##// END OF EJS Templates
Merged in herrmann/rhodecode (pull request #10)
marcink -
r1560:a682eda6 merge beta
parent child Browse files
Show More
@@ -1,573 +1,605
1 1 .. _setup:
2 2
3 3 Setup
4 4 =====
5 5
6 6
7 7 Setting up RhodeCode
8 8 --------------------
9 9
10 10 First, you will need to create a RhodeCode configuration file. Run the
11 11 following command to do this::
12 12
13 13 paster make-config RhodeCode production.ini
14 14
15 15 - This will create the file `production.ini` in the current directory. This
16 16 configuration file contains the various settings for RhodeCode, e.g proxy
17 17 port, email settings, usage of static files, cache, celery settings and
18 18 logging.
19 19
20 20
21 21 Next, you need to create the databases used by RhodeCode. I recommend that you
22 22 use sqlite (default) or postgresql. If you choose a database other than the
23 23 default ensure you properly adjust the db url in your production.ini
24 24 configuration file to use this other database. Create the databases by running
25 25 the following command::
26 26
27 27 paster setup-app production.ini
28 28
29 29 This will prompt you for a "root" path. This "root" path is the location where
30 30 RhodeCode will store all of its repositories on the current machine. After
31 31 entering this "root" path ``setup-app`` will also prompt you for a username
32 32 and password for the initial admin account which ``setup-app`` sets up for you.
33 33
34 34 - The ``setup-app`` command will create all of the needed tables and an admin
35 35 account. When choosing a root path you can either use a new empty location,
36 36 or a location which already contains existing repositories. If you choose a
37 37 location which contains existing repositories RhodeCode will simply add all
38 38 of the repositories at the chosen location to it's database. (Note: make
39 39 sure you specify the correct path to the root).
40 40 - Note: the given path for mercurial_ repositories **must** be write accessible
41 41 for the application. It's very important since the RhodeCode web interface
42 42 will work without write access, but when trying to do a push it will
43 43 eventually fail with permission denied errors unless it has write access.
44 44
45 45 You are now ready to use RhodeCode, to run it simply execute::
46 46
47 47 paster serve production.ini
48 48
49 49 - This command runs the RhodeCode server. The web app should be available at the
50 50 127.0.0.1:5000. This ip and port is configurable via the production.ini
51 51 file created in previous step
52 52 - Use the admin account you created above when running ``setup-app`` to login
53 53 to the web app.
54 54 - The default permissions on each repository is read, and the owner is admin.
55 55 Remember to update these if needed.
56 56 - In the admin panel you can toggle ldap, anonymous, permissions settings. As
57 57 well as edit more advanced options on users and repositories
58 58
59 59 Try copying your own mercurial repository into the "root" directory you are
60 60 using, then from within the RhodeCode web application choose Admin >
61 61 repositories. Then choose Add New Repository. Add the repository you copied
62 62 into the root. Test that you can browse your repository from within RhodeCode
63 63 and then try cloning your repository from RhodeCode with::
64 64
65 65 hg clone http://127.0.0.1:5000/<repository name>
66 66
67 67 where *repository name* is replaced by the name of your repository.
68 68
69 69 Using RhodeCode with SSH
70 70 ------------------------
71 71
72 72 RhodeCode currently only hosts repositories using http and https. (The addition
73 73 of ssh hosting is a planned future feature.) However you can easily use ssh in
74 74 parallel with RhodeCode. (Repository access via ssh is a standard "out of
75 75 the box" feature of mercurial_ and you can use this to access any of the
76 76 repositories that RhodeCode is hosting. See PublishingRepositories_)
77 77
78 78 RhodeCode repository structures are kept in directories with the same name
79 79 as the project. When using repository groups, each group is a subdirectory.
80 80 This allows you to easily use ssh for accessing repositories.
81 81
82 82 In order to use ssh you need to make sure that your web-server and the users
83 83 login accounts have the correct permissions set on the appropriate directories.
84 84 (Note that these permissions are independent of any permissions you have set up
85 85 using the RhodeCode web interface.)
86 86
87 87 If your main directory (the same as set in RhodeCode settings) is for example
88 88 set to **/home/hg** and the repository you are using is named `rhodecode`, then
89 89 to clone via ssh you should run::
90 90
91 91 hg clone ssh://user@server.com/home/hg/rhodecode
92 92
93 93 Using other external tools such as mercurial-server_ or using ssh key based
94 94 authentication is fully supported.
