|
|
@@
-1,819
+1,819
b''
|
|
|
1
|
.. _setup:
|
|
1
|
.. _setup:
|
|
|
2
|
|
|
2
|
|
|
|
3
|
=====
|
|
3
|
=====
|
|
|
4
|
Setup
|
|
4
|
Setup
|
|
|
5
|
=====
|
|
5
|
=====
|
|
|
6
|
|
|
6
|
|
|
|
7
|
|
|
7
|
|
|
|
8
|
Setting up Kallithea
|
|
8
|
Setting up Kallithea
|
|
|
9
|
--------------------
|
|
9
|
--------------------
|
|
|
10
|
|
|
10
|
|
|
|
11
|
First, you will need to create a Kallithea configuration file. Run the
|
|
11
|
First, you will need to create a Kallithea configuration file. Run the
|
|
|
12
|
following command to do so::
|
|
12
|
following command to do so::
|
|
|
13
|
|
|
13
|
|
|
|
14
|
paster make-config Kallithea my.ini
|
|
14
|
paster make-config Kallithea my.ini
|
|
|
15
|
|
|
15
|
|
|
|
16
|
This will create the file ``my.ini`` in the current directory. This
|
|
16
|
This will create the file ``my.ini`` in the current directory. This
|
|
|
17
|
configuration file contains the various settings for Kallithea, e.g.
|
|
17
|
configuration file contains the various settings for Kallithea, e.g.
|
|
|
18
|
proxy port, email settings, usage of static files, cache, Celery
|
|
18
|
proxy port, email settings, usage of static files, cache, Celery
|
|
|
19
|
settings, and logging.
|
|
19
|
settings, and logging.
|
|
|
20
|
|
|
20
|
|
|
|
21
|
Next, you need to create the databases used by Kallithea. It is recommended to
|
|
21
|
Next, you need to create the databases used by Kallithea. It is recommended to
|
|
|
22
|
use PostgreSQL or SQLite (default). If you choose a database other than the
|
|
22
|
use PostgreSQL or SQLite (default). If you choose a database other than the
|
|
|
23
|
default, ensure you properly adjust the database URL in your ``my.ini``
|
|
23
|
default, ensure you properly adjust the database URL in your ``my.ini``
|
|
|
24
|
configuration file to use this other database. Kallithea currently supports
|
|
24
|
configuration file to use this other database. Kallithea currently supports
|
|
|
25
|
PostgreSQL, SQLite and MySQL databases. Create the database by running
|
|
25
|
PostgreSQL, SQLite and MySQL databases. Create the database by running
|
|
|
26
|
the following command::
|
|
26
|
the following command::
|
|
|
27
|
|
|
27
|
|
|
|
28
|
paster setup-db my.ini
|
|
28
|
paster setup-db my.ini
|
|
|
29
|
|
|
29
|
|
|
|
30
|
This will prompt you for a "root" path. This "root" path is the location where
|
|
30
|
This will prompt you for a "root" path. This "root" path is the location where
|
|
|
31
|
Kallithea will store all of its repositories on the current machine. After
|
|
31
|
Kallithea will store all of its repositories on the current machine. After
|
|
|
32
|
entering this "root" path ``setup-db`` will also prompt you for a username
|
|
32
|
entering this "root" path ``setup-db`` will also prompt you for a username
|
|
|
33
|
and password for the initial admin account which ``setup-db`` sets
|
|
33
|
and password for the initial admin account which ``setup-db`` sets
|
|
|
34
|
up for you.
|
|
34
|
up for you.
|
|
|
35
|
|
|
35
|
|
|
|
36
|
The ``setup-db`` values can also be given on the command line.
|
|
36
|
The ``setup-db`` values can also be given on the command line.
|
|
|
37
|
Example::
|
|
37
|
Example::
|
|
|
38
|
|
|
38
|
|
|
|
39
|
paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
|
|
39
|
paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
|
|
|
40
|
|
|
40
|
|
|
|
41
|
The ``setup-db`` command will create all needed tables and an
|
|
41
|
The ``setup-db`` command will create all needed tables and an
|
|
|
42
|
admin account. When choosing a root path you can either use a new
|
|
42
|
admin account. When choosing a root path you can either use a new
|
|
|
43
|
empty location, or a location which already contains existing
|
|
43
|
empty location, or a location which already contains existing
|
|
|
44
|
repositories. If you choose a location which contains existing
|
|
44
|
repositories. If you choose a location which contains existing
|
|
|
45
|
repositories Kallithea will add all of the repositories at the chosen
|
|
45
|
repositories Kallithea will add all of the repositories at the chosen
|
|
|
46
|
location to its database. (Note: make sure you specify the correct
|
|
46
|
location to its database. (Note: make sure you specify the correct
|
|
|
47
|
path to the root).
|
|
47
|
path to the root).
|
|
|
48
|
|
|
48
|
|
|
|
49
|
.. note:: the given path for Mercurial_ repositories **must** be write
|
|
49
|
.. note:: the given path for Mercurial_ repositories **must** be write
|
|
|
50
|
accessible for the application. It's very important since
|
|
50
|
accessible for the application. It's very important since
|
|
|
51
|
the Kallithea web interface will work without write access,
|
|
51
|
the Kallithea web interface will work without write access,
|
|
|
52
|
but when trying to do a push it will fail with permission
|
|
52
|
but when trying to do a push it will fail with permission
|
|
|
53
|
denied errors unless it has write access.
|
|
53
|
denied errors unless it has write access.
