Skip to main content

Linux: Trac and Subversion on Ubuntu with Nginx and SSL

I just setup Trac and Subversion on Ubuntu. I decided to proxy tracd behind Nginx so that I could use SSL. I used ssh to access svn. I got email and commit hooks for everything working. I used runit to run tracd. In all, it took me about four days. Here's a brain dump of my notes:
Set up Trac and Subversion:
Setup runit:
touch /etc/inittab # Latest Ubuntu uses "upstart" instead of the sysv init.
apt-get install runit
initctl start runsvdir
initctl status runsvdir
While still on oldserver, I took care of some Trac setup:
Setup permissions:
See: http://trac.edgewall.org/wiki/TracPermissions
trac-admin:
permission list
permission remove anonymous '*'
permission remove authenticated '*'
permission add authenticated BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_CREATE TICKET_MODIFY TICKET_VIEW TIMELINE_VIEW WIKI_CREA
TE WIKI_MODIFY WIKI_VIEW
Note: The above matches the default, but with no anonymous access.
permission add jj TRAC_ADMIN
Went through the admin section in the GUI and setup everything.
Fixed inconsistent version field ("" vs. None):
sqlite3 db/trac.db:
update ticket set version = null;
apt-get install subversion-tools python-subversion
apt-get install python-pysqlite2
easy_install docutils:
/usr/bin/rst2newlatex.py
/usr/bin/rst2xml.py
/usr/bin/rstpep2html.py
/usr/bin/rst2s5.py
/usr/bin/rst2latex.py
/usr/bin/rst2pseudoxml.py
/usr/bin/rst2html.py
easy_install pygments:
/usr/bin/pygmentize
easy_install pytz
Setup users:
Used "adduser" to create users.
Grabbed their passwords from /etc/shadow on oldserver.
addgroup committers
Added the users to the committers group.
Setup svn:
mkdir -p /var/lib/svn
svnadmin create /var/lib/svn/example
Copied our svn repository db from oldserver to /var/lib/svn/example/db.
chgrp -R committers /var/lib/svn/example/db
Setup trac:
easy_install Trac:
/usr/bin/trac-admin
/usr/bin/tracd
+Genshi-0.5.1-py2.5-linux-i686.egg
mkdir -p /var/lib/trac
cd /var/lib/trac
trac-admin example initenv:
I pointed it at the svn repo path, but otherwise used the default
settings.
Copied stuff from our trac instance on oldserver to
/var/lib/trac/example/attachments and /var/lib/trac/example/db.
I chose not to keep our trac.ini since Trac has changed so much.
I chose not to keep our passwords file since they were too easy.
htpasswd -c /var/lib/trac/example/conf/users.htpasswd jj
Edited /var/lib/trac/example/conf/trac.ini.
adduser trac # Used a throwaway password.
vipw # Changed home to /var/lib/trac and set shell to /bin/false.
chown -R trac:trac /var/lib/trac # Per the instructions. Weird.
find /var/lib/trac/example/attachments -type d -exec chmod 755 '{}' \;
find /var/lib/trac/example/attachments -type f -exec chmod 644 '{}' \;
trac-admin /var/lib/trac/example resync
Setup trac under runit:
Setup logging:
mkdir -p /etc/sv/trac/log
mkdir -p /var/log/trac

cat > /etc/sv/trac/log/run << __END__
#!/bin/sh

exec 2>&1
exec chpst -u trac:trac svlogd -tt /var/log/trac
__END__

chmod +x /etc/sv/trac/log/run
chown -R trac:trac /var/log/trac
Setup trac:

cat > /etc/sv/trac/run << __END__
#!/bin/sh

exec 2>&1
exec chpst -u trac:trac tracd -s --hostname=localhost --port 9115 --basic-auth='*',/var/lib/trac/example/conf/users.htpasswd,'24 Hr. Diner' /var/lib/trac/example
__END__

chmod +x /etc/sv/trac/run
ln -s /etc/sv/trac /etc/service/
Setup Nginx to proxy to Trac and handle SSL:
cd /etc/nginx
openssl req -new -x509 -nodes -out development.example.com.crt \
-keyout development.example.com.key
Edit sites-available/default.
/etc/init.d/nginx restart
Setup post-commit hook:
cd /var/lib/svn/example/hooks
wget http://trac.edgewall.org/browser/trunk/contrib/trac-post-commit-hook?format=txt \
-O trac-post-commit-hook
chmod +x trac-post-commit-hook
cp post-commit.tmpl post-commit
chmod +x post-commit
Edited post-commit.
mkdir /var/lib/trac/example/.egg-cache
chown -R trac:committers \
/var/lib/trac/example/.egg-cache \
/var/lib/trac/example/db
chmod 775 /var/lib/trac/example/.egg-cache \
/var/lib/trac/example/db
chmod 664 /var/lib/trac/example/db/trac.db
Setup trac notifications:
Edit /var/lib/trac/example/conf/trac.ini.
sv restart trac
Here's the most important part of Nginx's sites-available/default:
# Put Trac on HTTPS on port 9443.
server {
listen 9443;
server_name development.example.com;

access_log /var/log/nginx/development.access.log;
error_log /var/log/nginx/development.error.log;

ssl on;
ssl_certificate /etc/nginx/development.example.com.crt;
ssl_certificate_key /etc/nginx/development.example.com.key;

ssl_session_timeout 5m;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

location / {
root html;
index index.html index.htm;
proxy_pass http://127.0.0.1:9115;
}
}
Here's the most important part of svn's post-commit hook:
REPOS="$1"
REV="$2"
MAILING_LIST="commits@example.com"
TRAC_ENV="/var/lib/trac/example"

