##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

fixes issue #206
marcink -
r1392:00b8fca6 beta
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,558 +1,559 b''
1 1 .. _setup:
2 2
3 3 Setup
4 4 =====
5 5
6 6
7 7 Setting up RhodeCode
8 8 --------------------------
9 9
10 10 First, you will need to create a RhodeCode configuration file. Run the
11 11 following command to do this::
12 12
13 13 paster make-config RhodeCode production.ini
14 14
15 15 - This will create the file `production.ini` in the current directory. This
16 16 configuration file contains the various settings for RhodeCode, e.g proxy
17 17 port, email settings, usage of static files, cache, celery settings and
18 18 logging.
19 19
20 20
21 21 Next, you need to create the databases used by RhodeCode. I recommend that you
22 22 use sqlite (default) or postgresql. If you choose a database other than the
23 23 default ensure you properly adjust the db url in your production.ini
24 24 configuration file to use this other database. Create the databases by running
25 25 the following command::
26 26
27 27 paster setup-app production.ini
28 28
29 29 This will prompt you for a "root" path. This "root" path is the location where
30 30 RhodeCode will store all of its repositories on the current machine. After
31 31 entering this "root" path ``setup-app`` will also prompt you for a username
32 32 and password for the initial admin account which ``setup-app`` sets up for you.
33 33
34 34 - The ``setup-app`` command will create all of the needed tables and an admin
35 35 account. When choosing a root path you can either use a new empty location,
36 36 or a location which already contains existing repositories. If you choose a
37 37 location which contains existing repositories RhodeCode will simply add all
38 38 of the repositories at the chosen location to it's database. (Note: make
39 39 sure you specify the correct path to the root).
40 40 - Note: the given path for mercurial_ repositories **must** be write accessible
41 41 for the application. It's very important since the RhodeCode web interface
42 42 will work without write access, but when trying to do a push it will
43 43 eventually fail with permission denied errors unless it has write access.
44 44
45 45 You are now ready to use RhodeCode, to run it simply execute::
46 46
47 47 paster serve production.ini
48 48
49 49 - This command runs the RhodeCode server. The web app should be available at the
50 50 127.0.0.1:5000. This ip and port is configurable via the production.ini
51 51 file created in previous step
52 52 - Use the admin account you created above when running ``setup-app`` to login
53 53 to the web app.
54 54 - The default permissions on each repository is read, and the owner is admin.
55 55 Remember to update these if needed.
56 56 - In the admin panel you can toggle ldap, anonymous, permissions settings. As
57 57 well as edit more advanced options on users and repositories
58 58
59 59 Try copying your own mercurial repository into the "root" directory you are
60 60 using, then from within the RhodeCode web application choose Admin >
61 61 repositories. Then choose Add New Repository. Add the repository you copied
62 62 into the root. Test that you can browse your repository from within RhodeCode
63 63 and then try cloning your repository from RhodeCode with::
64 64
65 65 hg clone http://127.0.0.1:5000/<repository name>
66 66
67 67 where *repository name* is replaced by the name of your repository.
68 68
69 69 Using RhodeCode with SSH
70 70 ------------------------
71 71
72 72 RhodeCode currently only hosts repositories using http and https. (The addition
73 73 of ssh hosting is a planned future feature.) However you can easily use ssh in
74 74 parallel with RhodeCode. (Repository access via ssh is a standard "out of
75 75 the box" feature of mercurial_ and you can use this to access any of the
76 76 repositories that RhodeCode is hosting. See PublishingRepositories_)
77 77
78 78 RhodeCode repository structures are kept in directories with the same name
79 79 as the project. When using repository groups, each group is a subdirectory.
80 80 This allows you to easily use ssh for accessing repositories.
81 81
82 82 In order to use ssh you need to make sure that your web-server and the users
83 83 login accounts have the correct permissions set on the appropriate directories.
84 84 (Note that these permissions are independent of any permissions you have set up
85 85 using the RhodeCode web interface.)