|
|
|
54
|
|
|
54
|
|
|
|
55
|
You are now ready to use Kallithea. To run it simply execute::
|
|
55
|
You are now ready to use Kallithea. To run it simply execute::
|
|
|
56
|
|
|
56
|
|
|
|
57
|
paster serve my.ini
|
|
57
|
paster serve my.ini
|
|
|
58
|
|
|
58
|
|
|
|
59
|
- This command runs the Kallithea server. The web app should be available at
|
|
59
|
- This command runs the Kallithea server. The web app should be available at
|
|
|
60
|
http://127.0.0.1:5000. The IP address and port is configurable via the
|
|
60
|
http://127.0.0.1:5000. The IP address and port is configurable via the
|
|
|
61
|
configuration file created in the previous step.
|
|
61
|
configuration file created in the previous step.
|
|
|
62
|
- Log in to Kallithea using the admin account created when running ``setup-db``.
|
|
62
|
- Log in to Kallithea using the admin account created when running ``setup-db``.
|
|
|
63
|
- The default permissions on each repository is read, and the owner is admin.
|
|
63
|
- The default permissions on each repository is read, and the owner is admin.
|
|
|
64
|
Remember to update these if needed.
|
|
64
|
Remember to update these if needed.
|
|
|
65
|
- In the admin panel you can toggle LDAP, anonymous, and permissions
|
|
65
|
- In the admin panel you can toggle LDAP, anonymous, and permissions
|
|
|
66
|
settings, as well as edit more advanced options on users and
|
|
66
|
settings, as well as edit more advanced options on users and
|
|
|
67
|
repositories.
|
|
67
|
repositories.
|
|
|
68
|
|
|
68
|
|
|
|
69
|
|
|
69
|
|
|
|
70
|
Extensions
|
|
70
|
Extensions
|
|
|
71
|
----------
|
|
71
|
----------
|
|
|
72
|
|
|
72
|
|
|
|
73
|
Optionally one can create an ``rcextensions`` package that extends Kallithea
|
|
73
|
Optionally one can create an ``rcextensions`` package that extends Kallithea
|
|
|
74
|
functionality.
|
|
74
|
functionality.
|
|
|
75
|
To generate a skeleton extensions package, run::
|
|
75
|
To generate a skeleton extensions package, run::
|
|
|
76
|
|
|
76
|
|
|
|
77
|
paster make-rcext my.ini
|
|
77
|
paster make-rcext my.ini
|
|
|
78
|
|
|
78
|
|
|
|
79
|
This will create an ``rcextensions`` package next to the specified ``ini`` file.
|
|
79
|
This will create an ``rcextensions`` package next to the specified ``ini`` file.
|
|
|
80
|
With ``rcextensions`` it's possible to add additional mapping for whoosh,
|
|
80
|
With ``rcextensions`` it's possible to add additional mapping for whoosh,
|
|
|
81
|
stats and add additional code into the push/pull/create/delete repo hooks,
|
|
81
|
stats and add additional code into the push/pull/create/delete repo hooks,
|
|
|
82
|
for example for sending signals to build-bots such as Jenkins.
|
|
82
|
for example for sending signals to build-bots such as Jenkins.
|
|
|
83
|
|
|
83
|
|
|
|
84
|
See the ``__init__.py`` file inside the generated ``rcextensions`` package
|
|
84
|
See the ``__init__.py`` file inside the generated ``rcextensions`` package
|
|
|
85
|
for more details.
|
|
85
|
for more details.
|
|
|
86
|
|
|
86
|
|
|
|
87
|
|
|
87
|
|
|
|
88
|
Using Kallithea with SSH
|
|
88
|
Using Kallithea with SSH
|
|
|
89
|
------------------------
|
|
89
|
------------------------
|
|
|
90
|
|
|
90
|
|
|
|
91
|
Kallithea currently only hosts repositories using http and https. (The addition
|
|
91
|
Kallithea currently only hosts repositories using http and https. (The addition
|
|
|
92
|
of ssh hosting is a planned future feature.) However you can easily use ssh in
|
|
92
|
of ssh hosting is a planned future feature.) However you can easily use ssh in
|
|
|
93
|
parallel with Kallithea. (Repository access via ssh is a standard "out of
|
|
93
|
parallel with Kallithea. (Repository access via ssh is a standard "out of
|
|
|
94
|
the box" feature of Mercurial_ and you can use this to access any of the
|
|
94
|
the box" feature of Mercurial_ and you can use this to access any of the
|
|
|
95
|
repositories that Kallithea is hosting. See PublishingRepositories_)
|
|
95
|
repositories that Kallithea is hosting. See PublishingRepositories_)
|
|
|
96
|
|
|
96
|
|
|
|
97
|
Kallithea repository structures are kept in directories with the same name
|
|
97
|
Kallithea repository structures are kept in directories with the same name
|
|
|
98
|
as the project. When using repository groups, each group is a subdirectory.
|
|
98
|
as the project. When using repository groups, each group is a subdirectory.
|
|
|
99
|
This allows you to easily use ssh for accessing repositories.
|
|
99
|
This allows you to easily use ssh for accessing repositories.
|
|
|
100
|
|
|
100
|
|
|
|
101
|
In order to use ssh you need to make sure that your web server and the users'
|
|
101
|
In order to use ssh you need to make sure that your web server and the users'
|
|
|
102
|
login accounts have the correct permissions set on the appropriate directories.
|
|
102
|
login accounts have the correct permissions set on the appropriate directories.
|
|
|
103
|
|
|
103
|
|
|
|
104
|
.. note:: These permissions are independent of any permissions you
|
|
104
|
.. note:: These permissions are independent of any permissions you
|
|
|
105
|
have set up using the Kallithea web interface.
|
|
105
|
have set up using the Kallithea web interface.