95 95
96 96 Note: In an advanced setup, in order for your ssh access to use the same
97 97 permissions as set up via the RhodeCode web interface, you can create an
98 98 authentication hook to connect to the rhodecode db and runs check functions for
99 99 permissions against that.
100 100
101 101 Setting up Whoosh full text search
102 102 ----------------------------------
103 103
104 104 Starting from version 1.1 the whoosh index can be build by using the paster
105 105 command ``make-index``. To use ``make-index`` you must specify the configuration
106 106 file that stores the location of the index. You may specify the location of the
107 107 repositories (`--repo-location`). If not specified, this value is retrieved
108 108 from the RhodeCode database. This was required prior to 1.2. Starting from
109 109 version 1.2 it is also possible to specify a comma separated list of
110 110 repositories (`--index-only`) to build index only on chooses repositories
111 111 skipping any other found in repos location
112 112
113 113 You may optionally pass the option `-f` to enable a full index rebuild. Without
114 114 the `-f` option, indexing will run always in "incremental" mode.
115 115
116 116 For an incremental index build use::
117 117
118 118 paster make-index production.ini
119 119
120 120 For a full index rebuild use::
121 121
122 122 paster make-index production.ini -f
123 123
124 124
125 125 building index just for chosen repositories is possible with such command::
126 126
127 127 paster make-index production.ini --index-only=vcs,rhodecode
128 128
129 129
130 130 In order to do periodical index builds and keep your index always up to date.
131 131 It's recommended to do a crontab entry for incremental indexing.
132 132 An example entry might look like this::
133 133
134 134 /path/to/python/bin/paster make-index /path/to/rhodecode/production.ini
135 135
136 136 When using incremental mode (the default) whoosh will check the last
137 137 modification date of each file and add it to be reindexed if a newer file is
138 138 available. The indexing daemon checks for any removed files and removes them
139 139 from index.
140 140
141 141 If you want to rebuild index from scratch, you can use the `-f` flag as above,
142 142 or in the admin panel you can check `build from scratch` flag.
143 143
144 144
145 145 Setting up LDAP support
146 146 -----------------------
147 147
148 148 RhodeCode starting from version 1.1 supports ldap authentication. In order
149 149 to use LDAP, you have to install the python-ldap_ package. This package is
150 150 available via pypi, so you can install it by running
151 151
152 152 using easy_install::
153 153
154 154 easy_install python-ldap
155 155
156 156 using pip::
157 157
158 158 pip install python-ldap
159 159
160 160 .. note::
161 161 python-ldap requires some certain libs on your system, so before installing
162 162 it check that you have at least `openldap`, and `sasl` libraries.
163 163
164 164 LDAP settings are located in admin->ldap section,
165 165
166 166 Here's a typical ldap setup::
167 167
168 168 Connection settings
169 169 Enable LDAP = checked
170 170 Host = host.example.org
171 171 Port = 389
172 172 Account = <account>
173 173 Password = <password>
174 174 Connection Security = LDAPS connection
175 175 Certificate Checks = DEMAND
176 176
177 177 Search settings
178 178 Base DN = CN=users,DC=host,DC=example,DC=org
179 179 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
180 180 LDAP Search Scope = SUBTREE
181 181
182 182 Attribute mappings
183 183 Login Attribute = uid
184 184 First Name Attribute = firstName
185 185 Last Name Attribute = lastName
186 186 E-mail Attribute = mail
187 187
188 188 .. _enable_ldap:
189 189
190 190 Enable LDAP : required
191 191 Whether to use LDAP for authenticating users.
192 192
193 193 .. _ldap_host:
194 194
195 195 Host : required
196 196 LDAP server hostname or IP address.
197 197
198 198 .. _Port:
199 199
200 200 Port : required
201 201 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
202 202
203 203 .. _ldap_account:
204 204
205 205 Account : optional
206 206 Only required if the LDAP server does not allow anonymous browsing of
207 207 records. This should be a special account for record browsing. This
208 208 will require `LDAP Password`_ below.
209 209
210 210 .. _LDAP Password:
211 211
212 212 Password : optional
213 213 Only required if the LDAP server does not allow anonymous browsing of
214 214 records.
215 215
216 216 .. _Enable LDAPS:
217 217
218 218 Connection Security : required
219 219 Defines the connection to LDAP server
220 220
221 221 No encryption
222 222 Plain non encrypted connection
223 223
224 224 LDAPS connection
225 225 Enable ldaps connection. It will likely require `Port`_ to be set to
226 226 a different value (standard LDAPS port is 636). When LDAPS is enabled
227 227 then `Certificate Checks`_ is required.
