Tag: apache
Serving SVN repositories
by HidekiAI on Mar.21, 2010, under Technology Opinions
The other day, I was researching options for having the SVN repository and Apache on separate hosts. In one forum, the admin even bluntly responded to a user who had this issue with a simple “there’s no correct way” and a “you shouldn’t even be trying it”. This is one of the reasons why I really hate those holier-than-thou-RTFM admins, but we’ll leave that to another day’s rant and move on to the web-log instead…
The real issue, in my opinion, is that there’s a bit of confusion on the user side: users do not realize the combinations of ways you can serve SVN. Here’s a matrix in hopes of clarifying things. Assumptions made here are:
- Repository directory is located at “/var/svn/myrepos”
- The machine hosting it is “myserver”
- Domain name is “mydomain.tld” (note that even if accessing locally, my example will use the domain name for clarification)
| Server type | Service to run | Examples |
| --- | --- | --- |
| svn based | svnserve | svn list svn://myserver.mydomain.tld/myproject |
| file based | none (possibly samba if mounting it on another host) | svn list file:///var/svn/myrepos/myproject |
| WebDAV based | Apache + DAV modules | svn list https://myserver.mydomain.tld/vhostname/myrepos |
| ssh based | sshd | svn list svn+ssh://myserver.mydomain.tld/var/svn/myrepos/myproject |
Note: In sshd mode, it spawns svnserve upon connection, so you must make sure that you have svnserve working.
So the key part to realize is that when you’re running in WebDAV mode, it is the Apache modules that become the front-end proxy that allows the clients to access the repositories. This is the reason why the repositories have to be located on the same host as Apache, simple as that.
The next issue to point out is why one would want to use http and/or https rather than sshd, svnserve or even samba. In my opinion, file-based is out of the question as a “server”, so we’ll look at the 3 services (yes, I know about inetd, but I don’t think it’s supported on Windows, so I am not considering it – although my servers are Gentoo).
Whether you’re serving for your laptop and desktop in the LAN or serving for your colleagues and groups, it’s about serving to other host machines (otherwise, you’d be using file based and/or git), and the question is whether you want to punch a hole in the router firewall for port 22 (sshd), 80/443 (http/https) or 3690 (svnserve).
It should also be a question of how you want to manage the accounting (sshd=PAM, svnserve=text-file-password or SASL, http=htpasswd-based-text-file) as well as security (https=ssl, svnserve=SASL, sshd=PAM). In my opinion, the decision should be made on how one wants to manage passwords. I personally like PAM, and my sshd is hooked into PAM, which queries LDAP. So my choice is to go with the “svn+ssh://URL” method. The only caveat to the ssh method is that it constantly asks for a password (and you cannot do anonymous read-only; why I’d want to, I don’t know), but that’s OK since my repository is on my dev-box and from the dev-box, I do “file://” anyway. From other boxes (such as my laptop or work) I only need to checkout/update read-only and I rarely edit, so it’s usually a one-time deal…
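One way to confine accounts used for svn+ssh to exactly the svnserve spawn described in the note above, as an added example that is not from the original post: a wrapper run through sshd's ForceCommand, which also works with PAM password logins. The script path, the svnusers group and the sshd_config lines in the comments are assumptions.

```shell
#!/bin/sh
# Added example: wrapper that lets an ssh login do svn+ssh and nothing else.
# Assumed install path (hypothetical): /usr/local/bin/svn-ssh-gate, wired up in
# sshd_config for an assumed group "svnusers":
#   Match Group svnusers
#       ForceCommand /usr/local/bin/svn-ssh-gate
#       AllowTcpForwarding no
#       X11Forwarding no
REPO_ROOT="/var/svn/myrepos"    # repository directory from the post's assumptions

# Given the command the client asked for, print the command to run instead,
# or return 1 to refuse the session.
gate_command() {
    case "$1" in
        "svnserve -t")
            # The svn client asks for exactly this when given an svn+ssh:// URL.
            printf 'svnserve -t -r %s\n' "$REPO_ROOT" ;;
        *)
            # Interactive logins (empty request), scp, sftp, arbitrary commands.
            return 1 ;;
    esac
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND when a
# forced command is in effect. Act only when installed under the assumed name.
if [ "${0##*/}" = "svn-ssh-gate" ]; then
    if cmd=$(gate_command "${SSH_ORIGINAL_COMMAND:-}"); then
        exec $cmd
    fi
    echo "this account is limited to svn+ssh access" >&2
    exit 1
fi
```

With -r in effect, client URLs become relative to the repository root, for example svn+ssh://myserver.mydomain.tld/myproject.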
In any case, once you comprehend and understand its functions, I’m sure one can make better decisions as to how the repositories are to be served. For me, I’ve decided to just have a cron job that runs daily and copies the repositories from my dev-box to my external SSHd server. This way, I have a backup of my repository in case my dev-box hard drive crashes… Alternatively, I could have done the same on my Apache server box, but I went with ssh because that way, both internally and externally, I’ll be using svn+ssh so I won’t get confused. *grin*
Note: After I was satisfied with self-educating all this crazy mess, I’ve switched to git. What makes sense is having it as distributed repositories. And I can push to the web version if and only if I like to. I can also have a cron job that would pull from my dev-box if I care to (but I think I would prefer to push from my dev-box only when I am satisfied and besides, because it is distributed it means that if I need to pull on my laptop, I can pull directly from my dev-box too). But the choices are more flexible. If you have run into a similar issue and are reading my blog, my recommendation is to switch to git and/or mercurial. Search on YouTube for Linus Torvalds’s presentations on git, or read Joel Spolsky’s (final) blog on mercurial. For git, read http://book.git-scm.com/4_setting_up_a_public_repository.html and you can see how easy it is to set up! P/S: On Windows, use msysGit rather than the Cygwin version of git.
Apache2 (VHOST) + OpenSSL
by HidekiAI on Aug.02, 2009, under Technology Opinions
Just recently, there was an update, of what I’ve no clue, but it is happening on both my x86 server and x86_64 dev-box Gentoo… I was down for a few hours with this message in the /var/log/apache2/error_log file:
```
[Sun Aug 02 16:07:53 2009] [info] Init: Initialized OpenSSL library
[Sun Aug 02 16:07:53 2009] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]
```
I first disabled SSL_DEFAULT_VHOST so that I could at least get this blog up and running, and began investigating on my dev-box (non-server) what needs to be looked at. For those who wish to do the same, on Gentoo it means modifying your /etc/conf.d/apache2 and removing the “-D SSL_DEFAULT_VHOST”; you can keep the “-D SSL” because it’s not mod_ssl that is the problem. By the way, if you have a very long APACHE2_OPTS, you can append variables like below and just comment out the ones you are trying to test:
```
## First, setup default (without SSL vhost, but SSL enabled)
APACHE2_OPTS="-e debug -D DEFAULT_VHOST -D INFO -D MANUAL -D STATUS -D SUEXEC -D LANGUAGE -D PHP5 -D ERRORDOCS"

## Now start adding anything else (per app based)
#APACHE2_OPTS="$APACHE2_OPTS "

## Note: If you need MEM_CACHE, you have to enable CACHE
APACHE2_OPTS="$APACHE2_OPTS -D FTPD -D CACHE -D MEM_CACHE -D USERDIR -D DNSBL"

## Enable SSL vhost
## As of Apache 2.2.8 and older, SNI (Server Name Indication) is capable for SSL
APACHE2_OPTS="$APACHE2_OPTS -D SSL -D SSL_DEFAULT_VHOST"

## NOTE: SSL and GNUTLS are _MUTUALLY_EXCLUSIVE_!!! It is either one or the other!
## -D GNUTLS seems to be broken, fails on symbol gnutls_mallor
#APACHE2_OPTS="$APACHE2_OPTS -D GNUTLS -D GNUTLS_DEFAULT_VHOST"

## SVN, you need minimum of:
APACHE2_OPTS="$APACHE2_OPTS -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D DAV_SVN"

## PAM, LDAP and auth
APACHE2_OPTS="$APACHE2_OPTS -D LDAP -D AUTH_LDAP -D AUTHNZ_LDAP -D AUTH_PAM -D VHOST_LDAP -D AUTH_OPENID -D AUTH_MYSQL"

# adding "-D SECURITY" causes blogs to fail because it catches some words it doesn't like and it think I'm injecting it
# you'll need to tweak /etc/apache2/modules.d/mod_security/* to allow pass-throughs
#APACHE2_OPTS="$APACHE2_OPTS -D SECURITY"

## Mailman
APACHE2_OPTS="$APACHE2_OPTS -D MAILMAN"

## Python
APACHE2_OPTS="$APACHE2_OPTS -D PYTHON"
```
This way, you can comment out (using “#”) the lines that are specific to the modules you are debugging.
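The dependency notes in those comments can be checked mechanically. The script below is an added example, not part of the original post; it sources the file the way a shell would and reports violations of the three rules stated in the comments (MEM_CACHE needs CACHE, SSL and GNUTLS are mutually exclusive, SVN needs the listed flags). The function names are made up for this example.

```shell
#!/bin/sh
# Added example: lint the effective APACHE2_OPTS of a Gentoo /etc/conf.d/apache2.

# Print the -D names that are in effect, one per line. The file is sourced in a
# subshell, so commented-out lines and "$APACHE2_OPTS ..." appends are resolved
# by the shell itself rather than by text matching.
effective_defines() (
    case $1 in */*) f=$1 ;; *) f=./$1 ;; esac
    [ -r "$f" ] || exit 2
    unset APACHE2_OPTS
    . "$f" >/dev/null || exit 2
    set -f                          # no globbing while splitting the options
    prev=
    for word in ${APACHE2_OPTS:-}; do
        if [ "$prev" = "-D" ]; then printf '%s\n' "$word"; fi
        prev=$word
    done
)

has() { printf '%s\n' "$defines" | grep -qxF -- "$1"; }

# Report violations of the three rules stated in the config comments.
# Returns 0 when clean, 1 when problems were printed, 2 if the file is unreadable.
lint_apache2_opts() {
    defines=$(effective_defines "$1") || { echo "cannot read $1" >&2; return 2; }
    problems=0
    if has SSL && has GNUTLS; then
        echo "SSL and GNUTLS are both defined (mutually exclusive)"
        problems=$((problems + 1))
    fi
    if has MEM_CACHE && ! has CACHE; then
        echo "MEM_CACHE is defined without CACHE"
        problems=$((problems + 1))
    fi
    if has SVN; then
        for need in SVN_AUTHZ DAV DAV_FS DAV_SVN; do
            if ! has "$need"; then
                echo "SVN is defined without $need"
                problems=$((problems + 1))
            fi
        done
    fi
    [ "$problems" -eq 0 ]
}

# Usage: sh lint-apache2-opts.sh /etc/conf.d/apache2
if [ "$#" -gt 0 ]; then lint_apache2_opts "$1"; fi
```

Because the file is sourced, run it only against a config file you already trust to be executed, such as the root-owned one the init script reads.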
Compiling Apache on Gentoo
by HidekiAI on Nov.26, 2008, under Technology Opinions
I just recently had to re-install Apache2 on this server, a fresh Gentoo install using the 2005 CD (yes, I know, it’s old, I’ve been using Gentoo for a while now). I didn’t want to waste any more CDs to burn (actually, I’ve run out from burning so many Ubuntu) for an x86-based system (my server is Intel based while my dev-system is AMD x86_64, so it’s been a while since I needed an x86 Gentoo CD).
In any case, this server had the bare minimum with a very old kernel (incidentally, the paradox of trying to emerge the latest gentoo-sources kernel requiring udev to be emerged first, yet old kernels cannot be emerged with udev, was a pain in the butt – I did a --skipfirst to force it to skip udev so that I could get the sources, compile the kernel, reboot, then emerge udev again).
When you attempt to emerge apache2, you will be required to install apr and apr-util to compile Apache (same deal with log4cxx). If you go to Apache’s site and investigate the dependencies required for apr, they specifically tell you they have done their best to be standalone and can compile as-is. This is true if you hand-compile it. I was able to compile both apr (first) and apr-util (needs apr’s source to compile) without any issues, but when you try to have emerge build it and install it for you (because I wanted it to be in my ‘world’ database), it errors out with the following:
```
libtool: compile: unable to infer tagged configuration
libtool: compile: specify a tag with `--tag'
```
I thought I had older versions of libtool, etc but no matter what I’ve updated, it will continuously complain about this configuration issue. I’ve even tried compiling the apr/apr-util by hand, let it reside in the /usr/lib path, etc but to no avail.
Finally, I’ve decided to emerge Ant since I know how big they are on using it. It pulled in about 30 dependent projects (because I did emerge --deep to make sure I had all its requirements covered) and then I tried to emerge Apache2 again. Whether it was Ant that did it or some of its dependencies, whatever was needed by ./configure was resolved for apr, and Apache2 compiled without any issues.
Although it’s more maintenance and time-consuming to figure out some of the installations for Gentoo, I still feel most comfortable with Gentoo. One of my servers is Ubuntu Server, I’ve had Fedora as a server once as well, but because I do most of the pre-production experiments on Gentoo first, and just be able to copy the config files over to my servers (because the paths differ from distro to distro) and as we all know, in some cases, you have to mess with so many config files to make things work on Linux (case in point: setting up ldap requires configurations of other services such as kerberos, etc – personally, I think this is why Microsoft is just so much better because installing services such as ActiveDirectory takes less than 30 minutes and it works!).
As mentioned, one of my servers is Ubuntu, but that server is isolated in the sense that it only has one or two purposes, thus I did not have to stress myself over security problems based on bad configurations. I didn’t have to invest too much time on my dev-box to test for problems, transfer and/or mimic the configurations on that server, and if it didn’t work, come back to my dev-box, and back-and-forth.
But when you have to deal with that back-and-forth while experimenting on functionality, it becomes critical that the distros are similar in path structures so that you won’t have to re-edit on the server side to accommodate path differences. Another argument is security holes and upgrades. If you have multiple distros, one distro may have already fixed/patched it but others may still be on hold. Say there was a security problem in sshd, you’ve updated on your dev-box (via emerge) and tried to update your Ubuntu (via apt-get and/or aptitude) and there’s no update yet; you put it to the side and forget to update it for a few days, leaving that server vulnerable.
By the way, in regards to path structures, the argument can be made not just for Linux servers, it can be the same for Microsoft Servers as well. I’m sure we’ve all installed applications on Microsoft O/S where on one system it is in C:\ while on another, it’s on D:\ (and yes, I know about capabilities of being able to mount another drive as a folder on Microsoft, that may solve the issue of having multiple drives but that’s not the point here, the point is that no matter what O/S it is, you can have inconsistencies if you allow it).