86 86
87 87 If your main directory (the same as set in RhodeCode settings) is for example
88 88 set to **/home/hg** and the repository you are using is named `rhodecode`, then
89 89 to clone via ssh you should run::
90 90
91 91 hg clone ssh://user@server.com/home/hg/rhodecode
92 92
93 93 Using other external tools such as mercurial-server_ or using ssh key based
94 94 authentication is fully supported.
95 95
96 96 Note: In an advanced setup, in order for your ssh access to use the same
97 97 permissions as set up via the RhodeCode web interface, you can create an
98 98 authentication hook to connect to the rhodecode db and runs check functions for
99 99 permissions against that.
100 100
101 101 Setting up Whoosh full text search
102 102 ----------------------------------
103 103
104 104 Starting from version 1.1 the whoosh index can be build by using the paster
105 105 command ``make-index``. To use ``make-index`` you must specify the configuration
106 106 file that stores the location of the index, and the location of the repositories
107 107 (`--repo-location`).Starting from version 1.2 it is
108 108 also possible to specify a comma separated list of repositories (`--index-only`)
109 109 to build index only on chooses repositories skipping any other found in repos
110 110 location
111 111
112 112 You may optionally pass the option `-f` to enable a full index rebuild. Without
113 113 the `-f` option, indexing will run always in "incremental" mode.
114 114
115 115 For an incremental index build use::
116 116
117 117 paster make-index production.ini --repo-location=<location for repos>
118 118
119 119 For a full index rebuild use::
120 120
121 121 paster make-index production.ini -f --repo-location=<location for repos>
122 122
123 123
124 124 building index just for chosen repositories is possible with such command::
125 125
126 126 paster make-index production.ini --repo-location=<location for repos> --index-only=vcs,rhodecode
127 127
128 128
129 129 In order to do periodical index builds and keep your index always up to date.
130 130 It's recommended to do a crontab entry for incremental indexing.
131 131 An example entry might look like this::
132 132
133 133 /path/to/python/bin/paster /path/to/rhodecode/production.ini --repo-location=<location for repos>
134 134
135 135 When using incremental mode (the default) whoosh will check the last
136 136 modification date of each file and add it to be reindexed if a newer file is
137 137 available. The indexing daemon checks for any removed files and removes them
138 138 from index.
139 139
140 140 If you want to rebuild index from scratch, you can use the `-f` flag as above,
141 141 or in the admin panel you can check `build from scratch` flag.
142 142
143 143
144 144 Setting up LDAP support
145 145 -----------------------
146 146
147 147 RhodeCode starting from version 1.1 supports ldap authentication. In order
148 148 to use LDAP, you have to install the python-ldap_ package. This package is
149 149 available via pypi, so you can install it by running
150 150
151 151 using easy_install::
152 152
153 153 easy_install python-ldap
154 154
155 155 using pip::
156 156
157 157 pip install python-ldap
158 158
159 159 .. note::
160 160 python-ldap requires some certain libs on your system, so before installing
161 161 it check that you have at least `openldap`, and `sasl` libraries.
162 162
163 163 LDAP settings are located in admin->ldap section,
164 164
165 165 Here's a typical ldap setup::
166 166
167 167 Connection settings
168 168 Enable LDAP = checked
169 169 Host = host.example.org
170 170 Port = 389
171 171 Account = <account>
172 172 Password = <password>
173 173 Connection Security = LDAPS connection
174 174 Certificate Checks = DEMAND
175 175
176 176 Search settings
177 177 Base DN = CN=users,DC=host,DC=example,DC=org
178 178 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
179 179 LDAP Search Scope = SUBTREE
180 180
181 181 Attribute mappings
182 182 Login Attribute = uid
183 183 First Name Attribute = firstName
184 184 Last Name Attribute = lastName
185 185 E-mail Attribute = mail
186 186
187 187 .. _enable_ldap:
188 188
189 189 Enable LDAP : required
190 190 Whether to use LDAP for authenticating users.
191 191
192 192 .. _ldap_host:
193 193
194 194 Host : required
195 195 LDAP server hostname or IP address.
