Context Navigation

Changes between Version 58 and Version 59 of Download/SCDB

Timestamp:: Sep 15, 2008, 10:33:45 PM (17 years ago)
Author:: /O=GRID-FR/C=FR/O=CNRS/OU=LAL/CN=Michel Jouvin
Comment:: Rewrite Apache/SVN configuration parts

Legend:

: Unmodified
: Added
: Removed
: Modified

Download/SCDB

-              v58
+              v59
 Recommended setting for these 3 areas are :
  * Restrict access to profile and Kickstart configuration to IP adresses (or subnets) matching Quattor clients, as these files may contain sensitive information like encrypted passwords or MySQL passwords (cleartext).
+ * Configure all these areas to ignore any `index.html` file and auto-indexing. This is particularly important for RPM repositories URLs, as presence of an `index.html` will prevent SCDB tools to get the list of RPMs in the repository. Recommended settings for these areas are :
+{{{
+ * Configure all these areas to ignore any `index.html` file and auto-indexing. This is particularly important for RPM repositories URLs, as presence of an `index.html` will prevent SCDB tools to get the list of RPMs in the repository.
+Configuration for these areas is normally done by creating a file `/etc/httpd/conf.d/quattor.conf` with directives like the following one for each area (replace `/path/to/area` by your actual directoy name) :
+{{{
+<Directory /path/to/area>
     Options Indexes
     DirectoryIndex VeryUnlikelyDirectoryIndex.none
     AllowOverride None
+}}}
+== Subversion Server ==
+There is no need for a Subversion server dedicated to Quattor. SCDB is just one repository from the Subversion point of view. If you already run a Subversion server, you can skip the installation part and go directly to the configuration part.
+=== Subversion installation ===
+There are many possible installation options for a Subversion server. The best is to install it as Apache module, anyway. There is no requirement for the Subversion server to run on a Linux machine, even if it is the installation option documented here. You can even choose to use a Subversion server outside of your site, if you think the network connection is good enough.
+If you need to install a Subversion server, the easiest is to install Apache and then retrieve the RPMs for Subversion from [http://subversion.tigris.org/project_packages.html Subversion site]. Don't forget to install the Apache module which is in a separate RPM.
+After installing, you have to configure the Subversion server. Look at Quattor installation guide on [http://quattor.org Quattor] web site.
+Quick setup:
+{{{
+# Create SVN repository
+mkdir -p /var/svn/quattor
+svnadmin create /var/svn/quattor
+# Fetch the quattor specific post-commit hook
+wget  --no-check-certificate "https://trac.lal.in2p3.fr/Quattor/browser/trunk/src/hooks/post-commit?format=raw" -O /var/svn/quattor/hooks/post-commit
+# Quattor deployment scripts (used by post-commit svn hook)
+mkdir -p /root/quattor/scripts
+wget  --no-check-certificate "https://trac.lal.in2p3.fr/Quattor/browser/trunk/src/hooks/build-tag.pl?format=raw" -O /root/quattor/scripts/build-tag.pl
+}}}
+These scripts require some configuration files that will be created during [wiki:Download/SCDB#QuattorServerFinalconfiguration final configuration].
+Quattor tools access SVN repository through {{{http(s):}}} method (not {{{file:}}}), thus it is necessary to install and configure Apache {{{mod_dav_svn}}} module.
+The SVN repository should belong to the identity that run the web server:
+{{{
+chown -R apache:apache /var/svn/quattor
+}}}
+=== Apache for subversion and package service ===
+Files  {{{/etc/httpd/conf.d/subversion.conf}}} and  {{{/etc/httpd/conf.d/ssl.conf}}} (if using ssl) have to be edited and configured.
+In {{{/etc/http/conf/httpd.conf}}}, you may have to add the following lines to avoid a bug in the http interface of the rpm client.
+</Directory>
+}}}
+It is also better to add the following directive in our `/etc/httpd/conf.d/quattor.conf` to work around a problem in some RPM versions:
 {{{
 <IfModule mod_setenvif.c>
   BrowserMatch "rpm/.*" nokeepalive force-response-1.0
 </IfModule>
+}}}
+''Note: if you are installing a new Apache server, don't forget to edit `DocumentRoot` in `/etc/httpd/conf/httpd.conf` to reflect your local configuration.`
+== Subversion Server ==
+There is no need for a Subversion server dedicated to Quattor. SCDB is just one repository from the Subversion point of view. If you already run a Subversion server, you can skip the installation part and go directly to the configuration part.