|
|
|
106
|
|
|
106
|
|
|
|
107
|
If your main directory (the same as set in Kallithea settings) is for
|
|
107
|
If your main directory (the same as set in Kallithea settings) is for
|
|
|
108
|
example set to ``/srv/repos`` and the repository you are using is
|
|
108
|
example set to ``/srv/repos`` and the repository you are using is
|
|
|
109
|
named ``kallithea``, then to clone via ssh you should run::
|
|
109
|
named ``kallithea``, then to clone via ssh you should run::
|
|
|
110
|
|
|
110
|
|
|
|
111
|
hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
|
|
111
|
hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
|
|
|
112
|
|
|
112
|
|
|
|
113
|
Using other external tools such as mercurial-server_ or using ssh key-based
|
|
113
|
Using other external tools such as mercurial-server_ or using ssh key-based
|
|
|
114
|
authentication is fully supported.
|
|
114
|
authentication is fully supported.
|
|
|
115
|
|
|
115
|
|
|
|
116
|
.. note:: In an advanced setup, in order for your ssh access to use
|
|
116
|
.. note:: In an advanced setup, in order for your ssh access to use
|
|
|
117
|
the same permissions as set up via the Kallithea web
|
|
117
|
the same permissions as set up via the Kallithea web
|
|
|
118
|
interface, you can create an authentication hook to connect
|
|
118
|
interface, you can create an authentication hook to connect
|
|
|
119
|
to the Kallithea db and run check functions for permissions
|
|
119
|
to the Kallithea db and run check functions for permissions
|
|
|
120
|
against that.
|
|
120
|
against that.
|
|
|
121
|
|
|
121
|
|
|
|
122
|
|
|
122
|
|
|
|
123
|
Setting up Whoosh full text search
|
|
123
|
Setting up Whoosh full text search
|
|
|
124
|
----------------------------------
|
|
124
|
----------------------------------
|
|
|
125
|
|
|
125
|
|
|
|
126
|
Kallithea provides full text search of repositories using `Whoosh`__.
|
|
126
|
Kallithea provides full text search of repositories using `Whoosh`__.
|
|
|
127
|
|
|
127
|
|
|
|
128
|
.. __: https://pythonhosted.org/Whoosh/
|
|
128
|
.. __: https://pythonhosted.org/Whoosh/
|
|
|
129
|
|
|
129
|
|
|
|
130
|
For an incremental index build, run::
|
|
130
|
For an incremental index build, run::
|
|
|
131
|
|
|
131
|
|
|
|
132
|
paster make-index my.ini
|
|
132
|
paster make-index my.ini
|
|
|
133
|
|
|
133
|
|
|
|
134
|
For a full index rebuild, run::
|
|
134
|
For a full index rebuild, run::
|
|
|
135
|
|
|
135
|
|
|
|
136
|
paster make-index my.ini -f
|
|
136
|
paster make-index my.ini -f
|
|
|
137
|
|
|
137
|
|
|
|
138
|
The ``--repo-location`` option allows the location of the repositories to be overriden;
|
|
138
|
The ``--repo-location`` option allows the location of the repositories to be overriden;
|
|
|
139
|
usually, the location is retrieved from the Kallithea database.
|
|
139
|
usually, the location is retrieved from the Kallithea database.
|
|
|
140
|
|
|
140
|
|
|
|
141
|
The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
|
|
141
|
The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
|
|
|
142
|
|
|
142
|
|
|
|
143
|
paster make-index my.ini --index-only=vcs,kallithea
|
|
143
|
paster make-index my.ini --index-only=vcs,kallithea
|
|
|
144
|
|
|
144
|
|
|
|
145
|
To keep your index up-to-date it is necessary to do periodic index builds;
|
|
145
|
To keep your index up-to-date it is necessary to do periodic index builds;
|
|
|
146
|
for this, it is recommended to use a crontab entry. Example::
|
|
146
|
for this, it is recommended to use a crontab entry. Example::
|
|
|
147
|
|
|
147
|
|
|
|
148
|
0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
|
|
148
|
0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
|
|
|
149
|
|
|
149
|
|
|
|
150
|
When using incremental mode (the default), Whoosh will check the last
|
|
150
|
When using incremental mode (the default), Whoosh will check the last
|
|
|
151
|
modification date of each file and add it to be reindexed if a newer file is
|
|
151
|
modification date of each file and add it to be reindexed if a newer file is
|
|
|
152
|
available. The indexing daemon checks for any removed files and removes them
|
|
152
|
available. The indexing daemon checks for any removed files and removes them
|
|
|
153
|
from index.
|
|
153
|
from index.
|
|
|
154
|
|
|
154
|
|
|
|
155
|
If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
|
|
155
|
If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
|
|
|
156
|
or in the admin panel you can check the "build from scratch" checkbox.
|
|
156
|
or in the admin panel you can check the "build from scratch" checkbox.
|
|
|
157
|
|
|
157
|
|
|
|
158
|
.. _ldap-setup:
|
|
158
|
.. _ldap-setup:
|
|
|
159
|
|
|
159
|
|
|
|
160
|
Setting up LDAP support
|
|
160
|
Setting up LDAP support
|
|
|
161
|
-----------------------
|
|
161
|
-----------------------
|
|
|
162
|
|
|
162
|
|
|
|
163
|
Kallithea supports LDAP authentication. In order
|
|
163
|
Kallithea supports LDAP authentication. In order
|
|
|
164
|
to use LDAP, you have to install the python-ldap_ package. This package is
|
|
164
|
to use LDAP, you have to install the python-ldap_ package. This package is
|
|
|
165
|
available via PyPI, so you can install it by running::
|
|
165
|
available via PyPI, so you can install it by running::
|
|
|
166
|
|
|
166
|
|
|
|
167
|
pip install python-ldap
|
|
167
|
pip install python-ldap
|
|
|
168
|
|
|
168
|
|
|
|
169
|
.. note:: ``python-ldap`` requires some libraries to be installed on
|
|
169
|
.. note:: ``python-ldap`` requires some libraries to be installed on
|
|
|
170
|
your system, so before installing it check that you have at
|
|
170
|
your system, so before installing it check that you have at
|
|
|
171
|
least the ``openldap`` and ``sasl`` libraries.
