Subversion setup and Gorg

Hello, first actual post in linux planets :)

Introduction

Recently I wanted to have an svn+ssh installation, without giving ssh access to the users. The procedure is very simple, and it doesn’t diverge much from the typical subversion configuration. This is going to be the first topic I’m going to expand on. The second one is a Gorg installation that takes advantage of it and helps translation teams. Let me clear this up by telling you the whole story:

Some Greek geeks recently gathered and wanted to create a Greek Gentoo community. So, the very first thing I wanted to do was to have better communication between translators, but also to give some people a motivation to contribute to the translations, even by just reviewing. The current model does not allow that much. There are only one or two people who have CVS access to translations (for Greek there is none at the moment). So, if there are other people also translating the documentation, they have to send patches, which has many drawbacks: What if two or more people were working on the same thing? What if someone finds a simple typo? Why should he create a patch? If a bunch of people could just correct those kinds of small mistakes in the documentation, without going through the procedure of creating patches or whatever, the translation progress would be very rapid, and it would be easy for more people to contribute. Let’s begin with the subversion configuration.

Subversion

In fact, all I have done here is to collect information. No special tweaking. This is going to be rather a quick installation, configuration and usage howto.

First of all, we install subversion :P (in Gentoo it is dev-util/subversion). Then we create a svn user and group, setting its home folder to /var/svn. This is the place where our subversion repositories will be stored.

useradd -m -d /var/svn -s /bin/bash svn

(For some extra security I set rbash as this user’s shell; it seems to work, but you’ll have to make sure it doesn’t break your hooks first.) The following changes should be made as the svn user, in order to avoid permission problems. So, we go to that directory and create a test repository:

svnadmin create test

The next step is to set up the users’ accounts. We need ssh keys from the users for this. In /var/svn/.ssh/authorized_keys we write the following:

command="svnserve -t -r /var/svn --tunnel-user=commiter1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss AAAAB3Nza.... user@host

Now, a little explanation of the above snippet. When a user runs an svn+ssh command, he actually logs in to the system as the svn user. ssh then immediately runs the svnserve command with some extra parameters: the path of the folder where the repos reside and the actual username of the committer (here it is commiter1). The ssh options that follow provide more security (for example, by disabling X11 forwarding). At the end is the user’s public key.

The last step is to configure the repository and specify who has read/write access, who has read-only access and who has no access at all. We have to edit two files, test/conf/authz and test/conf/svnserve.conf. In svnserve.conf we uncomment the following lines:

# optional: only if we want an anonymous svnserve running
anon-access = read
auth-access = write
authz-db = authz

Then we edit authz file, where we specify the users’ privileges. There are many ways to do it, by specifying aliases, groups of people, and extra permissions to subdirectories. There are examples inside the file, so I am not going to expand on it at all. I’m just going to show a very simple configuration:

[test:/]
commiter1 = rw
commiter2 = rw
commiter3 = r
* = r
# Note: Of course the wildcard * = r covers the commiter3 = r entry

With this configuration we don’t need a running svnserve daemon. This prevents anonymous checkouts, and allows us to close the svn port (default 3690).

However, if you do want this, in Gentoo the file /etc/conf.d/svnserve is used to specify the user that will run the daemon, which should be the user svn. Also, the SVNSERVE_OPTS variable could contain the repos path (--root=/var/svn). Debian does not provide a script, but it is very easy to create a custom one, and a simple Google search will provide millions. Contact me if you need more info on this.

The last part is to create an svnserve wrapper. gentoo-wiki provides one that I have extended a bit (based on a script that robbat2 gave me that he uses in a Gentoo server):

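#!/bin/bash
# Wrapper installed as /usr/local/bin/svnserve, ahead of /usr/bin/svnserve in PATH.
export SSH_SESSION=1
# Log the user, the command the client asked for and the arguments we were given.
echo "$(date),$(date +%s) $USER (${SSH_ORIGINAL_COMMAND}) ($*)" >> /var/log/svnserve.log
# Only hand over to the real svnserve when the client asked for "svnserve -t".
if [ "$SSH_ORIGINAL_COMMAND" = "svnserve -t" ]; then
    export SSH_LOGIN=
    umask 002
    exec /usr/bin/svnserve "$@"
else
    exit 1
fi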

The extra thing I added is to log the user and reject the connection if the ssh argument is not svnserve -t. Place the script in /usr/local/bin/svnserve, make it executable and make sure that "which svnserve" returns /usr/local/bin/svnserve instead of /usr/bin/svnserve. According to the gentoo-wiki article:

If the latter is the case, SSH does not search /usr/local/bin for the svnserve command. To change that, you can use the PAM module pam_env.so which is usually included in /etc/pam.d/ssh via system-auth. pam_env's config file is /etc/security/pam_env.conf and by adding PATH OVERRIDE=/usr/local/bin:/usr/bin:/bin you instruct it to set this particular path for all system-auth services. It appears this PAM module affects local login commands also, so check you have all the directories normally included in root's PATH included in this /etc/security/pam_env.conf entry.
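
The wrapper shown earlier writes SSH_ORIGINAL_COMMAND, which is chosen by the connecting client, straight into /var/log/svnserve.log. The following added example (not the gentoo-wiki script or the author's; the function names and the log layout are assumptions) applies the same accept/reject rule and reduces every logged field to printable ASCII, so one request always produces exactly one log line.

```bash
#!/bin/bash
# Added example (not the post's wrapper): build the audit line so that
# client-supplied text cannot break the one-entry-per-line log format.

# Replace every byte outside printable ASCII with '?' and cap the length.
log_field() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?' | cut -c1-200
}

# Same rule as the wrapper: only the exact string "svnserve -t" is accepted.
is_allowed_request() {
    [ "$1" = "svnserve -t" ]
}

# Usage: audit_line <user> <original-command> <wrapper-args...>
audit_line() {
    local user="$1" orig="$2" verdict=REJECT
    shift 2
    if is_allowed_request "$orig"; then verdict=ACCEPT; fi
    printf '%s %s user=%s cmd=(%s) args=(%s)\n' "$(date +%s)" "$verdict" \
        "$(log_field "$user")" "$(log_field "$orig")" "$(log_field "$*")"
}

# Constructed request: a newline followed by text shaped like a log entry.
forged=$(printf 'svnserve -t\n1700000000 ACCEPT user=svn cmd=(svnserve -t)')
audit_line svn "$forged" -t -r /var/svn --tunnel-user=commiter1
```

In the wrapper itself, the output of `audit_line "$USER" "$SSH_ORIGINAL_COMMAND" "$@"` would be appended to the log in place of the `echo` line.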

That covers pretty much everything needed for the installation. The following command shows how we can check out the repository:

svn co svn+ssh://svn@server/repo

Since we specified -r /var/svn in authorized_keys, we don't need to type the whole path (the same applies to anonymous checkouts). Note that we use the svn user to do the svn+ssh authentication. The commits though will be logged with the actual user, the one who was specified in --tunnel-user. An optional step is to install a web gui for our svn repositories, like websvn or viewVC. Their configuration is very easy and well documented, so I won't expand on this. We are done with the subversion configuration, now let's move to something more Gentoo-specific.
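
To confirm that every key in /var/svn/.ssh/authorized_keys carries the forced svnserve command with a fixed --tunnel-user and the four restrictions explained in this section, the file can be audited with a short script. This is an added example, not part of the original guide; the function names and the sample lines (with placeholder key material) are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the post): audit svn+ssh lines of an authorized_keys file.
# REQUIRED_OPTS are the restrictions used in the entry shown in the post.
REQUIRED_OPTS="no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty"

# Print the options field of one key line (empty when the line has none).
# sed keeps everything up to the first space outside double quotes.
key_options() {
    local first
    first=$(printf '%s\n' "$1" | sed -E 's/^(([^" ]|"([^"\\]|\\.)*")*) .*$/\1/')
    case $first in
        ssh-*|ecdsa-*|sk-*) ;;             # first field is the key type: no options
        *) printf '%s' "$first" ;;
    esac
}

# Print "ok <tunnel-user>" or "FAIL <reasons>" for one key line.
audit_key_line() {
    local opts flags opt user problems=""
    opts=$(key_options "$1")
    user=$(printf '%s\n' "$opts" | sed -nE 's/^(.*,)?command="svnserve -t [^"]*--tunnel-user=([A-Za-z0-9._-]+)( [^"]*)?".*$/\2/p')
    [ -n "$user" ] || problems=" missing-forced-svnserve"
    # Drop quoted values so text inside command="..." cannot pass as a flag.
    flags=$(printf '%s\n' "$opts" | sed -E 's/"([^"\\]|\\.)*"//g')
    for opt in $REQUIRED_OPTS; do
        case ",$flags," in *",$opt,"*) ;; *) problems="$problems missing-$opt" ;; esac
    done
    if [ -n "$problems" ]; then echo "FAIL$problems"; else echo "ok $user"; fi
}

# Audit key lines read from stdin; print a report, return the failure count.
audit_authorized_keys() {
    local line res n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        res=$(audit_key_line "$line")
        echo "line $n: $res"
        case $res in ok*) ;; *) bad=$((bad + 1)) ;; esac
    done
    return "$bad"
}

# Constructed sample lines; the key material is a placeholder, not a real key.
audit_authorized_keys <<'EOF' || echo "entries to fix: $?"
command="svnserve -t -r /var/svn --tunnel-user=commiter1",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAexample user1@host
command="svnserve -t -r /var/svn --tunnel-user=commiter2",no-pty ssh-ed25519 AAAAexample user2@host
ssh-ed25519 AAAAexample user3@host
EOF
```

Run it against the real file with `audit_authorized_keys < /var/svn/.ssh/authorized_keys`. Entries that use OpenSSH's `restrict` keyword instead of the four explicit options are reported as missing them.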

Gorg with SVN

The main problem in Gentoo translations (and documentation translations in general I suppose) is that they can't be handled with a Transifex or Pootle installation. So, what I am proposing here is to have a Gorg installation that serves a copy of the gentoo.org website, apart from the /doc/XX folder which will be a separate svn repository, which will be updated after every commit with a simple post-commit hook. The whole thing seems to work very well for the Greek language (/doc/el), and you can see a sample of my work in the following links: http://gorg.gentoo-el.org/doc/el/handbook and http://websvn.gentoo-el.org/listing.php?repname=gentoo-doc-el. (Note to other translation teams: if you are interested in this but you don't have a server to host it, I'll be glad to host it). The installation of Gorg is fully explained on Xavier's website, and I don't think I have to say anything more on this. After it is up and running, we can go on to some further tweaking.

First of all we create an svn repository (for example called gentoo-doc-xx). Then delete the folder doc-xx from the CVS checkout we did earlier. Replace this folder with the svn repository you just made, which has to have the same name:

svn co svn://localhost/gentoo-doc-xx /path/to/your/document/root/doc/xx

Then we set up the hook. Some templates are stored inside the repositories, in the subfolder hooks. Just create a file post-commit, make it executable and add to it the following two lines:

#!/bin/bash
/usr/bin/svn export file:///var/svn/gentoo-doc-xx/ /path/to/your/document/root/doc/xx --force >> /var/log/svnserve.log

And that's pretty much it. Feel free to contact me for any suggestions or questions. The docs I used for this are the following:

5 Responses to Subversion setup and Gorg

  1. Dawid Węgliński says:

    You should use svn export instead of update to get rid of ./.svn/ things. :)

  2. winterheart says:

    Hey, I have a successful experiment integrating GuideXML and Transifex. I have a few troubles with this (I can’t add roles and names of translators), but this works.
    Here is my playground: https://transifex.gentoo.ru

  3. tampakrap says:

    Guide updated to include svn export, thanks Dawid