228 228
229 229 START_TLS on LDAP connection
230 230 START TLS connection
231 231
232 232 .. _Certificate Checks:
233 233
234 234 Certificate Checks : optional
235 235 How SSL certificates verification is handled - this is only useful when
236 236 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
237 237 while the other options are susceptible to man-in-the-middle attacks. SSL
238 238 certificates can be installed to /etc/openldap/cacerts so that the
239 239 DEMAND or HARD options can be used with self-signed certificates or
240 240 certificates that do not have traceable certificates of authority.
241 241
242 242 NEVER
243 243 A serve certificate will never be requested or checked.
244 244
245 245 ALLOW
246 246 A server certificate is requested. Failure to provide a
247 247 certificate or providing a bad certificate will not terminate the
248 248 session.
249 249
250 250 TRY
251 251 A server certificate is requested. Failure to provide a
252 252 certificate does not halt the session; providing a bad certificate
253 253 halts the session.
254 254
255 255 DEMAND
256 256 A server certificate is requested and must be provided and
257 257 authenticated for the session to proceed.
258 258
259 259 HARD
260 260 The same as DEMAND.
261 261
262 262 .. _Base DN:
263 263
264 264 Base DN : required
265 265 The Distinguished Name (DN) where searches for users will be performed.
266 266 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
267 267
268 268 .. _LDAP Filter:
269 269
270 270 LDAP Filter : optional
271 271 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
272 272 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
273 273 which LDAP objects are identified as representing Users for
274 274 authentication. The filter is augmented by `Login Attribute`_ below.
275 275 This can commonly be left blank.
276 276
277 277 .. _LDAP Search Scope:
278 278
279 279 LDAP Search Scope : required
280 280 This limits how far LDAP will search for a matching object.
281 281
282 282 BASE
283 283 Only allows searching of `Base DN`_ and is usually not what you
284 284 want.
285 285
286 286 ONELEVEL
287 287 Searches all entries under `Base DN`_, but not Base DN itself.
288 288
289 289 SUBTREE
290 290 Searches all entries below `Base DN`_, but not Base DN itself.
291 291 When using SUBTREE `LDAP Filter`_ is useful to limit object
292 292 location.
293 293
294 294 .. _Login Attribute:
295 295
296 296 Login Attribute : required
297 297 The LDAP record attribute that will be matched as the USERNAME or
298 298 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
299 299 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
300 300 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
301 301 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
302 302 ::
303 303
304 304 (&(LDAPFILTER)(uid=jsmith))
305 305
306 306 .. _ldap_attr_firstname:
307 307
308 308 First Name Attribute : required
309 309 The LDAP record attribute which represents the user's first name.
310 310
311 311 .. _ldap_attr_lastname:
312 312
313 313 Last Name Attribute : required
314 314 The LDAP record attribute which represents the user's last name.
315 315
316 316 .. _ldap_attr_email:
317 317
318 318 Email Attribute : required
319 319 The LDAP record attribute which represents the user's email address.
320 320
321 321 If all data are entered correctly, and python-ldap_ is properly installed
322 322 users should be granted access to RhodeCode with ldap accounts. At this
323 323 time user information is copied from LDAP into the RhodeCode user database.
324 324 This means that updates of an LDAP user object may not be reflected as a
325 325 user update in RhodeCode.
326 326
327 327 If You have problems with LDAP access and believe You entered correct
328 328 information check out the RhodeCode logs, any error messages sent from LDAP
329 329 will be saved there.
330 330
331 331 Active Directory
332 332 ''''''''''''''''
333 333
334 334 RhodeCode can use Microsoft Active Directory for user authentication. This
335 335 is done through an LDAP or LDAPS connection to Active Directory. The
336 336 following LDAP configuration settings are typical for using Active
337 337 Directory ::
338 338
339 339 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
340 340 Login Attribute = sAMAccountName
341 341 First Name Attribute = givenName
342 342 Last Name Attribute = sn
343 343 E-mail Attribute = mail
344 344
345 345 All other LDAP settings will likely be site-specific and should be
346 346 appropriately configured.
347 347
348 348
349 349
350 350 Hook management
351 351 ---------------
352 352
353 353 Hooks can be managed in similar way to this used in .hgrc files.
354 354 To access hooks setting click `advanced setup` on Hooks section of Mercurial
355 355 Settings in Admin.