|
|
171
|
least the ``openldap`` and ``sasl`` libraries.
|
|
|
172
|
|
|
172
|
|
|
|
173
|
Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
|
|
173
|
Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
|
|
|
174
|
and then *Save*, to enable the LDAP plugin and configure its settings.
|
|
174
|
and then *Save*, to enable the LDAP plugin and configure its settings.
|
|
|
175
|
|
|
175
|
|
|
|
176
|
Here's a typical LDAP setup::
|
|
176
|
Here's a typical LDAP setup::
|
|
|
177
|
|
|
177
|
|
|
|
178
|
Connection settings
|
|
178
|
Connection settings
|
|
|
179
|
Enable LDAP = checked
|
|
179
|
Enable LDAP = checked
|
|
|
180
|
Host = host.example.com
|
|
180
|
Host = host.example.com
|
|
|
181
|
Port = 389
|
|
181
|
Port = 389
|
|
|
182
|
Account = <account>
|
|
182
|
Account = <account>
|
|
|
183
|
Password = <password>
|
|
183
|
Password = <password>
|
|
|
184
|
Connection Security = LDAPS connection
|
|
184
|
Connection Security = LDAPS connection
|
|
|
185
|
Certificate Checks = DEMAND
|
|
185
|
Certificate Checks = DEMAND
|
|
|
186
|
|
|
186
|
|
|
|
187
|
Search settings
|
|
187
|
Search settings
|
|
|
188
|
Base DN = CN=users,DC=host,DC=example,DC=org
|
|
188
|
Base DN = CN=users,DC=host,DC=example,DC=org
|
|
|
189
|
LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
|
|
189
|
LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
|
|
|
190
|
LDAP Search Scope = SUBTREE
|
|
190
|
LDAP Search Scope = SUBTREE
|
|
|
191
|
|
|
191
|
|
|
|
192
|
Attribute mappings
|
|
192
|
Attribute mappings
|
|
|
193
|
Login Attribute = uid
|
|
193
|
Login Attribute = uid
|
|
|
194
|
First Name Attribute = firstName
|
|
194
|
First Name Attribute = firstName
|
|
|
195
|
Last Name Attribute = lastName
|
|
195
|
Last Name Attribute = lastName
|
|
|
196
|
Email Attribute = mail
|
|
196
|
Email Attribute = mail
|
|
|
197
|
|
|
197
|
|
|
|
198
|
If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
|
|
198
|
If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
|
|
|
199
|
|
|
199
|
|
|
|
200
|
Search settings
|
|
200
|
Search settings
|
|
|
201
|
Base DN = DC=host,DC=example,DC=org
|
|
201
|
Base DN = DC=host,DC=example,DC=org
|
|
|
202
|
LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
|
|
202
|
LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
|
|
|
203
|
LDAP Search Scope = SUBTREE
|
|
203
|
LDAP Search Scope = SUBTREE
|
|
|
204
|
|
|
204
|
|
|
|
205
|
.. _enable_ldap:
|
|
205
|
.. _enable_ldap:
|
|
|
206
|
|
|
206
|
|
|
|
207
|
Enable LDAP : required
|
|
207
|
Enable LDAP : required
|
|
|
208
|
Whether to use LDAP for authenticating users.
|
|
208
|
Whether to use LDAP for authenticating users.
|
|
|
209
|
|
|
209
|
|
|
|
210
|
.. _ldap_host:
|
|
210
|
.. _ldap_host:
|
|
|
211
|
|
|
211
|
|
|
|
212
|
Host : required
|
|
212
|
Host : required
|
|
|
213
|
LDAP server hostname or IP address. Can be also a comma separated
|
|
213
|
LDAP server hostname or IP address. Can be also a comma separated
|
|
|
214
|
list of servers to support LDAP fail-over.
|
|
214
|
list of servers to support LDAP fail-over.
|
|
|
215
|
|
|
215
|
|
|
|
216
|
.. _Port:
|
|
216
|
.. _Port:
|
|
|
217
|
|
|
217
|
|
|
|
218
|
Port : required
|
|
218
|
Port : required
|
|
|
219
|
389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
|
|
219
|
389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
|
|
|
220
|
|
|
220
|
|
|
|
221
|
.. _ldap_account:
|
|
221
|
.. _ldap_account:
|
|
|
222
|
|
|
222
|
|
|
|
223
|
Account : optional
|
|
223
|
Account : optional
|
|
|
224
|
Only required if the LDAP server does not allow anonymous browsing of
|
|
224
|
Only required if the LDAP server does not allow anonymous browsing of
|
|
|
225
|
records. This should be a special account for record browsing. This
|
|
225
|
records. This should be a special account for record browsing. This
|
|
|
226
|
will require `LDAP Password`_ below.
|
|
226
|
will require `LDAP Password`_ below.
|
|
|
227
|
|
|
227
|
|
|
|
228
|
.. _LDAP Password:
|
|
228
|
.. _LDAP Password:
|
|
|
229
|
|
|
229
|
|
|
|
230
|
Password : optional
|
|
230
|
Password : optional
|
|
|
231
|
Only required if the LDAP server does not allow anonymous browsing of
|
|
231
|
Only required if the LDAP server does not allow anonymous browsing of
|
|
|
232
|
records.
|
|
232
|
records.
