Subversion Svnserve service startup and configuration

Source: Internet
Author: User
Tags svn client

Svnserve is a lightweight server that communicates with clients using a custom protocol over TCP/IP.
Clients access the svnserve server through URLs beginning with svn:// or svn+ssh://.

Start the server

Port monitoring (inetd) mode

If you plan to use port monitoring (inetd) to launch the processes that handle client requests, start svnserve with the -i parameter:

svnserve -i

When started with the -i parameter, svnserve communicates with the client over stdin and stdout using its custom protocol. The service listens on port 3690 at the same time.

Standalone port monitoring process

Use the -d parameter to start the service as a standalone port monitoring (daemon) process.

svnserve -d

When running svnserve in standalone port monitoring mode, you can use the --listen-port= and --listen-host= parameters to set the port and host name to listen on. The default port in this mode is 3690.

There is also a third way to start svnserve: "tunnel mode", selected with the -t parameter. This mode relies on a remote service program such as rsh or ssh to authenticate the user and then start an svnserve process that runs as that already-authenticated user. When providing service in this mode, make sure the user account that svnserve runs under has read/write permission on the repository.

Set up the project directory

When svnserve starts, it exposes all repositories to the network, and a client that wants the contents of a repository must specify the repository's absolute path. For example, for a repository stored at the file path
C:/project Repository/project1
the client must specify the absolute path when accessing it:
svn://host/c:/project Repository/project1
For added privacy, you can use the -r parameter to specify the directory whose repositories should be exposed; the user then only needs to give the repository name. For the repository above, start the service as follows:
svnserve -d -r "C:/project Repository"
The client then uses
svn://host/project1
to get the data.

Built-in authentication and authorization

When a client connects to an svnserve process, the following sequence is triggered:
1. The client selects a specific repository;
2. The server processes the repository's configuration file, conf/svnserve.conf, and begins enforcing the authentication and authorization policies defined in it;
3. Depending on the situation and the authorization policy:
a) the client may be allowed anonymous access without authentication, or
b) the client may be required to authenticate at any time, or
c) in tunnel mode, the client declares that it has already been authenticated externally.

As stated above, the file in question is named svnserve.conf and is placed in the conf directory.
Now let's look at how to configure this file.
This configuration file is in the conf directory under the repository directory, and it has two sections:
[general]
[users]
The configuration entries for [general] are:
anon-access = read
auth-access = write
These state what authenticated and unauthenticated users may do. The possible values are read, write, and none.

The contents of the [users] section are:
USERNAME = PASSWORD
password-db = passwd
realm = My First Repository
These give the password for each user name, or specify a relative or absolute path to the file that stores the user names and passwords, and set the authentication realm of the repository. If two repositories have the same authentication realm, they should use the same password database, and vice versa. The default realm is the path to the current repository, relative to the root directory of the server's repositories.

Svnserve configuration example
Svnserve is a lightweight server that ships with SVN. Clients access the svnserve server with URLs prefixed with svn:// or svn+ssh://, which gives remote access to the SVN repository.

Svnserve can define users and passwords through configuration files and control repository access by path. This article analyzes the svnserve configuration file format in detail and explains how to use the configuration files to control access rights to the repository.


1) Svnserve configuration file overview

The svnserve configuration typically consists of the following 3 text files:
The SVN service configuration file, which is in the conf directory under the repository directory and is named svnserve.conf.
The user name password file, whose name is specified in svnserve.conf and defaults to passwd in the same directory.
The permission profile, whose name is also specified in svnserve.conf and defaults to authz in the same directory.

2) SVN service configuration file

The SVN service configuration file is the file conf/svnserve.conf in the repository directory. The file consists of only one configuration section, [general].

The format of a configuration line in the [general] section is as follows:
<configuration item> = <value>

There are the following 5 configuration items:

anon-access Controls the access that unauthenticated users have to the repository. Valid values are "write", "read" and "none".
"write" means readable and writable, "read" means read-only, and "none" means no access.
Default value: read

auth-access Controls the access that authenticated users have to the repository. Valid values are "write", "read" and "none".
"write" means readable and writable, "read" means read-only, and "none" means no access.
Default value: write

password-db Specifies the name of the user name password file. Unless an absolute path is specified, the file location is
relative to the conf directory.
Default value: passwd

authz-db Specifies the name of the permission profile, through which path-based access control can be implemented.
Unless an absolute path is specified, the file location is relative to the conf directory.
Default value: authz

realm Specifies the authentication domain of the repository, which is the authentication domain name shown in the login prompt. If two repositories
have the same authentication domain, it is recommended that they use the same user name password file.
Default value: a UUID (Universally Unique IDentifier).

Note on the repository authentication domain
When an SVN client accesses the svnserve server and the user is required to log in, the prompt looks like this:
[root@test root]# svn list svn://192.168.3.45/test
Authentication realm: 0d545a49-4038-0410-99b4-c66dc73f754e
Password for 'root':
The string displayed after "Authentication realm:" on the second line above is the authentication domain name. If you do not set the authentication domain in the configuration file, the prompt shows a UUID, as above.
If the following configuration item is specified in the configuration file:
realm = test
the SVN client prompt becomes:
[root@test root]# svn list svn://192.168.3.45/test
Authentication realm: test
Password for 'root':

Example 1: The SVN service configuration file conf/svnserve.conf is as follows:
[general]
anon-access = none
auth-access = write
password-db = ../../conf/passwd
authz-db = ../../conf/authz
realm = test

This configuration file gives unauthenticated users no access to the repository; authenticated users can read and write the repository; the user name password file is "../../conf/passwd", relative to the repository's conf directory; the permission profile is "../../conf/authz", relative to the repository's conf directory; and the repository's authentication domain is "test".

3) User name password file

The user name password file is specified by the svnserve.conf configuration item password-db and defaults to passwd in the conf directory. The file consists of only one configuration section, [users].

The format of a configuration line in the [users] section is as follows:
<user name> = <password>
Note: The password in the configuration line is stored as clear text, without any processing.

Example 2: The user name password file conf/passwd is as follows:
[users]
admin = admin
thinker = 123456

The file defines two users, with the user names "admin" and "thinker". The password of user "admin" is "admin", and the password of user "thinker" is "123456".
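
An audit of the two files described in sections 2 and 3, as an added example that is not part of the original article or of Subversion itself: it reports anonymous access left enabled (including by omission, since anon-access defaults to read) and weak clear-text passwords. The function name audit, the COMMON list, the min_len threshold and the sample file contents are assumptions constructed for illustration.

```python
import configparser

# Constructed sample files, modelled on Examples 1 and 2 (not from a real server).
SVNSERVE_CONF = """\
[general]
auth-access = write
password-db = passwd
realm = test
"""
PASSWD = """\
[users]
admin = admin
thinker = 123456
builder = tR7#qLw9!zKe2
"""
COMMON = {"123456", "12345678", "password", "admin", "svn"}  # tiny illustrative list

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                 # keep user names case-sensitive
    cp.read_string(text)
    return cp

def audit(conf_text, passwd_text, min_len=10):
    """Return findings for one repository's svnserve.conf and passwd file."""
    findings = []
    conf = parse(conf_text)
    general = dict(conf["general"]) if conf.has_section("general") else {}
    # A missing item falls back to its default, so an absent anon-access means "read".
    anon = general.get("anon-access", "read").strip().lower()
    if anon != "none":
        findings.append(f"anon-access is '{anon}': unauthenticated users can {anon}")
    users = parse(passwd_text)
    for user, pw in (users["users"].items() if users.has_section("users") else ()):
        if pw.lower() == user.lower():
            findings.append(f"{user}: password equals the user name")
        elif pw.lower() in COMMON:
            findings.append(f"{user}: password is on the common-password list")
        elif len(pw) < min_len:
            findings.append(f"{user}: password shorter than {min_len} characters")
    return findings
```

The findings name the user but never echo the password, so the report can be shared more widely than the passwd file itself.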

4) Permission profile

The permission profile is specified by the svnserve.conf configuration item authz-db and defaults to authz in the conf directory. The file consists of a [groups] configuration section and any number of repository path permission sections.

The format of a configuration line in the [groups] section is as follows:
<user group> = <user list>
The user list consists of user groups or user names separated by commas ","; a user group is referenced with the prefix "@" (for example, the user group "all" is referenced with the string "@all").

The section name format for a repository path permission section is as follows:
[<repository name>:<path>]
For example, the section name for path /tmp in repository abc is "[abc:/tmp]".
The repository name can be omitted from the section name. If it is omitted, the section controls access to the same path in all repositories. For example, the section named "[/tmp]" controls access to the directory "/tmp" in every repository that references this permission profile.

There are three types of configuration lines in a repository path permission section:
<user name> = <permissions>
<user group> = <permissions>
* = <permissions>
Here "*" means any user. The permission value is '', 'r' or 'rw': '' means no permission on the repository path, 'r' means read-only permission, and 'rw' means read and write permission.
Note: Each configuration line can configure only a single user or a single user group.

Example 3: The contents of the permission profile conf/authz are as follows:
[groups]
g_admin = admin,thinker

[admintools:/]
@g_admin = rw
* =

[test:/home/thinker]
thinker = rw
* = r

The configuration file above defines a user group "g_admin", which contains the users "admin" and "thinker". It then defines 2 repository path permission sections. In repository "admintools", only the user group "g_admin" can read and write, and other users have no permissions; in repository "test", only the user "thinker" has read and write permission on the path "/home/thinker", and other users have read permission only.
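
A small evaluator for the permission profile format above, added here as an illustration and not taken from the original article or from Subversion's source. It assumes Subversion's documented lookup order (the nearest path section that mentions the user, the named repository's section before the all-repository one, no access when nothing matches); the function names, the [/docs] section and the sample data are constructed.

```python
import configparser

# Constructed sample: the Example 3 rules plus one all-repository section.
AUTHZ = """\
[groups]
g_admin = admin,thinker
[admintools:/]
@g_admin = rw
* =
[test:/home/thinker]
thinker = rw
* = r
[/docs]
* = r
"""

def members(groups, name, seen=()):
    """Expand a group to user names, following nested @group references."""
    users = set()
    for item in filter(None, (i.strip() for i in groups.get(name, "").split(","))):
        if not item.startswith("@"):
            users.add(item)
        elif item[1:] not in seen:                      # guard against cycles
            users |= members(groups, item[1:], seen + (name,))
    return users

def access(authz_text, repo, path, user):
    """Return '', 'r' or 'rw' for user on repo:path (simplified model)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                                # names are case-sensitive
    cp.read_string(authz_text)
    groups = dict(cp["groups"]) if cp.has_section("groups") else {}
    parts = [p for p in path.split("/") if p]
    while True:
        cur = "/" + "/".join(parts)
        for section in (f"{repo}:{cur}", cur):          # named repository first
            if not cp.has_section(section):
                continue
            perms = [p for who, p in cp[section].items()
                     if who in ("*", user)
                     or (who[:1] == "@" and user in members(groups, who[1:]))]
            if perms:                                   # this section mentions the user
                return "".join(c for c in "rw" if any(c in p for p in perms))
        if not parts:
            return ""                                   # nothing matched: no access
        parts.pop()
```

Running candidate authz changes through a resolver like this before saving them is useful because, as the summary notes, the files take effect as soon as they are written.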

5) Summary

This article has described the 3 configuration files of the svnserve program in detail. Through these 3 files, the SVN administrator can set the user names and passwords for the svnserve service and the access rights to repository paths. Changes to these files take effect as soon as they are saved and do not require a restart of the svnserve service.
It should be emphasized that the configuration files described in this article apply only to the svnserve service, that is, to clients that connect through URLs prefixed with svn:// or svn+ssh://; they do not apply to URLs prefixed with http://, https://, or file:///.

Official parameter description

Svnserve
When svnsync is used against a remote source repository, Subversion's custom network protocol is used.

Svnserve lets Subversion repositories be accessed over the SVN network protocol. You can run svnserve as a standalone server process, or have another process start it for you, such as inetd or xinetd (also for svn://), or sshd for the svn+ssh:// access method.

Once the client has selected a repository by passing its URL, svnserve reads the conf/svnserve.conf file in the repository directory to determine the repository-specific settings, such as which authentication database to use and which authorization policy to apply. For more information about the svnserve.conf file, see the "Svnserve, a custom Server" section.

Svnserve options
Unlike the commands described earlier, svnserve has no subcommands; svnserve is controlled entirely by options.

--daemon (-d)
Causes svnserve to run in daemon mode: svnserve backgrounds itself and accepts and serves TCP/IP connections on the SVN port (default 3690).

--listen-port=port
Causes svnserve to listen on port when running in daemon mode. (FreeBSD daemons listen only on tcp6 by default; this option tells them to listen on tcp4.)

--listen-host=host
Causes svnserve to listen on host, which may be a hostname or an IP address.

--foreground
When used together with -d, causes svnserve to stay in the foreground. It is used primarily for debugging.

--inetd (-i)
Causes svnserve to use the standard input/standard output file descriptors, as is appropriate when inetd acts as the daemon.

--help (-h)
Displays a usage summary and the options.

--version
Displays the version information and the list of available repository back-end modules.

--root=root (-r=root)
Sets the virtual root for the repositories served by svnserve. The path in the URL provided by the client is interpreted relative to this root, and the client is not allowed to leave this root.

--tunnel (-t)
Causes svnserve to run in tunnel mode, which is much like the inetd mode of operation (both modes serve one connection over standard input/standard output), except that the connection is considered pre-authenticated with the user name of the current UID. This option is passed automatically when the client runs over a tunnel agent such as SSH, which means you rarely need to pass it to svnserve yourself. So if you find that you have typed svnserve --tunnel on the command line and want to know what to do next, see the "SSH Tunnel" section.

--tunnel-user NAME
Used in conjunction with the --tunnel option. Tells svnserve to assume that NAME is the authenticated user, rather than the UID of the svnserve process. This is useful when multiple users share the same system account over SSH but need to keep their own commit identities.

--threads (-T)
When running in daemon mode, causes svnserve to spawn a thread instead of a process for each connection. The svnserve process itself still goes into the background at startup.

--listen-once (-X)
Causes svnserve to accept one connection on the SVN port, serve it, and exit. This option is used primarily for debugging.