356 356
357 357 There are 4 built in hooks that cannot be changed (only enable/disable by
358 358 checkboxes on previos section).
359 359 To add another custom hook simply fill in first section with
360 360 <name>.<hook_type> and the second one with hook path. Example hooks
361 361 can be found at *rhodecode.lib.hooks*.
362 362
363 363
364 364 Setting Up Celery
365 365 -----------------
366 366
367 367 Since version 1.1 celery is configured by the rhodecode ini configuration files.
368 368 Simply set use_celery=true in the ini file then add / change the configuration
369 369 variables inside the ini file.
370 370
371 371 Remember that the ini files use the format with '.' not with '_' like celery.
372 372 So for example setting `BROKER_HOST` in celery means setting `broker.host` in
373 373 the config file.
374 374
375 375 In order to start using celery run::
376 376
377 377 paster celeryd <configfile.ini>
378 378
379 379
380 380 .. note::
381 381 Make sure you run this command from the same virtualenv, and with the same
382 382 user that rhodecode runs.
383 383
384 384 HTTPS support
385 385 -------------
386 386
387 387 There are two ways to enable https:
388 388
389 389 - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will
390 390 recognize this headers and make proper https redirections
391 391 - Alternatively, change the `force_https = true` flag in the ini configuration
392 392 to force using https, no headers are needed than to enable https
393 393
394 394
395 395 Nginx virtual host example
396 396 --------------------------
397 397
398 398 Sample config for nginx using proxy::
399 399
400 400 server {
401 401 listen 80;
402 402 server_name hg.myserver.com;
403 403 access_log /var/log/nginx/rhodecode.access.log;
404 404 error_log /var/log/nginx/rhodecode.error.log;
405 405 location / {
406 406 root /var/www/rhodecode/rhodecode/public/;
407 407 if (!-f $request_filename){
408 408 proxy_pass http://127.0.0.1:5000;
409 409 }
410 410 #this is important if you want to use https !!!
411 411 proxy_set_header X-Url-Scheme $scheme;
412 412 include /etc/nginx/proxy.conf;
413 413 }
414 414 }
415 415
416 416 Here's the proxy.conf. It's tuned so it will not timeout on long
417 417 pushes or large pushes::
418 418
419 419 proxy_redirect off;
420 420 proxy_set_header Host $host;
421 421 proxy_set_header X-Host $http_host;
422 422 proxy_set_header X-Real-IP $remote_addr;
423 423 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
424 424 proxy_set_header Proxy-host $proxy_host;
425 425 client_max_body_size 400m;
426 426 client_body_buffer_size 128k;
427 427 proxy_buffering off;
428 428 proxy_connect_timeout 7200;
429 429 proxy_send_timeout 7200;
430 430 proxy_read_timeout 7200;
431 431 proxy_buffers 8 32k;
432 432
433 433 Also, when using root path with nginx you might set the static files to false
434 434 in the production.ini file::
435 435
436 436 [app:main]
437 437 use = egg:rhodecode
438 438 full_stack = true
439 439 static_files = false
440 440 lang=en
441 441 cache_dir = %(here)s/data
442 442
443 443 In order to not have the statics served by the application. This improves speed.
444 444
445 445
446 Apache virtual host example
447 ---------------------------
446 Apache virtual host reverse proxy example
447 -----------------------------------------
448 448
449 449 Here is a sample configuration file for apache using proxy::
450 450
451 451 <VirtualHost *:80>
452 452 ServerName hg.myserver.com
453 453 ServerAlias hg.myserver.com
454 454
455 455 <Proxy *>
456 456 Order allow,deny
457 457 Allow from all
458 458 </Proxy>
459 459
460 460 #important !