|
|
|
233
|
|
|
233
|
|
|
|
234
|
.. _Enable LDAPS:
|
|
234
|
.. _Enable LDAPS:
|
|
|
235
|
|
|
235
|
|
|
|
236
|
Connection Security : required
|
|
236
|
Connection Security : required
|
|
|
237
|
Defines the connection to LDAP server
|
|
237
|
Defines the connection to LDAP server
|
|
|
238
|
|
|
238
|
|
|
|
239
|
No encryption
|
|
239
|
No encryption
|
|
|
240
|
Plain non encrypted connection
|
|
240
|
Plain non encrypted connection
|
|
|
241
|
|
|
241
|
|
|
|
242
|
LDAPS connection
|
|
242
|
LDAPS connection
|
|
|
243
|
Enable LDAPS connections. It will likely require `Port`_ to be set to
|
|
243
|
Enable LDAPS connections. It will likely require `Port`_ to be set to
|
|
|
244
|
a different value (standard LDAPS port is 636). When LDAPS is enabled
|
|
244
|
a different value (standard LDAPS port is 636). When LDAPS is enabled
|
|
|
245
|
then `Certificate Checks`_ is required.
|
|
245
|
then `Certificate Checks`_ is required.
|
|
|
246
|
|
|
246
|
|
|
|
247
|
START_TLS on LDAP connection
|
|
247
|
START_TLS on LDAP connection
|
|
|
248
|
START TLS connection
|
|
248
|
START TLS connection
|
|
|
249
|
|
|
249
|
|
|
|
250
|
.. _Certificate Checks:
|
|
250
|
.. _Certificate Checks:
|
|
|
251
|
|
|
251
|
|
|
|
252
|
Certificate Checks : optional
|
|
252
|
Certificate Checks : optional
|
|
|
253
|
How SSL certificates verification is handled -- this is only useful when
|
|
253
|
How SSL certificates verification is handled -- this is only useful when
|
|
|
254
|
`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
|
|
254
|
`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
|
|
|
255
|
while the other options are susceptible to man-in-the-middle attacks. SSL
|
|
255
|
while the other options are susceptible to man-in-the-middle attacks. SSL
|
|
|
256
|
certificates can be installed to /etc/openldap/cacerts so that the
|
|
256
|
certificates can be installed to /etc/openldap/cacerts so that the
|
|
|
257
|
DEMAND or HARD options can be used with self-signed certificates or
|
|
257
|
DEMAND or HARD options can be used with self-signed certificates or
|
|
|
258
|
certificates that do not have traceable certificates of authority.
|
|
258
|
certificates that do not have traceable certificates of authority.
|
|
|
259
|
|
|
259
|
|
|
|
260
|
NEVER
|
|
260
|
NEVER
|
|
|
261
|
A serve certificate will never be requested or checked.
|
|
261
|
A serve certificate will never be requested or checked.
|
|
|
262
|
|
|
262
|
|
|
|
263
|
ALLOW
|
|
263
|
ALLOW
|
|
|
264
|
A server certificate is requested. Failure to provide a
|
|
264
|
A server certificate is requested. Failure to provide a
|
|
|
265
|
certificate or providing a bad certificate will not terminate the
|
|
265
|
certificate or providing a bad certificate will not terminate the
|
|
|
266
|
session.
|
|
266
|
session.
|
|
|
267
|
|
|
267
|
|
|
|
268
|
TRY
|
|
268
|
TRY
|
|
|
269
|
A server certificate is requested. Failure to provide a
|
|
269
|
A server certificate is requested. Failure to provide a
|
|
|
270
|
certificate does not halt the session; providing a bad certificate
|
|
270
|
certificate does not halt the session; providing a bad certificate
|
|
|
271
|
halts the session.
|
|
271
|
halts the session.
|
|
|
272
|
|
|
272
|
|
|
|
273
|
DEMAND
|
|
273
|
DEMAND
|
|
|
274
|
A server certificate is requested and must be provided and
|
|
274
|
A server certificate is requested and must be provided and
|
|
|
275
|
authenticated for the session to proceed.
|
|
275
|
authenticated for the session to proceed.
|
|
|
276
|
|
|
276
|
|
|
|
277
|
HARD
|
|
277
|
HARD
|
|
|
278
|
The same as DEMAND.
|
|
278
|
The same as DEMAND.
|
|
|
279
|
|
|
279
|
|
|
|
280
|
.. _Base DN:
|
|
280
|
.. _Base DN:
|
|
|
281
|
|
|
281
|
|
|
|
282
|
Base DN : required
|
|
282
|
Base DN : required
|
|
|
283
|
The Distinguished Name (DN) where searches for users will be performed.
|
|
283
|
The Distinguished Name (DN) where searches for users will be performed.
|
|
|
284
|
Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
|
|
284
|
Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
|
|
|
285
|
|
|
285
|
|
|
|
286
|
.. _LDAP Filter:
|
|
286
|
.. _LDAP Filter:
|
|
|
287
|
|
|
287
|
|
|
|
288
|
LDAP Filter : optional
|
|
288
|
LDAP Filter : optional
|
|
|
289
|
A LDAP filter defined by RFC 2254. This is more useful when `LDAP
|
|
289
|
A LDAP filter defined by RFC 2254. This is more useful when `LDAP
|
|
|
290
|
Search Scope`_ is set to SUBTREE. The filter is useful for limiting
|
|
290
|
Search Scope`_ is set to SUBTREE. The filter is useful for limiting
|
|
|
291
|
which LDAP objects are identified as representing Users for
|
|
291
|
which LDAP objects are identified as representing Users for
|
|
|
292
|
authentication. The filter is augmented by `Login Attribute`_ below.
|
|
292
|
authentication. The filter is augmented by `Login Attribute`_ below.
|
|
|
293
|
This can commonly be left blank.
|
|
293
|
This can commonly be left blank.