196 196
197 197 .. _Port:
198 198
199 199 Port : required
200 200 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
201 201
202 202 .. _ldap_account:
203 203
204 204 Account : optional
205 205 Only required if the LDAP server does not allow anonymous browsing of
206 206 records. This should be a special account for record browsing. This
207 207 will require `LDAP Password`_ below.
208 208
209 209 .. _LDAP Password:
210 210
211 211 Password : optional
212 212 Only required if the LDAP server does not allow anonymous browsing of
213 213 records.
214 214
215 215 .. _Enable LDAPS:
216 216
217 217 Connection Security : required
218 218 Defines the connection to LDAP server
219 219
220 220 No encryption
221 221 Plain non encrypted connection
222 222
223 223 LDAPS connection
224 224 Enable ldaps connection. It will likely require `Port`_ to be set to
225 225 a different value (standard LDAPS port is 636). When LDAPS is enabled
226 226 then `Certificate Checks`_ is required.
227 227
228 228 START_TLS on LDAP connection
229 229 START TLS connection
230 230
231 231 .. _Certificate Checks:
232 232
233 233 Certificate Checks : optional
234 234 How SSL certificates verification is handled - this is only useful when
235 235 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
236 236 while the other options are susceptible to man-in-the-middle attacks. SSL
237 237 certificates can be installed to /etc/openldap/cacerts so that the
238 238 DEMAND or HARD options can be used with self-signed certificates or
239 239 certificates that do not have traceable certificates of authority.
240 240
241 241 NEVER
242 242 A serve certificate will never be requested or checked.
243 243
244 244 ALLOW
245 245 A server certificate is requested. Failure to provide a
246 246 certificate or providing a bad certificate will not terminate the
247 247 session.
248 248
249 249 TRY
250 250 A server certificate is requested. Failure to provide a
251 251 certificate does not halt the session; providing a bad certificate
252 252 halts the session.
253 253
254 254 DEMAND
255 255 A server certificate is requested and must be provided and
256 256 authenticated for the session to proceed.
257 257
258 258 HARD
259 259 The same as DEMAND.
260 260
261 261 .. _Base DN:
262 262
263 263 Base DN : required
264 264 The Distinguished Name (DN) where searches for users will be performed.
265 265 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
266 266
267 267 .. _LDAP Filter:
268 268
269 269 LDAP Filter : optional
270 270 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
271 271 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
272 272 which LDAP objects are identified as representing Users for
273 273 authentication. The filter is augmented by `Login Attribute`_ below.
274 274 This can commonly be left blank.
275 275
276 276 .. _LDAP Search Scope:
277 277
278 278 LDAP Search Scope : required
279 279 This limits how far LDAP will search for a matching object.
280 280
281 281 BASE
282 282 Only allows searching of `Base DN`_ and is usually not what you
283 283 want.
284 284
285 285 ONELEVEL
286 286 Searches all entries under `Base DN`_, but not Base DN itself.
287 287
288 288 SUBTREE
289 289 Searches all entries below `Base DN`_, but not Base DN itself.
290 290 When using SUBTREE `LDAP Filter`_ is useful to limit object
291 291 location.
292 292
293 293 .. _Login Attribute:
294 294
295 295 Login Attribute : required
296 296 The LDAP record attribute that will be matched as the USERNAME or
297 297 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
298 298 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
299 299 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
300 300 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
301 301 ::
302 302
303 303 (&(LDAPFILTER)(uid=jsmith))
304 304
305 305 .. _ldap_attr_firstname:
306 306
307 307 First Name Attribute : required
308 308 The LDAP record attribute which represents the user's first name.
309 309
310 310 .. _ldap_attr_lastname:
311 311
312 312 Last Name Attribute : required
313 313 The LDAP record attribute which represents the user's last name.
314 314
315 315 .. _ldap_attr_email:
316 316
317 317 Email Attribute : required
318 318 The LDAP record attribute which represents the user's email address.
319 319
320 320 If all data are entered correctly, and python-ldap_ is properly installed
321 321 users should be granted access to RhodeCode with ldap accounts. At this
322 322 time user information is copied from LDAP into the RhodeCode user database.
323 323 This means that updates of an LDAP user object may not be reflected as a
324 324 user update in RhodeCode.
