Category: Project management

2008-05-02 11:23:36

Copyright 2006 Ben Suter - bsuter at stanfordalumni dot org -

Step-by-Step instructions for running a Subversion repository under Windows

(with remote access)

(without installing the Apache web server)

This page provides step-by-step instructions, illustrated with screenshots along the way, for setting up a Subversion repository under Windows XP. It includes optional instructions to make the repository available via remote access and includes various useful security precautions. I performed these steps, in this order, twice, on two separate Windows XP computers. The first time through, I documented the process as I went. The second time through, I simply followed my own instructions and kept track of time spent. This process takes about 20 minutes.

Install Subversion

Download the subversion installer for Windows from: http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=91

These instructions pertain to the 1.4.0 stable release of Subversion. I chose to download the following Windows executable: svn-1.4.0-setup.exe

Download SVN

Run the installer. Choose where to install. The default is Program Files\Subversion, but I will change this to C:\SVN.

Install SVN

I opened a command prompt and typed svnadmin; it responded by telling me that "svnadmin help" will show usage info. So it is already in my path. Good.

Create a folder to hold your repositories. I want a single folder to hold any repos: C:\svn-repos

For now that is all, later I will create a "code" sub-folder within that to hold my first repository.

UPDATE: The svnservice download page pictured below may no longer be available. I am making the zip file that I originally downloaded available myself here:

UPDATE: Note that as of the 1.4.0 release of Subversion, it is possible to run svnserve as a Windows service without any additional wrapper. If you decided to install Subversion 1.4.0 (or more recent), then perhaps you can follow these instructions for setting up a Windows service:

UPDATE: If you wish to follow such a shortcut for setting up a 1.4.0+ version of Subversion as a Windows service, without need of a wrapper, here is the command that I believe is appropriate for this guide - enter it all as one line without breaks at the Windows command prompt. Thank you to Dan Panzer for his help with this:
sc create "SVNService" binpath= "\"C:\Program Files\Subversion\bin\svnserve.exe\" --service -r C:\svn-repos" displayname= "SVNService" depend= Tcpip start= auto

Let us carry on assuming that you will be using the SVNService wrapper for svnserve, provided by clanlib.org and available as described above.

Download SVNService

Extract the zip file. It includes all the sources, which you don't need. Just take the SVNService.exe file and copy it into Subversion's bin directory: C:\SVN\bin

SVNService zip contents

Open a command prompt and run svnservice.exe in order to install an svnserve daemon as a Windows service. I also include parameters to customize the root directory from which svnserve will serve the repository. I want to hide the full path to the repos.

svnservice -install -d -r C:\svn-repos

SVNService command line installation

Now we want to make sure that the Subversion service runs automatically when the computer turns on.

Control Panel -> Administrative Tools

Windows Administrative Tools

Computer Management

Windows Computer Management

Double-click the SVNService entry and then from the General tab select "Automatic" as the "Startup type".

SVNService service properties

Then click "Start" to start it for the first time.

The default settings in the installer should be fine.

Install TortoiseSVN

The installer says you need to restart, but I found that I could proceed without doing so.

Now we need to choose a directory that will contain the repository, i.e. the database of versioned content and configuration information. I will create a repository called "code" within the C:\svn-repos directory. This folder name will appear as part of the URL used to access the repository.

Navigate to the desired repository directory (for me, C:\svn-repos\code). In Windows Explorer, right-click on the directory and choose the option to "Create a Repository" there.

Windows Explorer - create SVN repository

The following dialog will open, allowing you to choose the repository format. Choose FSFS (fuzzfuzz).

Choose repository format
Repository created - success

And the repository directory now looks like this:

Windows Explorer - repository contents

IMPORTANT: The README.txt file has the following good advice:

"This is a Subversion repository; use the 'svnadmin' tool to examine it. Do not add, delete, or modify files here unless you know how to avoid corrupting the repository."

Confirm local repository access

Let's check whether the repository is being served by svnserve. Open a command prompt and type: svn info svn://localhost/code (or change the path part if you named your repository differently)

Command prompt - svn info output

Looks good. We'll also confirm that TortoiseSVN can see this repository. Right-click on the repository folder and choose the Repo-browser option.

Windows Explorer shell - TortoiseSVN menu

The repository browser appears, like this:

TortoiseSVN - Repository browser

Note that the URL field reads "file:///C:/svn-repos/code". TortoiseSVN is using "local repository access" for this view. To verify that it works with svnserve, try changing the URL field to "svn://localhost/code" - you should see the same contents as with the local access method.

Enable and confirm remote repository access

Now we will try to connect from a different computer, over the network, to our newly created Subversion server. For this you will need to know the IP address or fully qualified host name of the server where we just installed Subversion. In a command prompt, type "ipconfig" to see the IP address.

Command prompt - ipconfig output

To connect to Subversion on this computer over the network from a different computer, we need to make sure that the TCP port used by svnserve is not blocked by a firewall. If you are using the Windows software firewall, here are steps to open up the necessary port. If you are using different firewall software, or a hardware firewall, this procedure will be different.

IMPORTANT: You should be aware that modifying the firewall rules to permit remote Subversion access is a potential security risk for this server.

Control Panel -> Security Center -> Manage Security Settings for: Windows Firewall

Exceptions tab -> Add a Port

Firewall exceptions - add a port

Name: Subversion Remote Access (or whatever you want)
Port number: 3690
TCP

Note: If only a limited set of computers requires remote access, and you know the IP address of each such computer, you can choose the "Change Scope" button (before hitting OK above) and improve the security situation somewhat. The options are "any computer" (default), "my network/subnet only", or "custom list only" (a set of IP addresses or IP address ranges).

Firewall exceptions - change scope

OK out of the port dialogs. In the Windows Firewall -> Exceptions tab you should now see "Subversion Remote Access" in the list of Programs and Services that are NOT blocked by the firewall.

Let's test this from a different computer, over the network. On some other computer with network access, install TortoiseSVN, open Windows Explorer, right-click on any folder, and choose the "Repo-Browser" command from the TortoiseSVN menu. You will be prompted to enter the URL of the repository. The URL in this case should look something like this: svn://xxx.yy.xx.yy/code, where you provide the IP address of the server, or else the fully qualified hostname.

Repository URL

Click OK and you should see the Repository Browser view, again showing an empty "code" repository. If you are not able to remotely access the repository in this way (perhaps the Repository Browser times out, etc.) the most likely problem at this point is a lack of network connection between the client computer and svnserve running on the server computer. First make sure that the client can ping the server, then check for any firewalls that could be blocking the traffic, etc.

Run svnserve from a low-privilege Windows user account

As a further security precaution, we will set up a dedicated Windows user account that will be used to run the svnserve daemon. Our aim is to give this user account just enough permission to successfully run svnserve, and nothing else.

You can choose any user name, but feel free to follow my example. I created a user called "svnserve".

Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users

Right-click -> New User

Enter appropriate options, including a strong password. When done, the properties view of the svnserve user should look like this:

Windows User properties for svnserve - general tab

In the MemberOf tab, remove any groups:

Windows User properties for svnserve - member tab

Windows XP by default has "simple file sharing" enabled. This means that there is no "Security" tab when you view a folder's properties dialog. To disable the "simple" interface, in Windows Explorer, go to the Tools menu, then "Folder Options", then the "View" tab, then uncheck the "Use simple file sharing" option under Advanced settings:

Windows folder options - view tab

In Windows Explorer, right-click the "C:\svn-repos" directory and open the properties dialog. Choose the Security tab. Click the "Add" button.

Enter "svnserve" into the text area and use the "Check Names" button to verify that the new user created above is recognized. Then click "OK".

Select users or groups - svnserve

Back in the Security tab, select the svnserve user and select the "Full Control" checkbox in the "Allow" column. Make sure that these permissions propagate to the existing repository and all its files.

Folder security properties

Now the svnserve user account should have full access to the C:\svn-repos directory and anything below it. Since we made sure that the svnserve user account is NOT a member of any built-in groups, it should not have access to anything else.

Next, modify the SVNService properties so that it runs using the svnserve restricted Windows user account that we created above.

SVNService service properties

Stop the service, then restart it. Re-open a TortoiseSVN repository browser on this server and make sure it works. Do the same from a client computer, over the network. If both of these checks succeed, we will now restart the server.

Once the server computer has restarted, open the Repository Browser again from a client computer and verify that the Subversion repository remains remotely accessible.

We now have a reasonably secure Subversion server with a single empty repository, called "code". The repository provides read-only access for remote users via the "svn" (svnserve) protocol, and read/write access for local users using the "file" (local access) protocol.

Create Subversion user accounts for write access

To provide write access to the "code" repository for remote users, we need to create Subversion user accounts. In the Subversion installation directory there is a sub-directory called "conf", which contains a file called svnserve.conf - that's where we'll adjust access controls:

Make a copy of this file and rename it as svnserve.conf.original, in case you ever need to go back to the original default settings.

Repository conf folder contents

We will
- disallow all anonymous (unauthenticated) access
- allow read and write access for authenticated users
- define some initial user accounts
- name the authentication realm for this repository

The svnserve.conf file should have the following settings:

[general]
anon-access = none
auth-access = write
password-db = accounts
realm = Some text to identify the authentication realm

If you have multiple repositories but want to share user accounts across them, you can have each use the same realm; then authenticating against one repository is sufficient to access the others, approximately.

Create a file called accounts, next to the svnserve.conf file in the "conf" directory. Open this file in a text editor and specify user names and passwords using the following scheme:

[users]
harry = harryspassword
sally = sallyspassword

Repository conf folder contents

Save the modified svnserve.conf and the new accounts file and open a Repository Browser. This time you should be prompted for a username and password. Specify one of the accounts you defined in the accounts file and you should be able to connect successfully. If not, make sure that the value of the password-db setting in the svnserve.conf file matches the filename (and relative path) of the file containing the username = password pairs. In my case I called this file "accounts", but you can call it anything you like (the default seems to be "passwd").
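The checks described above can be automated. The following is an added example, not part of the original guide or of Subversion: a small Python audit of one svnserve.conf that flags a misspelled option, anonymous access left enabled, and a password-db value that does not match a file in the conf directory. The function name, the list of known options and the sample inputs are constructed for illustration.

```python
import configparser

# [general] options this guide uses (Subversion 1.3/1.4 era); the list is an assumption
KNOWN_KEYS = {"anon-access", "auth-access", "password-db", "authz-db", "realm"}

def audit_svnserve_conf(conf_text, conf_dir_files):
    """Return a list of findings for one repository's svnserve.conf.

    conf_dir_files maps file names in the same conf directory to their text,
    so the check runs offline on constructed input.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        cp.read_string(conf_text)
    except configparser.MissingSectionHeaderError:
        return ["settings appear before a [general] section header"]
    if not cp.has_section("general"):
        return ["no [general] section"]
    general = cp["general"]
    findings = [f"unrecognised option '{k}'" for k in general if k not in KNOWN_KEYS]
    # svnserve's defaults are anon-access = read and auth-access = write
    if general.get("anon-access", "read") != "none":
        findings.append("anonymous access is not disabled")
    pw = general.get("password-db")
    if not pw:
        findings.append("password-db is not set")
    elif pw not in conf_dir_files:
        findings.append(f"password-db file '{pw}' not found")
    elif "[users]" not in conf_dir_files[pw]:
        findings.append(f"'{pw}' has no [users] section")
    return findings

# Constructed inputs: the settings from this guide, then the same file with a misspelled key.
GOOD = """[general]
anon-access = none
auth-access = write
password-db = accounts
realm = Example realm
"""
TYPO = GOOD.replace("password-db", "passwd-db")
ACCOUNTS = {"accounts": "[users]\nharry = harryspassword\n"}

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("typo", TYPO)):
        print(label, audit_svnserve_conf(text, ACCOUNTS))
```

A password-db value that contains a relative path would need to be resolved against the conf directory before the lookup; the example only handles a bare file name.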

Fine-grained access controls using "authz"

As of the 1.3 version of Subversion, you have the ability to specify per-user access controls with much more detail than what we have done so far. I have found that the official documentation does not, at the time of this writing, cover the new functionality directly. In the svnserve.conf file you will see a setting called "authz-db"; by default this is not enabled. You can point this setting to a text file containing per-user path-based access control directives using the same syntax as used for the "mod_authz_svn" module available when running Subversion over Apache. The following section of the Subversion documentation discusses the format used in the authz-db configuration file:

For example, you could give "harry" read and write access to the source of a 1.0 release of a spreadsheet application, but only let "sally" read from that portion of the repository:

[projects:/spreadsheet/tags/release-1.0]
harry = rw
sally = r

The release notes for version 1.3 discuss this functionality briefly:

Without using "authz" functionality, authorization can be specified as none/read/write for anonymous/authenticated users and applies to the entire repository equally.

With "authz", authorization can be specified as none/read/write for anonymous and individual users and for individual portions of the repository, based on hierarchical path patterns. When would you use "authz"? For example, if you maintain multiple projects within a single repository and not all users should have write access to all projects. Or if you want to make sure that a tagged release cannot be modified by anyone, or only by a release manager, etc. If you need per-user, path-based access controls, refer to the above-mentioned section of the official documentation.
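To make the hierarchical behaviour concrete, here is an added example (not from the original guide and not Subversion's own code): a simplified Python model that resolves a user's effective access from an authz file for the "code" repository and "example" project of this guide. The rule set, the release-manager account "rita" and the function name are constructed; groups, aliases and special tokens are not modelled.

```python
import configparser

# Constructed authz file: everyone listed may write to the repository,
# tags are read-only except for the release manager "rita" (made-up account),
# and the release-1.0 tag is frozen for everybody.
AUTHZ = """
[code:/]
* =
harry = rw
sally = rw
rita = rw

[code:/example/tags]
harry = r
sally = r
rita = rw

[code:/example/tags/release-1.0]
* = r
"""

def effective_access(authz_text, repo, user, path):
    """Return '', 'r' or 'rw' for user on path (simplified model)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str              # keep user names case-sensitive
    cp.read_string(authz_text)
    parts = [p for p in path.split("/") if p]
    # Walk from the path itself up to the root; the nearest section that
    # names the user (or '*') decides, and deeper rules override shallower ones.
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        for section in (f"{repo}:{candidate}", candidate):
            if not cp.has_section(section):
                continue
            rights = [v for k, v in cp.items(section) if k in (user, "*")]
            if rights:
                merged = "".join(rights)
                return ("r" if "r" in merged else "") + ("w" if "w" in merged else "")
    return ""                         # no rule matched: no access

if __name__ == "__main__":
    for user, path in (("harry", "/example/trunk/src/main.c"),
                       ("harry", "/example/tags/release-1.0"),
                       ("rita", "/example/tags/release-2.0"),
                       ("mallory", "/example/trunk")):
        print(user, path, repr(effective_access(AUTHZ, "code", user, path)))
```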

Populate the repository with initial content

You are free to organize your repository content in any way you like, depending on how many projects you will host within a single repository, whether there are inter-project dependencies, etc. One common convention is to create a folder to contain all content related to a given project, and to create separate sub-folders for the "trunk" (current development code line), "branches" and "tags". The official Subversion documentation covers this topic in some detail:

There are a number of ways to populate the repository with an initial directory structure and initial source code. Here I will briefly describe one way that I find particularly simple and effective, a combination approach using TortoiseSVN's repository browser to create the high-level structure, and the Import command for the initial source content.

In Windows Explorer, on any folder, right-click and choose the TortoiseSVN->Repo-browser command from the context menu.

In the Repository Browser, first make sure that you are looking at the appropriate repository root (provide the URL as above if necessary). Then right-click on the root folder and choose the "Create folder ..." command. When prompted, provide a name for the project in question (in my case, I chose "example").

In the same way, create three sub-folders of this new project folder: trunk, branches, and tags

Your repository browser view should now display the desired folder hierarchy for managing your version-controlled files. The next step is to populate the repository with your initial content. It is strongly recommended that you review the content with respect to folder structure and file naming prior to the initial import. In addition, you should remove any generated content (such as compiled .class files or object files) or other build artifacts, as one usually only keeps the pure source code under version control.

Note that the initial import is just that - it will populate the repository with the content you specify. It will NOT put the local content (that you chose to import) under Subversion's control, i.e. it will not create a local working copy for you. That is something you may do as an additional step, using the TortoiseSVN "SVN Checkout" command, in a directory of your choosing.

In Windows Explorer, right-click on the folder containing your initial content and choose the TortoiseSVN->Import command. Note that only the contents of the selected folder, NOT the folder itself, will be imported.

In the Import dialog, you must specify the target location within the repository, which in this case should be the "trunk" folder that you just created. You also can supply a log message to describe this initial set of files.

More information on the Import command is available in section 5.2 of the TortoiseSVN help documentation.


