svnserve on RHEL - shawfdong/hyades GitHub Wiki
The goal is to set up svnserve for svn repository access using the svn network protocol on a server running RHEL or one of the clones (CentOS and Scientific Linux). We'll configure svnserve to use the Cyrus Simple Authentication and Security Layer (SASL) library for authentication and encryption if the svn client is built with the SASL library (e.g., those on most of the popular Linux distros), and to fall back on the built-in CRAM-MD5 mechanism for authentication (but no encryption) if the client is not built with the SASL library (e.g., the stock svn client on Mac OS X).
1. Check the capabilities of the server and clients
The server (server.example.com) is a Linux box running Scientific Linux 6.2 (a RHEL clone). The RPM package subversion provides both the svn client and svnserve. Let's check their capabilities:
[root@server ~]# svn --version
* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
[root@server ~]# svnserve --version
Cyrus SASL authentication is available.
Good! Both the svn client and svnserve on the Linux box are built with the Cyrus SASL library. However, the stock svn client on Mac OS X is not:
dong@bigmac:~$ /usr/bin/svn --version
* ra_svn : Module for accessing a repository using the svn network protocol.
  - handles 'svn' scheme
Thus, the stock svn client on Mac OS X only supports the built-in CRAM-MD5 authentication. It does not support encryption either, so passwords will be transmitted in plain text!
2. Create the svn group and user
[root@server ~]# groupadd -g 502 svn
[root@server ~]# useradd -c "SVN" -d /var/svn -g 502 -u 502 -s /sbin/nologin -M svn
3. Create a svn repository on the server
[root@server ~]# mkdir -p /var/svn
[root@server ~]# cd /var/svn
[root@server ~]# svnadmin create repos
[root@server ~]# chown -R svn:svn /var/svn/
4. Enable svnserve as an xinetd service
Create an xinetd configuration file (/etc/xinetd.d/svn) for svnserve (the service will run as user svn):
# description: svnserve allows access to Subversion repositories using
#              the svn network protocol.
service svn
{
    disable     = no
    port        = 3690
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = svn
    server      = /usr/bin/svnserve
    server_args = -i -r /var/svn/repos
}
5. Enable SASL for svnserve
Modify the svnserve configuration (/var/svn/repos/conf/svnserve.conf) to enable SASL:
[general]
anon-access = none
auth-access = write
### If SASL is enabled, this file will NOT be used.
password-db = passwd
# authz-db = authz
### The default realm is repository's uuid.
# realm = SVN_on_HPC

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
Since the svn client on Mac OS X does not support encryption, we have to set min-encryption to 0; but the Linux svn client will use max-encryption of 256. SASL provides a myriad of authentication mechanisms. Here we choose the DIGEST-MD5 mechanism for clients with SASL support, and CRAM-MD5 as a fallback for clients without SASL support.
Make sure the RPM package cyrus-sasl-md5 has been installed on the Linux box:
[root@server ~]# rpm -q cyrus-sasl-md5
cyrus-sasl-md5-2.1.23-8.el6.x86_64
Create the file /etc/sasl2/svn.conf, with the following content:
### /etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/svn_sasldb
mech_list: DIGEST-MD5 CRAM-MD5
Populate the private password database /etc/svn_sasldb, using the program saslpasswd2 to add or modify usernames and passwords in the database:
[root@server ~]# saslpasswd2 -c -f /etc/svn_sasldb -u realm username
Here realm is the realm defined in /var/svn/repos/conf/svnserve.conf, which is by default the repository's uuid. We can get the uuid with:
[root@server ~]# cat /var/svn/repos/db/uuid
Don't forget to change the owner of the password database; otherwise the svnserve service won't be able to read it.
[root@server ~]# chown svn:svn /etc/svn_sasldb
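The settings chosen in this step can be checked with a small audit script. This is an added example, not part of the original page or of Subversion; the function names `conf_get`, `audit_svnserve` and `audit_sasldb` are made up here, unset keys are assumed to take svnserve's defaults, and only the literal value `true` used on this page is treated as enabling SASL.

```shell
#!/bin/sh
# Added example, not from the original page: audit the files configured in step 5.

# conf_get FILE SECTION KEY: print KEY's value from [SECTION]; empty if unset.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }                                # comment line
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }   # section header
        cur == sec {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_svnserve CONF: print one WARN line per weak setting; return 1 if any.
audit_svnserve() {
    rc=0
    # Unset keys fall back to svnserve defaults (anon-access=read, min-encryption=0).
    anon=$(conf_get "$1" general anon-access); anon=${anon:-read}
    sasl=$(conf_get "$1" sasl use-sasl);       sasl=${sasl:-false}
    min=$(conf_get "$1" sasl min-encryption);  min=${min:-0}
    [ "$anon" = none ] || { echo "WARN anon-access=$anon: unauthenticated access allowed"; rc=1; }
    [ "$sasl" = true ] || { echo "WARN use-sasl=$sasl: no SASL encryption layer offered"; rc=1; }
    # 0 = no security layer, 1 = integrity checksums only; both leave data readable.
    [ "$min" -gt 1 ]   || { echo "WARN min-encryption=$min: unencrypted sessions accepted"; rc=1; }
    return $rc
}

# audit_sasldb FILE OWNER: warn unless FILE is owned by OWNER with no group/other bits.
audit_sasldb() {
    rc=0
    mode=$(ls -ld "$1" | cut -c5-10)            # group+other part of e.g. -rw-r-----
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$mode" = "------" ] || { echo "WARN $1: group/other bits set ($mode)"; rc=1; }
    [ "$owner" = "$2" ]    || { echo "WARN $1: owned by $owner, expected $2"; rc=1; }
    return $rc
}

# Constructed sample: the [general]/[sasl] values from this page's svnserve.conf.
sample=$(mktemp)
printf '%s\n' '[general]' 'anon-access = none' 'auth-access = write' \
    '[sasl]' 'use-sasl = true' 'min-encryption = 0' 'max-encryption = 256' > "$sample"
audit_svnserve "$sample" || echo "svnserve.conf: findings above"
rm -f "$sample"
```

On the server from this page, the same checks would be run as `audit_svnserve /var/svn/repos/conf/svnserve.conf` and `audit_sasldb /etc/svn_sasldb svn`.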
6. Restart xinetd
[root@server ~]# service xinetd restart
We can test that svnserve is up and running, using the humble telnet:
username@server:~$ telnet localhost 3690
Trying ::1...
Connected to localhost.
Escape character is '^]'.
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops depth log-revprops partial-replay ) ) )
This article only covers serving an SVN repository using svnserve. Another popular option is to use the Apache web server (along with the mod_dav_svn module), for which a good guide is available on the CentOS Wiki.
To learn more about svn, I highly recommend the excellent free book Version Control with Subversion.