Monday, September 8, 2008

Configuring svn, trac, SSL under Ubuntu

Been working on setting up subversion, with trac and SSL - currently for evaluation purposes.

I’m not a developer at all, and although I respect that you can build everything from src, prefer not to.

Normally CentOS is the Linux distribution I use, but frankly, it’s a hell of a hassle getting the dependencies sorted - quicksilver et al. I do have something running under it, but not especially happy with it. May return to look at it again later.

So, instead I’ve taken a quick look at Ubuntu 8.04 for it - server not desktop edition, so no GUI. In general, the installation and configuration process for this leaves something to be desired. The following *appears* to get it working for me. I’m not claiming it to be optimal or even “correct”. I’m also not looking at configuration of trac and subversion, just getting them installed and available.

The webserver itself (for my purposes) will also require php support, so going to add a bunch more packages for that.

I wish to use SSL to support https

I’m going to place both subversion repositories and trac pages on a separate disk under a /subversion mount.
/subversion/repos - subversion
/subversion/trac - trac

Subversion repositories will be available as
https://localhost/svnrepos/
Trac as
https://localhost/trac/

Trac is anonymous browsing enabled, authentication required for the login option. Subversion should require login anyway - yes, there’s no point having login required in subversion if you allow anonymous for the “browse source” option in trac - this is a test setup. It’s easy to modify the necessary apache directives to require authentication for all of trac.

Standard http pages may still be served out of the default

Firewall enabled, and SSH, http/https only allowed

# Firewall - I like to work with firewalls on at the start/at all times:
sudo ufw enable
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# check it
sudo ufw status 

# get some packages
sudo apt-get install subversion libapache2-svn apache2 python2.4-pysqlite2 python-clearsilver python-subversion

# get trac and install it
wget http://ftp.edgewall.com/pub/trac/trac-0.10.4.tar.gz
tar -xzf trac-0.10.4.tar.gz
cd trac-0.10.4 
sudo python setup.py install

# get some more php related packages
sudo apt-get install libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-imagick php5-mcrypt php5-memcache php5-mhash php5-mysql php5-pspell php5-snmp php5-sqlite php5-xmlrpc php5-xsl

# Ensure relevant modules are loaded
sudo a2enmod ssl
sudo a2enmod php5

# Bounce apache after any changes
sudo /etc/init.d/apache2 restart

# I like to test that pages are being served, and .php is supported at this point

# Deal with SSL.
sudo mkdir /etc/apache2/ssl
sudo apt-get install ssl-cert
sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
	follow the text based wizard

As I want access to be via https only for trac and the repositories, i.e. /svnrepos and /trac, amend /etc/apache2/sites-available/default as follows (following the end of the default VirtualHost directives):

NameVirtualHost *:443
<VirtualHost *:443>
        
SSLEngine on

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM

ScriptAlias /trac /usr/share/trac/cgi-bin/trac.cgi

<Location "/trac">
        SetEnv  TRAC_ENV_PARENT_DIR "/subversion/trac"
</Location>

<LocationMatch "/trac/[^/]+/login">
        AuthType Basic
        AuthName "Trac"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
</LocationMatch>

<Location /svnrepos>
        DAV svn
        SVNParentPath /subversion/repos
        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
</Location>

</VirtualHost>

# /etc/svn-auth-conf2 is the file storing passwords created with 
sudo htpasswd -c -m /etc/svn-auth-conf2 username
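
A check for the vhost above, as an added example that is not part of the original post: `audit_vhost` and `sample_conf` are hypothetical names, and the sample configuration is constructed. It flags `SSLProtocol all` without `-SSLv2`/`-SSLv3` (on the Apache 2.2 series `all` includes SSLv2), cipher strings that admit `MEDIUM` or omit `!aNULL`, and `AuthType Basic` in a vhost that never sets `SSLEngine on`.

```shell
#!/bin/sh
# Added example, not from the original post: flag weak TLS and clear-text
# Basic auth in an Apache vhost file. Output: file:line: finding.
audit_vhost() {
    awk '
    function flag(line, msg) { printf "%s:%d: %s\n", FILENAME, line, msg }
    # Basic auth in a scope that never set SSLEngine on travels in clear text.
    function close_scope(   i) {
        if (!ssl) for (i = 1; i <= nauth; i++)
            flag(auth[i], "AuthType Basic served without SSLEngine on")
        ssl = 0; nauth = 0
    }
    { d = tolower($1) }
    d ~ /^<\/?virtualhost/ { close_scope(); next }
    d == "sslengine" && tolower($2) == "on" { ssl = 1 }
    d == "authtype" && tolower($2) == "basic" { auth[++nauth] = NR }
    d == "sslprotocol" {
        all = 0; no2 = 0; no3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all" || t == "+all") all = 1
            if (t == "-sslv2") no2 = 1
            if (t == "-sslv3") no3 = 1
        }
        if (all && !no2) flag(NR, "SSLProtocol all without -SSLv2")
        if (all && !no3) flag(NR, "SSLProtocol all without -SSLv3")
    }
    d == "sslciphersuite" {
        k = split($2, c, ":"); anon = 0
        for (i = 1; i <= k; i++) {
            if (c[i] ~ /^[+]?(MEDIUM|LOW|EXPORT|EXP)/)
                flag(NR, "SSLCipherSuite admits " c[i] " suites")
            if (c[i] == "!aNULL") anon = 1
        }
        if (!anon) flag(NR, "SSLCipherSuite lacks !aNULL (anonymous suites)")
    }
    END { close_scope() }
    ' "$1"
}
# Constructed sample: port-80 vhost with Basic auth, plus the TLS values from the post.
sample_conf() {
    printf '%s\n' '<VirtualHost *:80>' 'AuthType Basic' '</VirtualHost>' \
        '<VirtualHost *:443>' 'SSLEngine on' 'SSLProtocol all' \
        'SSLCipherSuite HIGH:MEDIUM' 'AuthType Basic' '</VirtualHost>'
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_vhost "$tmp"
rm -f "$tmp"
```

Run it against /etc/apache2/sites-available/default after editing; a configuration using `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5` produces no findings.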

I’m doing all my testing under VMware ESXi, so adding a 2nd disk is easier from a resources perspective. See my principles post for my reasons on a 2nd disk - separate system from data. This 2nd disk will appear as a SCSI disk - in my case /dev/sdb.

Use fdisk to create a partition - again, just accepting the defaults, which as a partition will be /dev/sdb1, and format as ext3

# Create mount point - /subversion and my directories /subversion/repos and /subversion/trac
sudo mkdir /subversion
sudo mkdir /subversion/trac /subversion/repos

# Add entry to /etc/fstab to mount on reboot.

# I create my svn repository in /subversion/repos with :
sudo svnadmin create repositoryname
# I set permissions
sudo chown -R www-data:www-data repositoryname

# I create the trac layout with :
sudo trac-admin repositoryname initenv
# And answer the questions posed
# I set permissions with
sudo chown -R www-data:www-data repositoryname

Saturday, September 6, 2008

Some principles

Some principles which I strongly believe in (no particular order). All common sense, nothing new, nothing unique or inspiring. But things I believe in, and apply to any postings given here - now or in the future.

Never run as administrator/root. There’s really no need. Applications that “require” it, are (in my opinion) broken. Much can be done with RunAs. All can be done with sudo. Just because you don’t know how to do something as a non administrator, doesn’t mean it can’t be done.

Separate data from system. Keep data at least on a separate partition (I never use C: for data in Windows, just system and application installations), and where possible, on a different disk (servers obviously an appropriate RAID level). If you use VMware or any virtualization, the option for separate disks makes it trivial. It means recovery is easier and less stressful.

Servers are not workstations. Production servers do a role. They’re not a plaything. They’re not for casual use or browsing the internet etc. That said, Windows Server 2008 is a nice OS on a laptop.

Backups. Just do it. If it’s part of your job, then there isn’t anything more important to do at that time. If at home, do it. Work out what’s best for you, but do it.

Restores. Backups are useless if you can’t restore from them. Sample restores at least once per week.

Patch. OS has become pretty easy and reliable these days. Now all those apps - office, firefox, thunderbird, real player (use an alternative), quicktime (use an alternative), java (ugh), flash, acroread (use foxit) etc etc. Especially if it’s a plugin for a browser. Patch it.

Firewall. Use them. And when something doesn’t work “because of the firewall”, figure out why and a solution, which isn’t “turn off the firewall.”

Documentation. If this stuff is your job, then you document it. All changes. Don’t care that it’s boring. Don’t care that it’s tedious. Don’t care that you have something else you’d rather do. Document.

Testing. In these days of virtualisation, there’s little excuse for not having a test environment for testing those changes before production.

XTSeminars

If you work in Windows administration, John Craddock and Sally Storey are probably known to you for some of the seminars they have given on Active Directory, and the Active Directory Forestry book.

They’re providing seminars under the title XTSeminars. I hope to be at the Windows Server 2008 one in November. If you have training budget left, haven’t been before and want something deeper than typical Microsoft courses, well worth taking a look at.

Good customer service Vs bad customer service

Good service Vs bad service.

Names withheld.

So, place a work order (fairly small, but in the tens of thousands ballpark) for some kit. It arrives missing one (important) part of the order. Supplier contacted, and a few days later new part is shipped.

Good service. No problem, no query. Warm fuzzy feeling, and I can get on with the necessary work.

Personal order made to company. 4 items, dispatched in 3 lots. 1 “tracking link” which goes to 1 courier. 2 of the 3 lots arrive. Via different couriers. 1 hasn’t arrived. Actually the most expensive component.

Firm contacted via their e-messaging system (their preferred option). No e-mail acknowledgement or record of your submission. Just an on-screen “thanks, we’ll be in touch shortly”.

3 attempts. Not a single reply.

Telephone 3 times. Each time told someone will contact me by phone, by the end of the day. Never received any response.

On 3rd conversation, it was said someone started to look into it the day before. All well and good. But this was 2 weeks after it was initially reported.

4th telephone conversation, I’m told the item had never been dispatched by them. I’ve worked around the need for the component now so, arrange a refund.

Over a week later, no refund received. Contact by phone again. After an interminable wait, get told the item hasn’t been dispatched, and invoice department will need to sort it out.

I await…

The firm in question, I’ve done business with before, with no problems. I’d like to use them again. But it would appear if things don’t go smoothly (and let’s face it, that’s going to happen now and then), then the customer service has been absolutely dreadful, and I couldn’t recommend them to anyone without warning of what it’s like. I certainly wouldn’t use them in my work.

[Update 13/09/08].
So, a further week passes. Still no refund. More telephone conversation. Now, I’m told that they only ever thought it had not been dispatched, and that I hadn’t been promised a refund, that they were looking into it. I’m assured the item will be dispatched, and it’s going to be requested to be delivered on the Tuesday. When asked why no-one had EVER contacted me to update on status, I’m given flannel about internal investigation and maybe we don’t have your correct e-mail address. Even though they managed to send invoice details to it, and I’ve received promo e-mails from them subsequently. At the very least, you INFORM customers. Otherwise you end up in a situation like today, where the customer is getting very irate on the telephone, when being given pitiful excuses.

[Update 24/09/08].
So, I have it. Not entirely as promised. I told them I would be available on the Tuesday to receive the delivery, and was told it would be arranged for that morning. So it didn’t turn up. It did arrive Wednesday when I wasn’t available, and so the courier, rather than the normal take it back to the depot to collect, took it to a post office, that I had to look up on the Internet for the details. So, I collected it on the Thursday - 5 weeks after it was due to have arrived. After 9 attempts to contact - with NO reply or status update ever. So, I now have the SATA controller that I worked around the need for. It’s a good job, on a 5 week wait, that it wasn’t a mission critical part (yes, you’d never let it reach this point). Still, congratulations to s__v__s d__e_t on eventually managing to deliver a part.

Tuesday, September 2, 2008

VCP

So, part of my work at the moment includes virtualisation (yes, with an S) using VMware ESX. A couple of months back, I did one of the official courses. Then a few weeks ago (actually, the day after the VMware Time Bomb issue), I did the exam, and managed to pass.

Today, the certificate was waiting for me at home, so that’s me a VCP now.