##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

Added example wsgi config into docs
marcink -
r1386:5a31d387 beta
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,543 +1,558 b''
1 1 .. _setup:
2 2
3 3 Setup
4 4 =====
5 5
6 6
7 7 Setting up RhodeCode
8 8 --------------------------
9 9
10 10 First, you will need to create a RhodeCode configuration file. Run the
11 11 following command to do this::
12 12
13 13 paster make-config RhodeCode production.ini
14 14
15 15 - This will create the file `production.ini` in the current directory. This
16 16 configuration file contains the various settings for RhodeCode, e.g proxy
17 17 port, email settings, usage of static files, cache, celery settings and
18 18 logging.
19 19
20 20
21 21 Next, you need to create the databases used by RhodeCode. I recommend that you
22 22 use sqlite (default) or postgresql. If you choose a database other than the
23 23 default ensure you properly adjust the db url in your production.ini
24 24 configuration file to use this other database. Create the databases by running
25 25 the following command::
26 26
27 27 paster setup-app production.ini
28 28
29 29 This will prompt you for a "root" path. This "root" path is the location where
30 30 RhodeCode will store all of its repositories on the current machine. After
31 31 entering this "root" path ``setup-app`` will also prompt you for a username
32 32 and password for the initial admin account which ``setup-app`` sets up for you.
33 33
34 34 - The ``setup-app`` command will create all of the needed tables and an admin
35 35 account. When choosing a root path you can either use a new empty location,
36 36 or a location which already contains existing repositories. If you choose a
37 37 location which contains existing repositories RhodeCode will simply add all
38 38 of the repositories at the chosen location to it's database. (Note: make
39 39 sure you specify the correct path to the root).
40 40 - Note: the given path for mercurial_ repositories **must** be write accessible
41 41 for the application. It's very important since the RhodeCode web interface
42 42 will work without write access, but when trying to do a push it will
43 43 eventually fail with permission denied errors unless it has write access.
44 44
45 45 You are now ready to use RhodeCode, to run it simply execute::
46 46
47 47 paster serve production.ini
48 48
49 49 - This command runs the RhodeCode server. The web app should be available at the
50 50 127.0.0.1:5000. This ip and port is configurable via the production.ini
51 51 file created in previous step
52 52 - Use the admin account you created above when running ``setup-app`` to login
53 53 to the web app.
54 54 - The default permissions on each repository is read, and the owner is admin.
55 55 Remember to update these if needed.
56 56 - In the admin panel you can toggle ldap, anonymous, permissions settings. As
57 57 well as edit more advanced options on users and repositories
58 58
59 59 Try copying your own mercurial repository into the "root" directory you are
60 60 using, then from within the RhodeCode web application choose Admin >
61 61 repositories. Then choose Add New Repository. Add the repository you copied
62 62 into the root. Test that you can browse your repository from within RhodeCode
63 63 and then try cloning your repository from RhodeCode with::
64 64
65 65 hg clone http://127.0.0.1:5000/<repository name>
66 66
67 67 where *repository name* is replaced by the name of your repository.
68 68
69 69 Using RhodeCode with SSH
70 70 ------------------------
71 71
72 72 RhodeCode currently only hosts repositories using http and https. (The addition
73 73 of ssh hosting is a planned future feature.) However you can easily use ssh in
74 74 parallel with RhodeCode. (Repository access via ssh is a standard "out of
75 75 the box" feature of mercurial_ and you can use this to access any of the
76 76 repositories that RhodeCode is hosting. See PublishingRepositories_)
77 77
78 78 RhodeCode repository structures are kept in directories with the same name
79 79 as the project. When using repository groups, each group is a subdirectory.
80 80 This allows you to easily use ssh for accessing repositories.
81 81
82 82 In order to use ssh you need to make sure that your web-server and the users
83 83 login accounts have the correct permissions set on the appropriate directories.
84 84 (Note that these permissions are independent of any permissions you have set up
85 85 using the RhodeCode web interface.)