461 461 #Directive to properly generate url (clone url) for pylons
462 462 ProxyPreserveHost On
463 463
464 464 #rhodecode instance
465 465 ProxyPass / http://127.0.0.1:5000/
466 466 ProxyPassReverse / http://127.0.0.1:5000/
467 467
468 468 #to enable https use line below
469 469 #SetEnvIf X-Url-Scheme https HTTPS=1
470 470
471 471 </VirtualHost>
472 472
473 473
474 474 Additional tutorial
475 475 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
476 476
477 477
478 478 Apache as subdirectory
479 479 ----------------------
480 480
481 481 Apache subdirectory part::
482 482
483 483 <Location /<someprefix> >
484 484 ProxyPass http://127.0.0.1:5000/<someprefix>
485 485 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
486 486 SetEnvIf X-Url-Scheme https HTTPS=1
487 487 </Location>
488 488
489 489 Besides the regular apache setup you will need to add the following line
490 490 into [app:main] section of your .ini file::
491 491
492 492 filter-with = proxy-prefix
493 493
494 494 Add the following at the end of the .ini file::
495 495
496 496 [filter:proxy-prefix]
497 497 use = egg:PasteDeploy#prefix
498 498 prefix = /<someprefix>
499 499
500 500
501 501 then change <someprefix> into your choosen prefix
502 502
503 503 Apache's WSGI config
504 504 --------------------
505 505
506 Alternatively, RhodeCode can be set up with Apache under mod_wsgi. For
507 that, you'll need to:
508
509 - Install mod_wsgi. If using a Debian-based distro, you can install
510 the package libapache2-mod-wsgi::
511
512 aptitude install libapache2-mod-wsgi
513
514 - Enable mod_wsgi::
515
516 a2enmod wsgi
517
518 - Create a wsgi dispatch script, like the one below. Make sure you
519 check the paths correctly point to where you installed RhodeCode
520 and its Python Virtual Environment.
521 - Enable the WSGIScriptAlias directive for the wsgi dispatch script,
522 as in the following example. Once again, check the paths are
523 correctly specified.
524
525 Here is a sample excerpt from an Apache Virtual Host configuration file::
526
527 WSGIDaemonProcess pylons user=www-data group=www-data processes=1 \
528 threads=4 \
529 python-path=/home/web/rhodecode/pyenv/lib/python2.6/site-packages
530 WSGIScriptAlias / /home/web/rhodecode/dispatch.wsgi
506 531
507 532 Example wsgi dispatch script::
508 533
509 534 import os
510 535 os.environ["HGENCODING"] = "UTF-8"
511 536 os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache'
512 537
513 538 # sometimes it's needed to set the curent dir
514 539 os.chdir('/home/web/rhodecode/')
515 540
541 import site
542 site.addsitedir("/home/web/rhodecode/pyenv/lib/python2.6/site-packages")
543
516 544 from paste.deploy import loadapp
517 545 from paste.script.util.logging_config import fileConfig
518 546
519 547 fileConfig('/home/web/rhodecode/production.ini')
520 548 application = loadapp('config:/home/web/rhodecode/production.ini')
521 549
550 Note: when using mod_wsgi you'll need to install the same version of
551 Mercurial that's inside RhodeCode's virtualenv also on the system's Python
552 environment.
553
522 554
523 555 Other configuration files
524 556 -------------------------
525 557
526 558 Some example init.d scripts can be found here, for debian and gentoo:
527 559
528 560 https://rhodecode.org/rhodecode/files/tip/init.d
529 561
530 562
531 563 Troubleshooting
532 564 ---------------
533 565
534 566 :Q: **Missing static files?**
535 567 :A: Make sure either to set the `static_files = true` in the .ini file or
536 568 double check the root path for your http setup. It should point to
537 569 for example:
538 570 /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public
539 571
540 572 |
541 573
542 574 :Q: **Can't install celery/rabbitmq**
543 575 :A: Don't worry RhodeCode works without them too. No extra setup is required.
544 576
545 577 |
546 578
547 579 :Q: **Long lasting push timeouts?**
548 580 :A: Make sure you set a longer timeouts in your proxy/fcgi settings, timeouts
549 581 are caused by https server and not RhodeCode.
550 582
551 583 |
552 584
553 585 :Q: **Large pushes timeouts?**
554 586 :A: Make sure you set a proper max_body_size for the http server.
555 587
556 588 |
557 589
558 590 :Q: **Apache doesn't pass basicAuth on pull/push?**
559 591 :A: Make sure you added `WSGIPassAuthorization true`.
560 592
561 593 For further questions search the `Issues tracker`_, or post a message in the
562 594 `google group rhodecode`_
563 595
564 596 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
565 597 .. _python: http://www.python.org/
566 598 .. _mercurial: http://mercurial.selenic.com/
567 599 .. _celery: http://celeryproject.org/
568 600 .. _rabbitmq: http://www.rabbitmq.com/
569 601 .. _python-ldap: http://www.python-ldap.org/
570 602 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
571 603 .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
572 604 .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues
573 605 .. _google group rhodecode: http://groups.google.com/group/rhodecode
General Comments 0
You need to be logged in to leave comments. Login now