SVN installation configuration Summary

Source: Internet
Author: User

As a new generation of version control software, SVN (Subversion) is developed on the basis of CVS. It fixes various drawbacks of CVS and is expected to become the open-source replacement for CVS.

(1) Preparations

You can download the latest version of SVN from the official SVN website.

$ cd ~/build
$ wget
$ tar zxvf subversion-1.3.0.tar.gz
$ cd subversion-1.3.0
$ more INSTALL
...
I. BUILD REQUIREMENTS
=====================
...
1. Apache Portable Runtime 0.9.7
# The SVN release package already contains APR and APR-util.
# If you do not want to use the bundled copies, you can point to others
# with the ./configure options --with-apr= and --with-apr-util=.
# You can also download the latest APR and APR-util packages and store them in ./apr and ./apr-util;
# they will then take part in the whole build.
...
2. autoconf 2.50 or newer (Unix only)
# Needed only if you plan to compile the latest source code
...
3. libtool 1.4 or newer (Unix only)
# Needed only if you plan to compile the latest source code
...
4. Neon library 0.24.7 or 0.25.3
The Neon library allows a Subversion client to interact with remote repositories over the Internet via a WebDAV based protocol.
# You can download neon-x.x.x and save it in ./neon; it will then take part in the whole build.
# You can also use an already compiled neon by specifying the LDFLAGS variable for ./configure.
# You must then also specify the --with-neon= option. The directory given by this option should contain the bin/neon-config program.
...
5. Berkeley DB 4.x
# If you do not plan to use Berkeley DB as the repository back end, or you install the svn client only, you do not need it.
# We recommend Berkeley DB 4.3 or 4.2.
# In ./configure, specify its location with --with-berkeley-db=/usr/local/berkeleydb.4.3
...
6. Apache Web Server 2.0.49 or newer
# Used to access your Subversion repository
# Of course, you can also use SVN's own server: svnserve
...
6.1 Apache Web Server 2.0.54 or newer (Windows only)
...
7. Python 2.0
# Mainly used for make check; it should be possible to do without it
...
8. Visual C++ 6.0 or newer (Windows only)
...
9. Perl 5.8 or newer (Windows only)
...
10. MASM 6 or newer (Windows only, optional)
...
11. Libraries for our libraries
# Mainly the libraries that the ones above depend on. For example, if neon needs SSL encryption, the OpenSSL library must be present.
...
II. INSTALLATION
================
A. Building from a Tarball or RPM
...
2. Building from an RPM
...
Unpack it, and use the standard GNU procedure to compile:
$ ./configure
$ make
# make install
You can also run the full test suite by running 'make check'.
...
B. Building the Latest Source under Unix
# If you have already installed Subversion and want to update it to the latest version, take a look at this part.
...
III. BUILDING A SUBVERSION SERVER
=================================
A. Setting Up Apache
1. Obtaining and Installing Apache 2.0
...
$ svn co / httpd-2.0
Checkout the "apr" and "apr-util" modules into the srclib/ directory:
$ cd httpd-2.0/srclib
$ svn co / apr
$ svn co / apr-util
At the top of the httpd-2.0 tree:
$ ./buildconf
$ ./configure --enable-dav --enable-so --enable-maintainer-mode
# You can also use --with-dbm=db4 and --with-berkeley-db=/usr/local/berkeleydb.4.2
# to specify the location of Berkeley DB
# --enable-ssl enables SSL support
# --enable-deflate enables compression support
...
Compile and install Apache:
$ make && make install
B. Making and Installing the Subversion Server
# Switch to the svn source code directory, where you can run
$ ./configure --with-apxs=...
# to configure Subversion
# After make is complete, you can find in the modules directory of Apache...
C. Configuring Apache for Subversion
# Make sure your httpd.conf has this line after loading:
#   LoadModule dav_svn_module modules/
#
# The configuration at the bottom of httpd.conf is as follows:
#   DAV svn
#   SVNPath /absolute/path/to/repository
#
# To restrict access, you can add:
#   AuthType Basic
#   AuthName "Subversion repository"
#   AuthUserFile /my/svn/user/passwd/file
#
# If you want both read and write operations to be authenticated, add Require valid-user.
#
# If you only want writes to be authenticated, add:
#   Require valid-user
#
# To control reads and writes separately, add:
#   AuthGroupFile /my/svn/group/file
#   Require group svn_committers
#   Require group svn_committers
#   Require group svn_readers
#
# mod_dav identifies the server by its domain name, so you must configure the correct ServerName.
# If the repository is served from a name-based virtual host, you need to configure ServerAlias.
#
# If you want content compression, you can configure:
#   SetOutputFilter DEFLATE
#
# Note: the Apache user (usually nobody) must be able to read the Berkeley DB files.
...
E. Alternative: 'svnserve' and ra_svn
# Another optional network layer is SVN's own protocol. The client side is libsvn_ra_svn,
# the server side is the svnserve process, and this communication is not encrypted.
...
$ svnserve -d     # Becomes a background daemon
$ svn checkout svn://localhost/usr/local/svn/repository
...
'svnserve' has built-in CRAM-MD5 authentication (so you can use non-system accounts), and can also be tunneled over SSH (so you can use existing system accounts).
...

This section describes how to install SVN and configure service programs. Based on the instructions in this section, let's start our SVN installation and configuration journey.

(2) Install Berkeley DB 4.3.29

$ cd ~/build
$ wget
$ tar zxvf db-4.3.29.tar.gz
$ cd db-4.3.29/build_unix
$ ../dist/configure --prefix=/usr/local/BerkeleyDB-4.3.29 --enable-cxx --enable-rpc
$ make
$ make install
$ echo /usr/local/BerkeleyDB-4.3.29/lib >> /etc/
$ ldconfig -v

(3) Install Apache 2.0.55

$ cd ~/build
$ wget
$ tar zxvf httpd-2.0.55.tar.gz
$ cd httpd-2.0.55
$ CFLAGS="-O2" ./configure --prefix=/usr/local/apache2 \
    --enable-rewrite=shared --enable-dav=shared --enable-so \
    --with-dbm=db4 --with-berkeley-db=/usr/local/BerkeleyDB-4.3.29 \
    --enable-deflate=shared --enable-ssl=shared
$ make
$ make install

(4) Install Subversion 1.3.0

$ cd ~/build
$ cd subversion-1.3.0
$ ./configure --prefix=/usr/local/svn-1.3.0 \
    --with-apxs=/usr/local/apache2/bin/apxs --with-ssl \
    --with-berkeley-db=/usr/local/BerkeleyDB-4.3.29 \
    --with-zlib
$ make
$ make install
$ ln -s /usr/local/svn-1.3.0 /usr/local/svn

For ease of use, we have created a symbolic link, /usr/local/svn.

(5) Configure svnserve

We first configure the svnserve service method, and then we will consider using Apache to implement the service.

First, give our SVN service a name. IANA has reserved port 3690 for the Subversion protocol. You can add it to /etc/services.

$ vi /etc/services
...
svn           3690/tcp   # Subversion
svn           3690/udp   # Subversion
...

Next, prepare your SVN repository and configure your svnserve.

# The SVN repository will be placed under /usr/local/repository/svn/test; the repository type is Berkeley DB
$ svnadmin create --fs-type bdb /usr/local/repository/svn/test
# Create an svn user to run the svn service
$ useradd -s /sbin/nologin -d /dev/null svn
$ chown -R svn.svn /usr/local/repository/svn
# Create the svnserve configuration file
$ vi /usr/local/repository/svn/test/conf/svnserve.conf
[general]
password-db = passwd
realm = example realm
anon-access = read
auth-access = write
$ vi /usr/local/repository/svn/test/conf/passwd
[users]
larry = foopasswd
marchday = barpasswd

We edit the svnserve configuration file svnserve.conf so that users are authenticated in CRAM-MD5 mode. The user name and password pairs are stored in the file passwd. Anonymous users can read, and authenticated users can write. In addition, there is a configuration file authz, which can be used to refine the permission control; it is not changed here.
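The settings above can be checked mechanically. The script below is an added example, not part of the original article or of Subversion: it reads the [general] section of a repository's svnserve.conf and reports anonymous write access and a passwd file that group or other can access, since that file holds the passwords in clear text. The function names and the sample repository are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit one repository's svnserve setup.

# Print the value of key $2 from the [general] section of svnserve.conf $1.
conf_get() {
    awk -v key="$2" '
        /^\[/ { in_general = ($0 ~ /^\[general\]/); next }
        !in_general || /^#/ || !/=/ { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print findings for the repository directory $1.
# The exit status is the number of findings (0 means clean).
audit_svnserve_repo() {
    conf="$1/conf/svnserve.conf"
    findings=0
    anon=$(conf_get "$conf" anon-access)
    if [ "$anon" = "write" ]; then
        echo "FINDING: anon-access = write lets unauthenticated clients commit"
        findings=$((findings + 1))
    fi
    pwdb=$(conf_get "$conf" password-db)
    case "$pwdb" in
        "") return "$findings" ;;
        /*) ;;
        *)  pwdb="$1/conf/$pwdb" ;;   # relative to the conf/ directory
    esac
    [ -f "$pwdb" ] || return "$findings"
    # password-db holds cleartext passwords: only its owner should have access.
    mode=$(ls -ld "$pwdb" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FINDING: $pwdb is open to group/other (mode bits: $mode)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: this page's configuration with a mode-644 passwd file.
demo() {
    repo=$(mktemp -d)/test
    mkdir -p "$repo/conf"
    printf '%s\n' '[general]' 'password-db = passwd' 'realm = example realm' \
        'anon-access = read' 'auth-access = write' > "$repo/conf/svnserve.conf"
    printf '%s\n' '[users]' 'larry = foopasswd' > "$repo/conf/passwd"
    chmod 644 "$repo/conf/passwd"
    audit_svnserve_repo "$repo" || echo "findings: $?"
}
demo
```

On a real installation, call audit_svnserve_repo /usr/local/repository/svn/test; with the passwd file owned by the svn user and set to mode 600, the page's configuration produces no findings.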

Svnserve can also be authenticated through SSH, which will be discussed later.

svnserve can be started in two ways: through xinetd (or inetd), or as an independent process.

For the xinetd startup method, you can create a file /etc/xinetd.d/svn with the following content:

service svn
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = svn
        server          = /usr/local/svn/bin/svnserve
        server_args     = -i -r /usr/local/repository/svn
        log_on_failure  += USERID
}

Then run the command service xinetd restart.
For the latter method, you can start svnserve directly with the -d parameter.

$ /usr/local/svn/bin/svnserve -d -r /usr/local/repository/svn

If you check the network service status, you can see that the svn port is being listened on.

$ netstat -la
...
tcp  0  0 *:svn  *:*  LISTEN
...

Let's perform a test: add a project to the repository to see whether svnserve works properly.

$ cd /tmp
$ mkdir svntest
$ cd svntest
$ mkdir {trunk,branches,tags}
$ svn import . file:///usr/local/repository/svn/test/svntest \
    --message "first test project"
Adding         trunk
Adding         branches
Adding         tags
Committed revision 1.
$ svnlook tree /usr/local/repository/svn/test
/
 svntest/
  trunk/
  branches/
  tags/
$ cd ../
$ rm -rf svntest
$ svn checkout svn://localhost/test/svntest
A    svntest/trunk
A    svntest/branches
A    svntest/tags
Checked out revision 1.

OK. It seems that our SVN is working correctly.

(6) Integrate SVN and SSH

Basic principle: when the client uses the svn command with an svn+ssh:// URL, the svn client starts an SSH client process that connects to the remote SSH server, and the remote SSH server then starts the svnserve process in pipe mode. When the SSH session ends, svnserve exits automatically.

So sshd is responsible for the network listening, and svnserve is no different from any ordinary program. svnserve runs as the user who is logged on through SSH, so that user must have permission to access the repository (you can add users to the svn user group).

The client cannot cache the password, so you must enter it every time you commit a change. However, this can be solved with ssh-agent. In addition, it is inconvenient to control how svnserve runs, for example to pass the -r parameter that gives the absolute path of the repository. However, this can be solved by configuring the authorized_users file. For the detailed implementation, refer to the svn documentation. I will not explain it here.

Let's do a test. First disable the svn service in xinetd; if svnserve is running as an independent process, stop it.

$ cp /usr/local/svn/bin/svnserve /usr/bin
$ usermod -G svn marchday
$ chmod 02775 /usr/local/repository/svn/test/db
$ su marchday
$ cd /tmp
$ svn checkout svn+ssh://localhost/usr/local/repository/svn/test/svntest
marchday@'s password:
A    svntest/trunk
A    svntest/branches
A    svntest/tags
Checked out revision 1.

First, we need to copy svnserve to a place where the shell can find it, such as /usr/bin. Then we modify the permissions so that marchday can write to the svn db directory. Finally, we need to use the full path when accessing the repository.

(7) Integrate SVN and Apache

The exciting moment has finally arrived. Here we will configure a secure and easy-to-use SVN version control system. The prerequisite is that steps (2), (3) and (4) above have been completed.

First, modify httpd.conf to ensure that the necessary modules are loaded.

LoadModule dav_module         modules/mod_dav.so
LoadModule dav_svn_module     modules/

Next, you need to expose the path of the repository.

<Location /svn>
  DAV svn
  SVNPath /usr/local/repository/svn/test
</Location>

If you have several repositories to serve, each repository is accessed at a URL like http://, which can be configured as follows:

<Location /svn>
  DAV svn
  SVNParentPath /usr/local/repository/svn
</Location>

Modify the User and Group options so that Apache can access the repository files.

User svn
Group svn

In addition, you may also need to configure ServerName. If you use NameVirtualHost to set up Apache virtual hosts, you may need ServerAlias to specify an additional name. Here ServerName is set to, no virtual host is used, and the listening port is 8080.

As shown below, our WebDAV can work. Let's have a sip of water first. :-)

$ /usr/local/apache2/bin/apachectl start
$ cd /tmp
$ svn checkout http://localhost:8080/svn/test/svntest
A    svntest/trunk
A    svntest/branches
A    svntest/tags
Checked out revision 1.

Next we will add the authentication function to it.

First, add SSL protection: authentication without protection is just as dangerous.

Generate a self-signed certificate:

$ cd /usr/local/apache2
$ mkdir certs
$ cd certs
$ openssl genrsa -des3 -out ca.key 1024                      # generate the private key for the root certificate
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt   # generate the root certificate
$ openssl genrsa -des3 -out server.key 1024                  # generate the private key of the server
$ openssl req -new -key server.key -out server.csr           # generate the server's certificate signing request
$ ../bin/sign.sh server.csr                                  # sign the server certificate and generate server.crt

The script sign.sh is taken from the pkg.distrib directory of the mod_ssl source code; it simplifies the certificate signing process. If you want to set up your own certificate authority, refer to another article about OpenSSL.

Configure conf/ssl.conf to enable SSL support.

SSLCertificateFile /sinaad/apache2/certs/server.crt
SSLCertificateKeyFile /sinaad/apache2/certs/server.key

Then start Apache.

$ /usr/local/apache2/bin/apachectl startssl

Now, you can access your site through HTTPS.

One annoyance is that apachectl startssl asks for the server.key password every time. You can remove the password as follows:

$ cp server.key
$ openssl rsa -in -out server.key
$ chmod 400 server.key

Now, add the basic authentication function to Apache.

$ cd /usr/local/apache2/conf
$ htpasswd -cm svnusers harry
New password: *****
Re-type new password: *****
Adding password for user harry
$ htpasswd -m svnusers sally
New password: *******
Re-type new password: *******
Adding password for user sally

After the password file svnusers is created, modify httpd.conf and ssl.conf. We will move the following section from httpd.conf to .

<Location /svn>
  DAV svn
  SVNParentPath /usr/local/repository/svn
</Location>

Add the Basic Authentication configuration. The final result is as follows:

<Location /svn>
  DAV svn
  SVNParentPath /usr/local/repository/svn
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile conf/svnusers
  Require valid-user
</Location>

Our security now has a basic guarantee: at least the password is not transmitted in plain text over the network. It's easy. The one shortcoming is that the permission control is not fine-grained enough. If you want to control access precisely, continue with the following steps.
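One way to confirm that no Basic-authenticated Location block is still reachable over plain HTTP after this move (an added example, not code from the original article or from Apache): the script below lists such blocks unless they sit in a virtual host with SSLEngine on or carry SSLRequireSSL. The function name and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list <Location> blocks that use Basic auth without SSL.
# Limits: Include directives are not followed; only <Location> is inspected.

find_cleartext_basic_auth() {
    awk '
    FNR == 1 { in_vh = 0; in_loc = 0; npend = 0 }
    { line = $0; sub(/^[ \t]+/, "", line); lc = tolower(line) }
    lc ~ /^#/ { next }
    lc ~ /^<virtualhost/ { in_vh = 1; vh_ssl = 0; npend = 0; next }
    lc ~ /^<\/virtualhost/ {
        # SSLEngine may come after the Location, so decide at the end.
        if (!vh_ssl) for (i = 1; i <= npend; i++) print pend[i]
        in_vh = 0; npend = 0; next
    }
    in_vh && !in_loc && lc ~ /^sslengine[ \t]+on/ { vh_ssl = 1 }
    lc ~ /^<location/ {
        in_loc = 1; basic = 0; req_ssl = 0
        where = FILENAME ":" FNR ": " line; next
    }
    lc ~ /^<\/location/ {
        if (basic && !req_ssl) {
            if (in_vh) pend[++npend] = where
            else print where
        }
        in_loc = 0; next
    }
    in_loc && lc ~ /^authtype[ \t]+basic/ { basic = 1 }
    in_loc && lc ~ /^sslrequiressl/ { req_ssl = 1 }
    ' "$@"
}

# Constructed sample: the Location block left in httpd.conf (plain HTTP on
# port 8080) and the same block inside the SSL virtual host of ssl.conf.
demo() {
    dir=$(mktemp -d)
    loc='<Location /svn>
  DAV svn
  SVNParentPath /usr/local/repository/svn
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile conf/svnusers
  Require valid-user
</Location>'
    printf '%s\n' 'Listen 8080' "$loc" > "$dir/httpd.conf"
    printf '%s\n' '<VirtualHost _default_:443>' 'SSLEngine on' "$loc" \
        '</VirtualHost>' > "$dir/ssl.conf"
    find_cleartext_basic_auth "$dir/httpd.conf" "$dir/ssl.conf"
    rm -rf "$dir"
}
demo
```

Only the httpd.conf copy of the block is reported; an empty result for the real conf/httpd.conf and conf/ssl.conf means every Basic-auth Location found is behind SSL.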

First, we need a permission control file, such as the following:

$ cd /usr/local/apache2/conf
$ vi svnauthz
[test:/svntest]
harry = rw
* = r

Here we allow harry to read and write the svntest project of the test repository. Others (including anonymous users) can only read.
Then, modify httpd.conf and enable authz_svn_module. This module is built when Subversion is compiled. Now our httpd.conf is as follows:

...
LoadModule dav_module         modules/mod_dav.so
LoadModule rewrite_module     modules/mod_rewrite.so
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/

Modify ssl.conf as follows:

<Location /svn>
  DAV svn
  SVNParentPath /usr/local/repository/svn
  AuthzSVNAccessFile conf/svnauthz
  # try anonymous access first, resort to real
  # authentication if necessary.
  Satisfy Any
  Require valid-user
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile conf/svnusers
</Location>

The Satisfy Any setting means that any user can access the service. Require valid-user means that the user has to authenticate only when necessary. In effect, this hands the access decision over to authz_svn_module. For details about how Apache exchanges user authentication information with modules, refer to O'Reilly's classic Writing Apache Modules with Perl and C. Now, the permission control function is very powerful.

(8) WebDAV and Auto Versioning

The standard for WebDAV is RFC 2518. Its basic goal is to turn the Web into a read/write medium. It has no version control; the version control specification is RFC 3253, that is, DeltaV, but few vendors implement it.

mod_dav_svn emulates DeltaV and does not fully comply with the DeltaV specification. Its role is to carry out the actual file operations behind mod_dav requests. An exciting feature is auto versioning: the version number is incremented automatically when a new version is submitted.

The SVN 1.2 documentation says that to enable auto versioning, SVNAutoversioning on must be set in the Apache configuration, and that for some clients a hook script must reject commits with a file length of 0. I installed SVN 1.3. It seems that SVNAutoversioning is set to on by default, and that it effectively avoids the repeated commit (the first PUT has a body of length 0, the second PUT carries the real file). This has been tested with Network Neighborhood, Dreamweaver and Microsoft Office 2000. If Berkeley DB gets locked along the way, run the following commands to solve the problem.

$ /usr/local/apache2/bin/apachectl stop
$ svnadmin recover /usr/local/repository/svn/test
$ chown -R svn.svn /usr/local/repository/svn/test
$ /usr/local/apache2/bin/apachectl startssl

Our SVN configuration journey has come to an end. If you still want more, keep digging into the other materials.


Subversion official recommended book
O'Reilly, Network Security with OpenSSL
Apache 2.0.55 manual