86 86
87 87 If your main directory (the same as set in RhodeCode settings) is for example
88 88 set to **/home/hg** and the repository you are using is named `rhodecode`, then
89 89 to clone via ssh you should run::
90 90
91 91 hg clone ssh://user@server.com/home/hg/rhodecode
92 92
93 93 Using other external tools such as mercurial-server_ or using ssh key based
94 94 authentication is fully supported.
95 95
96 96 Note: In an advanced setup, in order for your ssh access to use the same
97 97 permissions as set up via the RhodeCode web interface, you can create an
98 98 authentication hook to connect to the rhodecode db and runs check functions for
99 99 permissions against that.
100 100
101 101 Setting up Whoosh full text search
102 102 ----------------------------------
103 103
104 104 Starting from version 1.1 the whoosh index can be build by using the paster
105 105 command ``make-index``. To use ``make-index`` you must specify the configuration
106 106 file that stores the location of the index, and the location of the repositories
107 107 (`--repo-location`).Starting from version 1.2 it is
108 108 also possible to specify a comma separated list of repositories (`--index-only`)
109 109 to build index only on chooses repositories skipping any other found in repos
110 110 location
111 111
112 112 You may optionally pass the option `-f` to enable a full index rebuild. Without
113 113 the `-f` option, indexing will run always in "incremental" mode.
114 114
115 115 For an incremental index build use::
116 116
117 117 paster make-index production.ini --repo-location=<location for repos>
118 118
119 119 For a full index rebuild use::
120 120
121 121 paster make-index production.ini -f --repo-location=<location for repos>
122 122
123 123
124 124 building index just for chosen repositories is possible with such command::
125 125
126 126 paster make-index production.ini --repo-location=<location for repos> --index-only=vcs,rhodecode
127 127
128 128
129 129 In order to do periodical index builds and keep your index always up to date.
130 130 It's recommended to do a crontab entry for incremental indexing.
131 131 An example entry might look like this::
132 132
133 133 /path/to/python/bin/paster /path/to/rhodecode/production.ini --repo-location=<location for repos>
134 134
135 135 When using incremental mode (the default) whoosh will check the last
136 136 modification date of each file and add it to be reindexed if a newer file is
137 137 available. The indexing daemon checks for any removed files and removes them
138 138 from index.
139 139
140 140 If you want to rebuild index from scratch, you can use the `-f` flag as above,
141 141 or in the admin panel you can check `build from scratch` flag.
142 142
143 143
144 144 Setting up LDAP support
145 145 -----------------------
146 146
147 147 RhodeCode starting from version 1.1 supports ldap authentication. In order
148 148 to use LDAP, you have to install the python-ldap_ package. This package is
149 149 available via pypi, so you can install it by running
150 150
151 151 using easy_install::
152 152
153 153 easy_install python-ldap
154 154
155 155 using pip::
156 156
157 157 pip install python-ldap
158 158
159 159 .. note::
160 160 python-ldap requires some certain libs on your system, so before installing
161 161 it check that you have at least `openldap`, and `sasl` libraries.
162 162
163 163 LDAP settings are located in admin->ldap section,
164 164
165 165 Here's a typical ldap setup::
166 166
167 167 Connection settings
168 168 Enable LDAP = checked
169 169 Host = host.example.org
170 170 Port = 389
171 171 Account = <account>
172 172 Password = <password>
173 173 Connection Security = LDAPS connection
174 174 Certificate Checks = DEMAND
175 175
176 176 Search settings
177 177 Base DN = CN=users,DC=host,DC=example,DC=org
178 178 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
179 179 LDAP Search Scope = SUBTREE
180 180
181 181 Attribute mappings
182 182 Login Attribute = uid
183 183 First Name Attribute = firstName
184 184 Last Name Attribute = lastName
185 185 E-mail Attribute = mail
186 186
187 187 .. _enable_ldap:
188 188
189 189 Enable LDAP : required
190 190 Whether to use LDAP for authenticating users.
191 191
192 192 .. _ldap_host:
193 193
194 194 Host : required
195 195 LDAP server hostname or IP address.