+=== Subversion Installation and Configuration ===
+There are many possible installation options for a Subversion server. The best is to install it as Apache module, anyway. There is no requirement for the Subversion server to run on a Linux machine, even if it is the installation option documented here. You can even choose to use a Subversion server outside of your site, if you think the network connection is good enough.
+If you need to install a Subversion server, the easiest is to install Apache using YUM. Another option is to retrieve the RPMs for Subversion from [http://subversion.tigris.org/project_packages.html Subversion site]. Don't forget to install the Apache module which is in a separate RPM.
+A typical SVN installation with YUM is:
+{{{
+yum install subversion mod_dav_svn
+}}}
+After installing, you have to configure the Subversion server. Refer to [http://subversion.tigris.org Subversion web site] for details. Configuration the SVN server typically involves:
+ * Creation of directory which will contain the Quattor repository (this example uses `/var/svn`):
+{{{
+mkdir -p /var/svn
+}}}
+ * Create Subversion repository that will be used for Quattor SCDB (don't forget to '''backup this directory'''):
+{{{
+svnadmin create /var/svn/quattor
+# Repository must be owned by Apache account
+chown -R apache:apache /var/svn/quattor
+}}}
+Apache SVN module configuration (`/etc/httpd/conf.d/subversion.conf`) must be edited to configure URL used by SVN. A typical example, based on previously created repository (adjust paths to reflect your configuration) is:
+{{{
+<Location /svn>
+   DAV svn
+   SVNParentPath /var/svn
+   AuthzSVNAccessFile security/svn-repositories-access
+   AuthType        Basic
+   AuthUserFile    security/passwd
+   AuthGroupFile   security/group
+   AuthName        "Grid Tutorial SVN server"
+   # Limit write permission to list of valid users.
+   <LimitExcept GET PROPFIND OPTIONS REPORT>
+      # Require SSL connection for password protection.
+      # SSLRequireSSL
+      Require valid-user
+   </LimitExcept>
+</Location>
+}}}
+To configuration SVN authentication for SCDB repository, you need to create one or more accounts in `/etc/httpd/security/passwd`. You can use `htpasswd` or `openssl passwd -apr1` to generate an encrypted password.
+You also need to define SVN ACLs in `/etc/httpd/security/svn-repositories-access`. A typical file to start is (it assumes the account you created is called `quattormgr`, if this is a list it must be comma separated):
+{{{
+[groups]
+quattor-mgrs = quattormgr
+[/]
+* = r
+@quattor-mgrs = rw
 }}}
 …
 }}}
 Then, initial checkout will be:
 {{{
 svn checkout https://svn.server.tld/svn/quattor/
+Then, you can do the initial checkout with (this will create a `scdb` sub-directory of you current directory):
+{{{
+svn checkout https://svn.server.tld/svn/quattor/trunk scdb
 }}}
 …
 === Installation of hook script and server script ===
+{{{
+# Fetch the quattor specific post-commit hook
+wget  --no-check-certificate "https://trac.lal.in2p3.fr/Quattor/browser/trunk/src/hooks/post-commit?format=raw" -O /var/svn/quattor/hooks/post-commit
+# Quattor deployment scripts (used by post-commit svn hook)
+mkdir -p /root/quattor/scripts
+wget  --no-check-certificate "https://trac.lal.in2p3.fr/Quattor/browser/trunk/src/hooks/build-tag.pl?format=raw" -O /root/quattor/scripts/build-tag.pl
+}}}
 The hook script, [source:SCDB/tags/pro/src/hooks/post-commit post-commit], is provided as part of SCDB, in the `src/hooks` directory. It must be installed on your Subversion server, in the `hook` directory of the repository, and given executable permission for Apache user. This script requires a configuration file `/etc/quattor-deploy.conf`, see SCDB [wiki:Doc/SCDB/Server server-side customizations] for details.
 …
 For more details about these scripts and their customization, see the page on SCDB [wiki:Doc/SCDB/Server server-side customizations].
 === Creation of Ssh Keys ===
+=== Creation of SSH Keys ===
 Currently, deployment of new version of the templates is done by the hook script triggered by `ant deploy` executing the server script `build-tag.pl` through ssh. There is no way to enter a password at this time, thus ssh must be configured in such a way that the Apache account on the Subversion server can do a ssh connection as root on the Quattor server, without password. The easiest is to use ssh keys to do that.