325 325
326 326 If You have problems with LDAP access and believe You entered correct
327 327 information check out the RhodeCode logs, any error messages sent from LDAP
328 328 will be saved there.
329 329
330 330 Active Directory
331 331 ''''''''''''''''
332 332
333 333 RhodeCode can use Microsoft Active Directory for user authentication. This
334 334 is done through an LDAP or LDAPS connection to Active Directory. The
335 335 following LDAP configuration settings are typical for using Active
336 336 Directory ::
337 337
338 338 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
339 339 Login Attribute = sAMAccountName
340 340 First Name Attribute = givenName
341 341 Last Name Attribute = sn
342 342 E-mail Attribute = mail
343 343
344 344 All other LDAP settings will likely be site-specific and should be
345 345 appropriately configured.
346 346
347 347 Setting Up Celery
348 348 -----------------
349 349
350 350 Since version 1.1 celery is configured by the rhodecode ini configuration files.
351 351 Simply set use_celery=true in the ini file then add / change the configuration
352 352 variables inside the ini file.
353 353
354 354 Remember that the ini files use the format with '.' not with '_' like celery.
355 355 So for example setting `BROKER_HOST` in celery means setting `broker.host` in
356 356 the config file.
357 357
358 358 In order to start using celery run::
359 359
360 360 paster celeryd <configfile.ini>
361 361
362 362
363 363 .. note::
364 364 Make sure you run this command from the same virtualenv, and with the same
365 365 user that rhodecode runs.
366 366
367 367 HTTPS support
368 368 -------------
369 369
370 370 There are two ways to enable https:
371 371
372 372 - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will
373 373 recognize this headers and make proper https redirections
374 - Alternatively, set `force_https = true` in the ini configuration to force
374 - Alternatively, set the `force_https = true` in the ini configuration to force
375 375 using https, no headers are needed than to enable https
376 376
377 377
378 378 Nginx virtual host example
379 379 --------------------------
380 380
381 381 Sample config for nginx using proxy::
382 382
383 383 server {
384 384 listen 80;
385 385 server_name hg.myserver.com;
386 386 access_log /var/log/nginx/rhodecode.access.log;
387 387 error_log /var/log/nginx/rhodecode.error.log;
388 388 location / {
389 389 root /var/www/rhodecode/rhodecode/public/;
390 390 if (!-f $request_filename){
391 391 proxy_pass http://127.0.0.1:5000;
392 392 }
393 393 #this is important if you want to use https !!!
394 394 proxy_set_header X-Url-Scheme $scheme;
395 395 include /etc/nginx/proxy.conf;
396 396 }
397 397 }
398 398
399 399 Here's the proxy.conf. It's tuned so it will not timeout on long
400 400 pushes or large pushes::
401 401
402 402 proxy_redirect off;
403 403 proxy_set_header Host $host;
404 404 proxy_set_header X-Host $http_host;
405 405 proxy_set_header X-Real-IP $remote_addr;
406 406 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
407 407 proxy_set_header Proxy-host $proxy_host;
408 408 client_max_body_size 400m;
409 409 client_body_buffer_size 128k;
410 410 proxy_buffering off;
411 411 proxy_connect_timeout 3600;
412 412 proxy_send_timeout 3600;
413 413 proxy_read_timeout 3600;
414 414 proxy_buffer_size 16k;
415 415 proxy_buffers 4 16k;
416 416 proxy_busy_buffers_size 64k;
417 417 proxy_temp_file_write_size 64k;
418 418
419 419 Also, when using root path with nginx you might set the static files to false
420 420 in the production.ini file::
421 421
422 422 [app:main]
423 423 use = egg:rhodecode
424 424 full_stack = true
425 425 static_files = false
426 426 lang=en
427 427 cache_dir = %(here)s/data
428 428
429 429 In order to not have the statics served by the application. This improves speed.
430 430
431 431
432 432 Apache virtual host example
433 433 ---------------------------
434 434
435 435 Here is a sample configuration file for apache using proxy::
436 436
437 437 <VirtualHost *:80>
438 438 ServerName hg.myserver.com
439 439 ServerAlias hg.myserver.com
440 440
441 441 <Proxy *>
442 442 Order allow,deny
443 443 Allow from all
444 444 </Proxy>
445 445
446 446 #important !
