基于 svnserve 的服务器

简介

有一些情况下,不能使用Apache作为你的服务器,Subversion包括Svnserve-一个轻型的独立服务器,使用普通TCP/IP连接之上的自定义协议。

In most cases svnserve is easier to setup and runs faster than the Apache based server. And now that SASL support is included it is easy to secure as well.

安装 svnserve

  1. Get the latest version of Subversion from http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=91. Alternatively get a pre-packaged installer from CollabNet at http://www.collab.net/downloads/subversion. This installer will setup svnserve as a Windows service, and also includes some of the tools you need if you are going to use SASL for security.

  2. 如果你已经安装了Subversion,svnserve已经运行,你需要在继续之前把它停下来。

  3. Run the Subversion installer. If you run the installer on your server (recommended) you can skip step 4.

  4. 打开资源管理器,进入Subversion的安装目录(通常是C:\Program Files\Subversion)的bin目录,找到文件svnserve.exeintl3_svn.dlllibapr.dlllibapriconv.dlllibapriutil.dlllibdb*.dlllibeay32.dllssleay32.dll,复制这些文件,或所有bin目录内的文件到你的服务器目录,例如c:\svnserve

运行 svnserve

现在svnserve已经安装了,你需要在你的server运行它,最简单的方法是在DOS窗口或者windows快捷方式输入:

svnserve.exe --daemon

svnserve将会在端口3690等待请求,--daemon选项告诉svnserve以守护进程方式运行,这样在手动终止之前不会退出。

如果你没有创建一个版本库,根据下面的Apache服务器设置指令“配置”一节

为了验证svnserve正常工作,使用TortoiseSVN版本库浏览器来查看版本库。

假定你的版本库位于c:\repos\TestRepo,你的服务器叫做localhost,输入:

svn://localhost/repos/TestRepo

当被版本库浏览器提示输入。

你也可以使用 --root 选项设置根位置来限制访问服务器的目录,从而增加安全性和节约输入 svnserve URL 的时间:

svnserve.exe --daemon --root drive:\path\to\repository\root

以前面的测试为例,svnserve 现在的运行命令为:

svnserve.exe --daemon --root c:\repos

然后在 TortoiseSVN 中我们的版本库浏览器 URL 缩短为:

svn://localhost/TestRepo

注意,当 svnserve 和版本库位于不同分区或盘符时也需要使用 --root 选项。

Svnserve 可以提供任意数量的版本库服务。只要将这些版本库放到你刚才定义的根目录下即可,然后使用相对于根的URL访问它们。

警告

不要创建和访问网络共享上的 Berkeley DB 版本库,它不能存在于一个远程的文件系统,即使是映射到盘符的共享。如果你希望在网络共享使用 Berkeley DB,结果难以预料-你可能会立刻看到奇怪的错误,也有可能几个月之后才发现数据库已经损坏了。

以服务形式运行 svnserve

使用普通用户直接运行 svnserve 通常不是最好的方法。它意味着你的服务器必须有一个用户登录,还要记着重新启动服务器后重新启动 svnserve。最好的方法是将 svnserve 作为 windows 服务运行。从 Subversion 1.4 开始,svnserve 可以安装为 windows 服务。

To install svnserve as a native windows service, execute the following command all on one line to create a service which is automatically started when windows starts.

sc create svnserve binpath= "c:\svnserve\svnserve.exe --service 
    --root c:\repos" displayname= "Subversion" depend= tcpip 
    start= auto

If any of the paths include spaces, you have to use (escaped) quotes around the path, like this:

sc create svnserve binpath= "
    \"C:\Program Files\Subversion\bin\svnserve.exe\"
    --service --root c:\repos" displayname= "Subversion" 
    depend= tcpip start= auto

You can also add a description after creating the service. This will show up in the Windows Services Manager.

sc description svnserve "Subversion server (svnserve)"

注意 sc 的命令行很特殊。在 key= value 对中,key 与 = 之间不能有空格,但是在 value 之前,必须有空格。

提示

Microsoft 现在建议服务程序使用本地服务或网络服务帐户运行,参考 The Services and Service Accounts Security Planning Guide。以本地服务帐户创建服务,需要在上面的例子里追加下面几行。

obj= "NT AUTHORITY\LocalService"

请注意需要给本地服务帐户一些目录的适当权限,包括的 Subversion 和你的版本库,还有所有钩子脚本使用的应用。此帐号的内置组名是"LOCAL SERVICE"。

服务安装完毕后,你需要在服务管理器中启动它(仅此一次;当服务器重启后它会自动启动)。

为了得到更详细的信息,可参考 Windows Service Support for Svnserve

如果你已经使用 SvnService 包装安装了早期的 svnserve,现在想使用内置服务,那么你需要将其从服务中删除(切记先停止服务!)。使用简单的命令

svnservice -remove

即可删除服务。

Basic Authentication with svnserve

The default svnserve setup provides anonymous read-only access. This means that you can use an svn:// URL to checkout and update, or use the repo-browser in TortoiseSVN to view the repository, but you won't be able to commit any changes.