|
|
|
294
|
|
|
294
|
|
|
|
295
|
.. _LDAP Search Scope:
|
|
295
|
.. _LDAP Search Scope:
|
|
|
296
|
|
|
296
|
|
|
|
297
|
LDAP Search Scope : required
|
|
297
|
LDAP Search Scope : required
|
|
|
298
|
This limits how far LDAP will search for a matching object.
|
|
298
|
This limits how far LDAP will search for a matching object.
|
|
|
299
|
|
|
299
|
|
|
|
300
|
BASE
|
|
300
|
BASE
|
|
|
301
|
Only allows searching of `Base DN`_ and is usually not what you
|
|
301
|
Only allows searching of `Base DN`_ and is usually not what you
|
|
|
302
|
want.
|
|
302
|
want.
|
|
|
303
|
|
|
303
|
|
|
|
304
|
ONELEVEL
|
|
304
|
ONELEVEL
|
|
|
305
|
Searches all entries under `Base DN`_, but not Base DN itself.
|
|
305
|
Searches all entries under `Base DN`_, but not Base DN itself.
|
|
|
306
|
|
|
306
|
|
|
|
307
|
SUBTREE
|
|
307
|
SUBTREE
|
|
|
308
|
Searches all entries below `Base DN`_, but not Base DN itself.
|
|
308
|
Searches all entries below `Base DN`_, but not Base DN itself.
|
|
|
309
|
When using SUBTREE `LDAP Filter`_ is useful to limit object
|
|
309
|
When using SUBTREE `LDAP Filter`_ is useful to limit object
|
|
|
310
|
location.
|
|
310
|
location.
|
|
|
311
|
|
|
311
|
|
|
|
312
|
.. _Login Attribute:
|
|
312
|
.. _Login Attribute:
|
|
|
313
|
|
|
313
|
|
|
|
314
|
Login Attribute : required
|
|
314
|
Login Attribute : required
|
|
|
315
|
The LDAP record attribute that will be matched as the USERNAME or
|
|
315
|
The LDAP record attribute that will be matched as the USERNAME or
|
|
|
316
|
ACCOUNT used to connect to Kallithea. This will be added to `LDAP
|
|
316
|
ACCOUNT used to connect to Kallithea. This will be added to `LDAP
|
|
|
317
|
Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
|
|
317
|
Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
|
|
|
318
|
"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
|
|
318
|
"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
|
|
|
319
|
connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
|
|
319
|
connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
|
|
|
320
|
::
|
|
320
|
::
|
|
|
321
|
|
|
321
|
|
|
|
322
|
(&(LDAPFILTER)(uid=jsmith))
|
|
322
|
(&(LDAPFILTER)(uid=jsmith))
|
|
|
323
|
|
|
323
|
|
|
|
324
|
.. _ldap_attr_firstname:
|
|
324
|
.. _ldap_attr_firstname:
|
|
|
325
|
|
|
325
|
|
|
|
326
|
First Name Attribute : required
|
|
326
|
First Name Attribute : required
|
|
|
327
|
The LDAP record attribute which represents the user's first name.
|
|
327
|
The LDAP record attribute which represents the user's first name.
|
|
|
328
|
|
|
328
|
|
|
|
329
|
.. _ldap_attr_lastname:
|
|
329
|
.. _ldap_attr_lastname:
|
|
|
330
|
|
|
330
|
|
|
|
331
|
Last Name Attribute : required
|
|
331
|
Last Name Attribute : required
|
|
|
332
|
The LDAP record attribute which represents the user's last name.
|
|
332
|
The LDAP record attribute which represents the user's last name.
|
|
|
333
|
|
|
333
|
|
|
|
334
|
.. _ldap_attr_email:
|
|
334
|
.. _ldap_attr_email:
|
|
|
335
|
|
|
335
|
|
|
|
336
|
Email Attribute : required
|
|
336
|
Email Attribute : required
|
|
|
337
|
The LDAP record attribute which represents the user's email address.
|
|
337
|
The LDAP record attribute which represents the user's email address.
|
|
|
338
|
|
|
338
|
|
|
|
339
|
If all data are entered correctly, and python-ldap_ is properly installed
|
|
339
|
If all data are entered correctly, and python-ldap_ is properly installed
|
|
|
340
|
users should be granted access to Kallithea with LDAP accounts. At this
|
|
340
|
users should be granted access to Kallithea with LDAP accounts. At this
|
|
|
341
|
time user information is copied from LDAP into the Kallithea user database.
|
|
341
|
time user information is copied from LDAP into the Kallithea user database.
|
|
|
342
|
This means that updates of an LDAP user object may not be reflected as a
|
|
342
|
This means that updates of an LDAP user object may not be reflected as a
|
|
|
343
|
user update in Kallithea.
|
|
343
|
user update in Kallithea.
|
|
|
344
|
|
|
344
|
|
|
|
345
|
If You have problems with LDAP access and believe You entered correct
|
|
345
|
If You have problems with LDAP access and believe You entered correct
|
|
|
346
|
information check out the Kallithea logs, any error messages sent from LDAP
|
|
346
|
information check out the Kallithea logs, any error messages sent from LDAP
|
|
|
347
|
will be saved there.
|
|
347
|
will be saved there.