/usr/share/subversion/hook-scripts/commit-email.pl "$REPOS" "$REV" \
"$MAILING_LIST"
/usr/bin/python /var/lib/svn/example/hooks/trac-post-commit-hook \
-p "$TRAC_ENV" -r "$REV"
Here are the changes I made to trac.ini:
===================================================================
--- var/lib/trac/example/conf/trac.ini (revision 464)
+++ var/lib/trac/example/conf/trac.ini (revision 475)
@@ -58,13 +58,13 @@
mime_encoding = base64
smtp_always_bcc =
smtp_always_cc =
-smtp_default_domain =
-smtp_enabled = false
-smtp_from = trac@localhost
+smtp_default_domain = example.com
+smtp_enabled = true
+smtp_from = trac@development.example.com
smtp_from_name =
smtp_password =
smtp_port = 25
-smtp_replyto = trac@localhost
+smtp_replyto = ops@example.com
smtp_server = localhost
smtp_subject_prefix = __default__
smtp_user =
@@ -152,7 +152,7 @@
authz_file =
authz_module_name =
auto_reload = False
-base_url =
+base_url = https://development.example.com:9443
check_auth_ip = true
database = sqlite:db/trac.db
default_charset = iso-8859-15
@@ -166,7 +166,7 @@
repository_type = svn
show_email_addresses = false
timeout = 20
-use_base_url_for_redirect = False
+use_base_url_for_redirect = True

[wiki]
ignore_missing_pages = false
Wow, that was painful!

Comments

jjinux said…
If you're trying to read something, and it gets cut off by the CSS, just look at the HTML source. Sorry about that.

If you don't know how to install Python egg's via easy_install, start with:

Setup distutils:
wget http://peak.telecommunity.com/dist/ez_setup.py
python ez_setup.py
jjinux said…
Sorry it's so terse and messy looking. There actually is a method to my madness, but the heredocs mess up the look of the indentation.
Hi,
You can use naraio. It comes with Apache, subversion, trac and openldap . Naraio is very in installation with
trac and subversion.
You can download from http://opensourcedevelopment.net
Regards

Popular posts from this blog

Ubuntu 20.04 on a 2015 15" MacBook Pro

I decided to give Ubuntu 20.04 a try on my 2015 15" MacBook Pro. I didn't actually install it; I just live booted from a USB thumb drive which was enough to try out everything I wanted. In summary, it's not perfect, and issues with my camera would prevent me from switching, but given the right hardware, I think it's a really viable option. The first thing I wanted to try was what would happen if I plugged in a non-HiDPI screen given that my laptop has a HiDPI screen. Without sub-pixel scaling, whatever scale rate I picked for one screen would apply to the other. However, once I turned on sub-pixel scaling, I was able to pick different scale rates for the internal and external displays. That looked ok. I tried plugging in and unplugging multiple times, and it didn't crash. I doubt it'd work with my Thunderbolt display at work, but it worked fine for my HDMI displays at home. I even plugged it into my TV, and it stuck to the 100% scaling I picked for the othe

ERNOS: Erlang Networked Operating System

I've been reading Dreaming in Code lately, and I really like it. If you're not a dreamer, you may safely skip the rest of this post ;) In Chapter 10, "Engineers and Artists", Alan Kay, John Backus, and Jaron Lanier really got me thinking. I've also been thinking a lot about Minix 3 , Erlang , and the original Lisp machine . The ideas are beginning to synthesize into something cohesive--more than just the sum of their parts. Now, I'm sure that many of these ideas have already been envisioned within Tunes.org , LLVM , Microsoft's Singularity project, or in some other place that I haven't managed to discover or fully read, but I'm going to blog them anyway. Rather than wax philosophical, let me just dump out some ideas: Start with Minix 3. It's a new microkernel, and it's meant for real use, unlike the original Minix. "This new OS is extremely small, with the part that runs in kernel mode under 4000 lines of executable code.&quo

Haskell or Erlang?

I've coded in both Erlang and Haskell. Erlang is practical, efficient, and useful. It's got a wonderful niche in the distributed world, and it has some real success stories such as CouchDB and jabber.org. Haskell is elegant and beautiful. It's been successful in various programming language competitions. I have some experience in both, but I'm thinking it's time to really commit to learning one of them on a professional level. They both have good books out now, and it's probably time I read one of those books cover to cover. My question is which? Back in 2000, Perl had established a real niche for systems administration, CGI, and text processing. The syntax wasn't exactly beautiful (unless you're into that sort of thing), but it was popular and mature. Python hadn't really become popular, nor did it really have a strong niche (at least as far as I could see). I went with Python because of its elegance, but since then, I've coded both p