为了打开对版本库的写访问,你可以编辑版本库目录的conf/svnserve.conf文件,这个文件控制了svnserve守护进程的配置,也提供了有用的文档。

为了打开匿名的写访问,只需要简单得设置:

[general]
anon-access = write

然而,你不会知道谁修改了版本库,因为svn:author属性是空的,你也不能控制谁来修改版本库,这是一个很危险的设置。

解决这个问题的一个方法是创建密码数据库:

[general]
anon-access = none
auth-access = write
password-db = userfile

这里的 userfilesvnserve.conf 文件在同一个目录,这个文件也可以存在于文件系统的其他地方(当多个版本库使用相同的访问权限时尤其有用),可以使用绝对路径,或者是 conf 的相对目录,使用 \ 或盘符不能工作。userfile 的结构如下:

[general]
anon-access = none
auth-access = write
password-db = userfile

这个例子拒绝所有的未认证用户(匿名)访问,给 userfile 中的用户读写权限。

提示

如果使用相同的密码数据库维护多个版本库,使用一个认证域将让用户的工作更加简单,因为 TortoiseSVN 可以缓存你的凭证,所以你只需要输入一次,更多的信息可以参考 Subversion 手册的 创建用户文件和域客户端凭证缓存

使用 SASL 以便更安全

什么是 SASL?

The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and TortoiseSVN client know how to make use of this library.

For a more complete discussion of the options available, you should look at the Subversion book in the section Using svnserve with SASL. If you are just looking for a simple way to set up secure authentication and encryption on a Windows server, so that your repository can be accessed safely over the big bad Internet, read on.

SASL 认证

To activate specific SASL mechanisms on the server, you'll need to do three things. First, create a [sasl] section in your repository's svnserve.conf file, with this key-value pair:

use-sasl = true

Second, create a file called svn.conf in a convenient location - typically in the directory where subversion is installed.

Thirdly, create two new registry entries to tell SASL where to find things. Create a registry key named [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library] and place two new string values inside it: SearchPath set to the directory path containing the sasl*.dll plug-ins (normally in the Subversion install directory), and ConfFile set to the directory containing the svn.conf file. If you used the CollabNet installer, these registry keys will already have been created for you.

Edit the svn.conf file to contain the following:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: C:\TortoiseSVN\sasldb

The last line shows the location of the authentication database, which is a file called sasldb. This could go anywhere, but a convenient choice is the repository parent path. Make sure that the svnserve service has read access to this file.

If svnserve was already running, you will need to restart it to ensure it reads the updated configuration.

Now that everything is set up, all you need to do is create some users and passwords. To do this you need the saslpasswd2 program. If you used the CollabNet installer, that program will be in the install directory. Use a command something like this:

saslpasswd2 -c -f C:\TortoiseSVN\sasldb -u realm username

The -f switch gives the database location, realm must be the same as the value you defined in your repository's svnserve.conf file, and username is exactly what you expect it to be. Note that the realm is not allowed to contain space characters.

You can list the usernames stored in the database using the sasldblistusers2 program.

SASL 加密

To enable or disable different levels of encryption, you can set two values in your repository's svnserve.conf file:

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

The min-encryption and max-encryption variables control the level of encryption demanded by the server. To disable encryption completely, set both values to 0. To enable simple checksumming of data (i.e., prevent tampering and guarantee data integrity without encryption), set both values to 1. If you wish to allow (but not require) encryption, set the minimum value to 0, and the maximum value to some bit-length. To require encryption unconditionally, set both values to numbers greater than 1. In our previous example, we require clients to do at least 128-bit encryption, but no more than 256-bit encryption.

使用 svn+ssh 认证

Another way to authenticate users with a svnserve based server is to use a secure shell (SSH) to tunnel requests through. It is not as simple to set up as SASL, but it may be useful is some cases.

通过此方法,svnserve不会作为守护进程启动,而是SSH为你启动svnserve,以SSH授权用户运行,为此,你需要在你的服务器上有SSH守护进程。

A basic method for setting up your server is given in 附录 G, 用 SSH 使服务器更安全. You can find other SSH topics within the FAQ by searching for “SSH”.

更多的关于svnserve的信息可以看《使用 Subversion 进行版本管理》

svnserve 基于路径的授权

从Subversion1.3开始,svnserve支持与mod_authz_svn相同的路径为基础的授权模式,你需要编辑版本库路径下的conf/svnserve.conf引用的授权文件。

[general]
authz-db = authz

在这里,authz是你创建用来定义访问权限的文件,你可以为每一个版本库使用单独的文件,或者为所有的版本库使用相同的文件,关于此文件的格式可以查看“路径为基础的授权”一节