|
|
|
348
|
|
|
348
|
|
|
|
349
|
Active Directory
|
|
349
|
Active Directory
|
|
|
350
|
''''''''''''''''
|
|
350
|
''''''''''''''''
|
|
|
351
|
|
|
351
|
|
|
|
352
|
Kallithea can use Microsoft Active Directory for user authentication. This
|
|
352
|
Kallithea can use Microsoft Active Directory for user authentication. This
|
|
|
353
|
is done through an LDAP or LDAPS connection to Active Directory. The
|
|
353
|
is done through an LDAP or LDAPS connection to Active Directory. The
|
|
|
354
|
following LDAP configuration settings are typical for using Active
|
|
354
|
following LDAP configuration settings are typical for using Active
|
|
|
355
|
Directory ::
|
|
355
|
Directory ::
|
|
|
356
|
|
|
356
|
|
|
|
357
|
Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
|
|
357
|
Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
|
|
|
358
|
Login Attribute = sAMAccountName
|
|
358
|
Login Attribute = sAMAccountName
|
|
|
359
|
First Name Attribute = givenName
|
|
359
|
First Name Attribute = givenName
|
|
|
360
|
Last Name Attribute = sn
|
|
360
|
Last Name Attribute = sn
|
|
|
361
|
Email Attribute = mail
|
|
361
|
Email Attribute = mail
|
|
|
362
|
|
|
362
|
|
|
|
363
|
All other LDAP settings will likely be site-specific and should be
|
|
363
|
All other LDAP settings will likely be site-specific and should be
|
|
|
364
|
appropriately configured.
|
|
364
|
appropriately configured.
|
|
|
365
|
|
|
365
|
|
|
|
366
|
|
|
366
|
|
|
|
367
|
Authentication by container or reverse-proxy
|
|
367
|
Authentication by container or reverse-proxy
|
|
|
368
|
--------------------------------------------
|
|
368
|
--------------------------------------------
|
|
|
369
|
|
|
369
|
|
|
|
370
|
Kallithea supports delegating the authentication
|
|
370
|
Kallithea supports delegating the authentication
|
|
|
371
|
of users to its WSGI container, or to a reverse-proxy server through which all
|
|
371
|
of users to its WSGI container, or to a reverse-proxy server through which all
|
|
|
372
|
clients access the application.
|
|
372
|
clients access the application.
|
|
|
373
|
|
|
373
|
|
|
|
374
|
When these authentication methods are enabled in Kallithea, it uses the
|
|
374
|
When these authentication methods are enabled in Kallithea, it uses the
|
|
|
375
|
username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
|
|
375
|
username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
|
|
|
376
|
perform the authentication itself. The authorization, however, is still done by
|
|
376
|
perform the authentication itself. The authorization, however, is still done by
|
|
|
377
|
Kallithea according to its settings.
|
|
377
|
Kallithea according to its settings.
|
|
|
378
|
|
|
378
|
|
|
|
379
|
When a user logs in for the first time using these authentication methods,
|
|
379
|
When a user logs in for the first time using these authentication methods,
|
|
|
380
|
a matching user account is created in Kallithea with default permissions. An
|
|
380
|
a matching user account is created in Kallithea with default permissions. An
|
|
|
381
|
administrator can then modify it using Kallithea's admin interface.
|
|
381
|
administrator can then modify it using Kallithea's admin interface.
|
|
|
382
|
|
|
382
|
|
|
|
383
|
It's also possible for an administrator to create accounts and configure their
|
|
383
|
It's also possible for an administrator to create accounts and configure their
|
|
|
384
|
permissions before the user logs in for the first time, using the :ref:`create-user` API.
|
|
384
|
permissions before the user logs in for the first time, using the :ref:`create-user` API.
|
|
|
385
|
|
|
385
|
|
|
|
386
|
Container-based authentication
|
|
386
|
Container-based authentication
|
|
|
387
|
''''''''''''''''''''''''''''''
|
|
387
|
''''''''''''''''''''''''''''''
|
|
|
388
|
|
|
388
|
|
|
|
389
|
In a container-based authentication setup, Kallithea reads the user name from
|
|
389
|
In a container-based authentication setup, Kallithea reads the user name from
|
|
|
390
|
the ``REMOTE_USER`` server variable provided by the WSGI container.
|
|
390
|
the ``REMOTE_USER`` server variable provided by the WSGI container.
|
|
|
391
|
|
|
391
|
|
|
|
392
|
After setting up your container (see `Apache with mod_wsgi`_), you'll need
|
|
392
|
After setting up your container (see `Apache with mod_wsgi`_), you'll need
|
|
|
393
|
to configure it to require authentication on the location configured for
|
|
393
|
to configure it to require authentication on the location configured for
|
|
|
394
|
Kallithea.
|
|
394
|
Kallithea.
|
|
|
395
|
|
|
395
|
|
|
|
396
|
Proxy pass-through authentication
|
|
396
|
Proxy pass-through authentication
|
|
|
397
|
'''''''''''''''''''''''''''''''''
|
|
397
|
'''''''''''''''''''''''''''''''''
|
|
|
398
|
|
|
398
|
|
|
|
399
|
In a proxy pass-through authentication setup, Kallithea reads the user name
|
|
399
|
In a proxy pass-through authentication setup, Kallithea reads the user name
|
|
|
400
|
from the ``X-Forwarded-User`` request header, which should be configured to be
|
|
400
|
from the ``X-Forwarded-User`` request header, which should be configured to be
|
|
|
401
|
sent by the reverse-proxy server.
|
|
401
|
sent by the reverse-proxy server.
|
|
|
402
|
|
|
402
|
|
|
|
403
|
After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
|
|
403
|
After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
|
|
|
404
|
`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
|
|
404
|
`Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
|
|
|
405
|
configure the authentication and add the username in a request header named
|
|
405
|
configure the authentication and add the username in a request header named
|
|
|
406
|
``X-Forwarded-User``.
|
|
406
|
``X-Forwarded-User``.