196 196
197 197 .. _Port:
198 198
199 199 Port : required
200 200 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
201 201
202 202 .. _ldap_account:
203 203
204 204 Account : optional
205 205 Only required if the LDAP server does not allow anonymous browsing of
206 206 records. This should be a special account for record browsing. This
207 207 will require `LDAP Password`_ below.
208 208
209 209 .. _LDAP Password:
210 210
211 211 Password : optional
212 212 Only required if the LDAP server does not allow anonymous browsing of
213 213 records.
214 214
215 215 .. _Enable LDAPS:
216 216
217 217 Connection Security : required
218 218 Defines the connection to LDAP server
219 219
220 220 No encryption
221 221 Plain non encrypted connection
222 222
223 223 LDAPS connection
224 224 Enable ldaps connection. It will likely require `Port`_ to be set to
225 225 a different value (standard LDAPS port is 636). When LDAPS is enabled
226 226 then `Certificate Checks`_ is required.
227 227
228 228 START_TLS on LDAP connection
229 229 START TLS connection
230 230
231 231 .. _Certificate Checks:
232 232
233 233 Certificate Checks : optional
234 234 How SSL certificates verification is handled - this is only useful when
235 235 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
236 236 while the other options are susceptible to man-in-the-middle attacks. SSL
237 237 certificates can be installed to /etc/openldap/cacerts so that the
238 238 DEMAND or HARD options can be used with self-signed certificates or
239 239 certificates that do not have traceable certificates of authority.
240 240
241 241 NEVER
242 242 A serve certificate will never be requested or checked.
243 243
244 244 ALLOW
245 245 A server certificate is requested. Failure to provide a
246 246 certificate or providing a bad certificate will not terminate the
247 247 session.
248 248
249 249 TRY
250 250 A server certificate is requested. Failure to provide a
251 251 certificate does not halt the session; providing a bad certificate
252 252 halts the session.
253 253
254 254 DEMAND
255 255 A server certificate is requested and must be provided and
256 256 authenticated for the session to proceed.
257 257
258 258 HARD
259 259 The same as DEMAND.
260 260
261 261 .. _Base DN:
262 262
263 263 Base DN : required
264 264 The Distinguished Name (DN) where searches for users will be performed.
265 265 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
266 266
267 267 .. _LDAP Filter:
268 268
269 269 LDAP Filter : optional
270 270 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
271 271 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
272 272 which LDAP objects are identified as representing Users for
273 273 authentication. The filter is augmented by `Login Attribute`_ below.
274 274 This can commonly be left blank.
275 275
276 276 .. _LDAP Search Scope:
277 277
278 278 LDAP Search Scope : required
279 279 This limits how far LDAP will search for a matching object.
280 280
281 281 BASE
282 282 Only allows searching of `Base DN`_ and is usually not what you
283 283 want.
284 284
285 285 ONELEVEL
286 286 Searches all entries under `Base DN`_, but not Base DN itself.
287 287
288 288 SUBTREE
289 289 Searches all entries below `Base DN`_, but not Base DN itself.
290 290 When using SUBTREE `LDAP Filter`_ is useful to limit object
291 291 location.
292 292
293 293 .. _Login Attribute:
294 294
295 295 Login Attribute : required
296 296 The LDAP record attribute that will be matched as the USERNAME or
297 297 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
298 298 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
299 299 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
300 300 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
301 301 ::
302 302
303 303 (&(LDAPFILTER)(uid=jsmith))
304 304
305 305 .. _ldap_attr_firstname:
306 306
307 307 First Name Attribute : required
308 308 The LDAP record attribute which represents the user's first name.
309 309
310 310 .. _ldap_attr_lastname:
311 311
312 312 Last Name Attribute : required
313 313 The LDAP record attribute which represents the user's last name.
314 314
315 315 .. _ldap_attr_email:
316 316
317 317 Email Attribute : required
318 318 The LDAP record attribute which represents the user's email address.
319 319
320 320 If all data are entered correctly, and python-ldap_ is properly installed
321 321 users should be granted access to RhodeCode with ldap accounts. At this
322 322 time user information is copied from LDAP into the RhodeCode user database.