447 447 #Directive to properly generate url (clone url) for pylons
448 448 ProxyPreserveHost On
449 449
450 450 #rhodecode instance
451 451 ProxyPass / http://127.0.0.1:5000/
452 452 ProxyPassReverse / http://127.0.0.1:5000/
453 453
454 454 #to enable https use line below
455 455 #SetEnvIf X-Url-Scheme https HTTPS=1
456 456
457 457 </VirtualHost>
458 458
459 459
460 460 Additional tutorial
461 461 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
462 462
463 463
464 464 Apache as subdirectory
465 465 ----------------------
466 466
467 467 Apache subdirectory part::
468 468
469 469 <Location /<someprefix> >
470 470 ProxyPass http://127.0.0.1:5000/<someprefix>
471 471 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
472 472 SetEnvIf X-Url-Scheme https HTTPS=1
473 473 </Location>
474 474
475 Besides the regular apache setup you will need to add the following to your .ini file::
475 Besides the regular apache setup you will need to add the following line
476 into [app:main] section of your .ini file::
476 477
477 478 filter-with = proxy-prefix
478 479
479 480 Add the following at the end of the .ini file::
480 481
481 482 [filter:proxy-prefix]
482 483 use = egg:PasteDeploy#prefix
483 484 prefix = /<someprefix>
484 485
485 486
486 487 then change <someprefix> into your choosen prefix
487 488
488 489 Apache's WSGI config
489 490 --------------------
490 491
491 492
492 493 Example wsgi dispatch script::
493 494
494 495 import os
495 496 os.environ["HGENCODING"] = "UTF-8"
496 497 os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache'
497 498
498 499 # sometimes it's needed to set the curent dir
499 500 os.chdir('/home/web/rhodecode/')
500 501
501 502 from paste.deploy import loadapp
502 503 from paste.script.util.logging_config import fileConfig
503 504
504 505 fileConfig('/home/web/rhodecode/production.ini')
505 506 application = loadapp('config:/home/web/rhodecode/production.ini')
506 507
507 508
508 509 Other configuration files
509 510 -------------------------
510 511
511 512 Some example init.d scripts can be found here, for debian and gentoo:
512 513
513 514 https://rhodecode.org/rhodecode/files/tip/init.d
514 515
515 516
516 517 Troubleshooting
517 518 ---------------
518 519
519 520 :Q: **Missing static files?**
520 521 :A: Make sure either to set the `static_files = true` in the .ini file or
521 522 double check the root path for your http setup. It should point to
522 523 for example:
523 524 /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public
524 525
525 526 |
526 527
527 528 :Q: **Can't install celery/rabbitmq**
528 529 :A: Don't worry RhodeCode works without them too. No extra setup is required.
529 530
530 531 |
531 532
532 533 :Q: **Long lasting push timeouts?**
533 534 :A: Make sure you set a longer timeouts in your proxy/fcgi settings, timeouts
534 535 are caused by https server and not RhodeCode.
535 536
536 537 |
537 538
538 539 :Q: **Large pushes timeouts?**
539 540 :A: Make sure you set a proper max_body_size for the http server.
540 541
541 542 |
542 543
543 544 :Q: **Apache doesn't pass basicAuth on pull/push?**
544 545 :A: Make sure you added `WSGIPassAuthorization true`.
545 546
546 547 For further questions search the `Issues tracker`_, or post a message in the
547 548 `google group rhodecode`_
548 549
549 550 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
550 551 .. _python: http://www.python.org/
551 552 .. _mercurial: http://mercurial.selenic.com/
552 553 .. _celery: http://celeryproject.org/
553 554 .. _rabbitmq: http://www.rabbitmq.com/
554 555 .. _python-ldap: http://www.python-ldap.org/
555 556 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
556 557 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
557 558 .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues
558 559 .. _google group rhodecode: http://groups.google.com/group/rhodecode No newline at end of file
General Comments 0
You need to be logged in to leave comments. Login now