos

Preparing for MultiUser Access
Now we need to create an alias to the svnserve binary to make sure we do not have file system permission problems. Google 'svnserve umask' to understand more about why we must do this.

Now, logged in as root on the repository machine, create a text file named /usr/local/aliasbin/svnserve (make the directory 'aliasbin' if it does not exist) using the pico command-line editor or whatever you prefer, with the following contents:

#!/bin/sh
umask 002
/usr/local/bin/svnserve "$@"

Make the text file executable:
$ sudo chmod +x /usr/local/aliasbin/svnserve

So, essentially we have created a 'wrapper' that sets the umask and points to the real svnserve executable. The Subversion Book recommends that we also do this for svnlook and svnadmin executables. So you might end up with an alias directory of wrappers looking something like this:
svnmac:/usr/local/aliasbin root# ls -al
total 24
drwxr-xr-x 5 root wheel 170 Jul 5 12:00 .
drwxr-xr-x 11 root wheel 374 Jul 3 14:09 ..
-rwxr-xr-x 1 root wheel 49 Jul 5 12:01 svnadmin
-rwxr-xr-x 1 root wheel 48 Jul 5 12:01 svnlook
-rwxr-xr-x 1 root wheel 49 Jul 3 14:11 svnserve

Afterward, modify /etc/profile on the repository machine so that /usr/local/aliasbin comes first in the PATH.
Finally, modify the authorized_keys file in the svn user's account on the repository machine as outlined in the SSH configuration tricks section of the Subversion manual.

For this example, we could insert the following ssh command at the beginning of the line holding my own public key:
command="/usr/local/aliasbin/svnserve -t --tunnel-user=kieran -r /Users/svnsandbox/svnsandboxrepos"
Note that we point to the svnserve wrapper alias, specify the repository path with the -r option, and specify the tunnel-user so that committed changes are associated with that user name.

Insert a command line like this in front of each developer's public key line in the authorized_keys file, changing the tunnel-user option to reflect their user name. If you wish, you may specify some restrictions here as outlined in that section of the Subversion manual.
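
The following script is an added example, not part of the original article: it builds the authorized_keys line for each developer with the forced svnserve command plus the standard OpenSSH restriction options, and audits an existing file for keys that lack the forced command. The function names and the sample key string are made up for illustration; the paths and the user name 'kieran' are the ones used above.

```shell
#!/bin/sh
# Added example: build and audit authorized_keys lines for the svnsandbox account.
# Paths and the user name 'kieran' come from the article; the function names
# and the sample key string are made up for illustration.
SVNSERVE=/usr/local/aliasbin/svnserve
REPO=/Users/svnsandbox/svnsandboxrepos
# OpenSSH key options that switch off everything svnserve does not need.
RESTRICT='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# make_entry USER 'KEYTYPE KEYDATA COMMENT' -> prints one authorized_keys line
make_entry() {
    user=$1 pubkey=$2
    # The name is pasted inside command="...": allow only safe characters so
    # it cannot close the quote or smuggle in extra svnserve arguments.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    # Expect a bare public key, not a line that already carries options.
    case $pubkey in
        ssh-*' '*|ecdsa-*' '*) ;;
        *) echo "not a bare public key" >&2; return 1 ;;
    esac
    printf 'command="%s -t --tunnel-user=%s -r %s",%s %s\n' \
        "$SVNSERVE" "$user" "$REPO" "$RESTRICT" "$pubkey"
}

# audit_keys FILE -> prints the line number of every key that does not start
# with the forced svnserve command (such a key gets a full shell as the
# repository user); exit status is 1 if any were found.
audit_keys() {
    awk -v want="command=\"$SVNSERVE -t --tunnel-user=" '
        /^[ \t]*(#|$)/       { next }            # comments and blank lines
        index($0, want) != 1 { print NR; bad = 1 }
        END                  { exit bad + 0 }
    ' "$1"
}

# Demo with a constructed (not real) key string.
make_entry kieran 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-PLACEHOLDER kieran@devmac'
```

Run audit_keys /Users/svnsandbox/.ssh/authorized_keys on the repository machine after editing the file. Any line number it prints is a key that can still log in without being confined to svnserve, and whose holder could therefore commit under any tunnel-user name.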

Your repository is now ready for use by the development team using a URL something like this:
svn+ssh://svnmac.svnsandbox/

Using this same simple approach, you can create multiple repositories on the same machine, with the requirement that a standard user account must be created for each repository. And if the requirements of the team change and grow, you can always add other layers of repository access to the same repositories via Apache or whatever in the future.

Send errors and comments to kieran_lists (at) mac (dot) com.





Posted: Thursday - July 05, 2007 at 12:41 PM        