323 323 This means that updates of an LDAP user object may not be reflected as a
324 324 user update in RhodeCode.
325 325
326 326 If You have problems with LDAP access and believe You entered correct
327 327 information check out the RhodeCode logs, any error messages sent from LDAP
328 328 will be saved there.
329 329
330 330 Active Directory
331 331 ''''''''''''''''
332 332
333 333 RhodeCode can use Microsoft Active Directory for user authentication. This
334 334 is done through an LDAP or LDAPS connection to Active Directory. The
335 335 following LDAP configuration settings are typical for using Active
336 336 Directory ::
337 337
338 338 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
339 339 Login Attribute = sAMAccountName
340 340 First Name Attribute = givenName
341 341 Last Name Attribute = sn
342 342 E-mail Attribute = mail
343 343
344 344 All other LDAP settings will likely be site-specific and should be
345 345 appropriately configured.
346 346
347 347 Setting Up Celery
348 348 -----------------
349 349
350 350 Since version 1.1 celery is configured by the rhodecode ini configuration files.
351 351 Simply set use_celery=true in the ini file then add / change the configuration
352 352 variables inside the ini file.
353 353
354 354 Remember that the ini files use the format with '.' not with '_' like celery.
355 355 So for example setting `BROKER_HOST` in celery means setting `broker.host` in
356 356 the config file.
357 357
358 358 In order to start using celery run::
359 359
360 360 paster celeryd <configfile.ini>
361 361
362 362
363 363 .. note::
364 364 Make sure you run this command from the same virtualenv, and with the same
365 365 user that rhodecode runs.
366 366
367 367 HTTPS support
368 368 -------------
369 369
370 370 There are two ways to enable https:
371 371
372 372 - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will
373 373 recognize this headers and make proper https redirections
374 374 - Alternatively, set `force_https = true` in the ini configuration to force
375 375 using https, no headers are needed than to enable https
376 376
377 377
378 378 Nginx virtual host example
379 379 --------------------------
380 380
381 381 Sample config for nginx using proxy::
382 382
383 383 server {
384 384 listen 80;
385 385 server_name hg.myserver.com;
386 386 access_log /var/log/nginx/rhodecode.access.log;
387 387 error_log /var/log/nginx/rhodecode.error.log;
388 388 location / {
389 389 root /var/www/rhodecode/rhodecode/public/;
390 390 if (!-f $request_filename){
391 391 proxy_pass http://127.0.0.1:5000;
392 392 }
393 393 #this is important if you want to use https !!!
394 394 proxy_set_header X-Url-Scheme $scheme;
395 395 include /etc/nginx/proxy.conf;
396 396 }
397 397 }
398 398
399 399 Here's the proxy.conf. It's tuned so it will not timeout on long
400 400 pushes or large pushes::
401 401
402 402 proxy_redirect off;
403 403 proxy_set_header Host $host;
404 404 proxy_set_header X-Host $http_host;
405 405 proxy_set_header X-Real-IP $remote_addr;
406 406 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
407 407 proxy_set_header Proxy-host $proxy_host;
408 408 client_max_body_size 400m;
409 409 client_body_buffer_size 128k;
410 410 proxy_buffering off;
411 411 proxy_connect_timeout 3600;
412 412 proxy_send_timeout 3600;
413 413 proxy_read_timeout 3600;
414 414 proxy_buffer_size 16k;
415 415 proxy_buffers 4 16k;
416 416 proxy_busy_buffers_size 64k;
417 417 proxy_temp_file_write_size 64k;
418 418
419 419 Also, when using root path with nginx you might set the static files to false
420 420 in the production.ini file::
421 421
422 422 [app:main]
423 423 use = egg:rhodecode
424 424 full_stack = true
425 425 static_files = false
426 426 lang=en
427 427 cache_dir = %(here)s/data
428 428
429 429 In order to not have the statics served by the application. This improves speed.
430 430
431 431
432 432 Apache virtual host example
433 433 ---------------------------
434 434
435 435 Here is a sample configuration file for apache using proxy::
436 436
437 437 <VirtualHost *:80>
438 438 ServerName hg.myserver.com
439 439 ServerAlias hg.myserver.com
440 440
441 441 <Proxy *>
442 442 Order allow,deny
443 443 Allow from all
444 444 </Proxy>
445 445
446 446 #important !
447 447 #Directive to properly generate url (clone url) for pylons
448 448 ProxyPreserveHost On
449 449
450 450 #rhodecode instance
451 451 ProxyPass / http://127.0.0.1:5000/
452 452 ProxyPassReverse / http://127.0.0.1:5000/
453 453
454 454 #to enable https use line below
455 455 #SetEnvIf X-Url-Scheme https HTTPS=1
456 456
457 457 </VirtualHost>
458 458
459 459
460 460 Additional tutorial
461 461 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
462 462
463 463
464 464 Apache as subdirectory
465 465 ----------------------
466 466
467 467 Apache subdirectory part::
468 468
469 469 <Location /<someprefix> >
470 470 ProxyPass http://127.0.0.1:5000/<someprefix>
471 471 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
472 472 SetEnvIf X-Url-Scheme https HTTPS=1
473 473 </Location>
474 474
475 475 Besides the regular apache setup you will need to add the following to your .ini file::
476 476
477 477 filter-with = proxy-prefix
478 478
479 479 Add the following at the end of the .ini file::
480 480
481 481 [filter:proxy-prefix]
482 482 use = egg:PasteDeploy#prefix
483 483 prefix = /<someprefix>
484 484
485 485
486 486 then change <someprefix> into your choosen prefix
487 487
488 Apache's example FCGI config
489 ----------------------------
488 Apache's WSGI config
489 --------------------
490
491
492 Example wsgi dispatch script::
493
494 import os
495 os.environ["HGENCODING"] = "UTF-8"
496 os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache'
490 497
491 TODO !
498 # sometimes it's needed to set the curent dir
499 os.chdir('/home/web/rhodecode/')
500
501 from paste.deploy import loadapp
502 from paste.script.util.logging_config import fileConfig
503
504 fileConfig('/home/web/rhodecode/production.ini')
505 application = loadapp('config:/home/web/rhodecode/production.ini')
506
492 507
493 508 Other configuration files
494 509 -------------------------
495 510
496 511 Some example init.d scripts can be found here, for debian and gentoo:
497 512
498 513 https://rhodecode.org/rhodecode/files/tip/init.d
499 514
500 515
501 516 Troubleshooting
502 517 ---------------
503 518
504 519 :Q: **Missing static files?**
505 520 :A: Make sure either to set the `static_files = true` in the .ini file or
506 521 double check the root path for your http setup. It should point to
507 522 for example:
508 523 /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public
509 524
510 525 |
511 526
512 527 :Q: **Can't install celery/rabbitmq**
513 528 :A: Don't worry RhodeCode works without them too. No extra setup is required.
514 529
515 530 |
516 531
517 532 :Q: **Long lasting push timeouts?**
518 533 :A: Make sure you set a longer timeouts in your proxy/fcgi settings, timeouts
519 534 are caused by https server and not RhodeCode.
520 535
521 536 |
522 537
523 538 :Q: **Large pushes timeouts?**
524 539 :A: Make sure you set a proper max_body_size for the http server.
525 540
526 541 |
527 542
528 543 :Q: **Apache doesn't pass basicAuth on pull/push?**
529 544 :A: Make sure you added `WSGIPassAuthorization true`.
530 545
531 546 For further questions search the `Issues tracker`_, or post a message in the
532 547 `google group rhodecode`_
533 548
534 549 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
535 550 .. _python: http://www.python.org/
536 551 .. _mercurial: http://mercurial.selenic.com/
537 552 .. _celery: http://celeryproject.org/
538 553 .. _rabbitmq: http://www.rabbitmq.com/
539 554 .. _python-ldap: http://www.python-ldap.org/
540 555 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
541 556 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
542 557 .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues
543 558 .. _google group rhodecode: http://groups.google.com/group/rhodecode No newline at end of file
General Comments 0
You need to be logged in to leave comments. Login now