|
|
|
407
|
|
|
407
|
|
|
|
408
|
For example, the following config section for Apache sets a subdirectory in a
|
|
408
|
For example, the following config section for Apache sets a subdirectory in a
|
|
|
409
|
reverse-proxy setup with basic auth:
|
|
409
|
reverse-proxy setup with basic auth:
|
|
|
410
|
|
|
410
|
|
|
|
411
|
.. code-block:: apache
|
|
411
|
.. code-block:: apache
|
|
|
412
|
|
|
412
|
|
|
|
413
|
<Location /someprefix>
|
|
413
|
<Location /someprefix>
|
|
|
414
|
ProxyPass http://127.0.0.1:5000/someprefix
|
|
414
|
ProxyPass http://127.0.0.1:5000/someprefix
|
|
|
415
|
ProxyPassReverse http://127.0.0.1:5000/someprefix
|
|
415
|
ProxyPassReverse http://127.0.0.1:5000/someprefix
|
|
|
416
|
SetEnvIf X-Url-Scheme https HTTPS=1
|
|
416
|
SetEnvIf X-Url-Scheme https HTTPS=1
|
|
|
417
|
|
|
417
|
|
|
|
418
|
AuthType Basic
|
|
418
|
AuthType Basic
|
|
|
419
|
AuthName "Kallithea authentication"
|
|
419
|
AuthName "Kallithea authentication"
|
|
|
420
|
AuthUserFile /srv/kallithea/.htpasswd
|
|
420
|
AuthUserFile /srv/kallithea/.htpasswd
|
|
|
421
|
Require valid-user
|
|
421
|
Require valid-user
|
|
|
422
|
|
|
422
|
|
|
|
423
|
RequestHeader unset X-Forwarded-User
|
|
423
|
RequestHeader unset X-Forwarded-User
|
|
|
424
|
|
|
424
|
|
|
|
425
|
RewriteEngine On
|
|
425
|
RewriteEngine On
|
|
|
426
|
RewriteCond %{LA-U:REMOTE_USER} (.+)
|
|
426
|
RewriteCond %{LA-U:REMOTE_USER} (.+)
|
|
|
427
|
RewriteRule .* - [E=RU:%1]
|
|
427
|
RewriteRule .* - [E=RU:%1]
|
|
|
428
|
RequestHeader set X-Forwarded-User %{RU}e
|
|
428
|
RequestHeader set X-Forwarded-User %{RU}e
|
|
|
429
|
</Location>
|
|
429
|
</Location>
|
|
|
430
|
|
|
430
|
|
|
|
431
|
.. note::
|
|
431
|
.. note::
|
|
|
432
|
If you enable proxy pass-through authentication, make sure your server is
|
|
432
|
If you enable proxy pass-through authentication, make sure your server is
|
|
|
433
|
only accessible through the proxy. Otherwise, any client would be able to
|
|
433
|
only accessible through the proxy. Otherwise, any client would be able to
|
|
|
434
|
forge the authentication header and could effectively become authenticated
|
|
434
|
forge the authentication header and could effectively become authenticated
|
|
|
435
|
using any account of their liking.
|
|
435
|
using any account of their liking.
|
|
|
436
|
|
|
436
|
|
|
|
437
|
|
|
437
|
|
|
|
438
|
Integration with issue trackers
|
|
438
|
Integration with issue trackers
|
|
|
439
|
-------------------------------
|
|
439
|
-------------------------------
|
|
|
440
|
|
|
440
|
|
|
|
441
|
Kallithea provides a simple integration with issue trackers. It's possible
|
|
441
|
Kallithea provides a simple integration with issue trackers. It's possible
|
|
|
442
|
to define a regular expression that will match an issue ID in commit messages,
|
|
442
|
to define a regular expression that will match an issue ID in commit messages,
|
|
|
443
|
and have that replaced with a URL to the issue. To enable this simply
|
|
443
|
and have that replaced with a URL to the issue. To enable this simply
|
|
|
444
|
uncomment the following variables in the ini file::
|
|
444
|
uncomment the following variables in the ini file::
|
|
|
445
|
|
|
445
|
|
|
|
446
|
issue_pat = (?:^#|\s#)(\w+)
|
|
446
|
issue_pat = (?:^#|\s#)(\w+)
|
|
|
447
|
issue_server_link = https://issues.example.com/{repo}/issue/{id}
|
|
447
|
issue_server_link = https://issues.example.com/{repo}/issue/{id}
|
|
|
448
|
issue_prefix = #
|
|
448
|
issue_prefix = #
|
|
|
449
|
|
|
449
|
|
|
|
450
|
``issue_pat`` is the regular expression describing which strings in
|
|
450
|
``issue_pat`` is the regular expression describing which strings in
|
|
|
451
|
commit messages will be treated as issue references. A match group in
|
|
451
|
commit messages will be treated as issue references. A match group in
|
|
|
452
|
parentheses should be used to specify the actual issue id.
|
|
452
|
parentheses should be used to specify the actual issue id.
|
|
|
453
|
|
|
453
|
|
|
|
454
|
The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
|
|
454
|
The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
|
|
|
455
|
|
|
455
|
|
|
|
456
|
Matched issue references are replaced with the link specified in
|
|
456
|
Matched issue references are replaced with the link specified in
|
|
|
457
|
``issue_server_link``. ``{id}`` is replaced with the issue ID, and
|
|
457
|
``issue_server_link``. ``{id}`` is replaced with the issue ID, and
|
|
|
458
|
``{repo}`` with the repository name. Since the # is stripped away,
|
|
458
|
``{repo}`` with the repository name. Since the # is stripped away,
|
|
|
459
|
``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
|
|
459
|
``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
|
|
|
460
|
necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
|
|
460
|
necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
|
|
|
461
|
generate a URL in the format:
|
|
461
|
generate a URL in the format:
|
|
|
462
|
|
|
462
|
|
|
|
463
|
.. code-block:: html
|
|
463
|
.. code-block:: html
|
|
|
464
|
|
|
464
|
|
|
|
465
|
<a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
|
|
465
|
<a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
|
|
|
466
|
|
|
466
|
|
|
|
467
|
If needed, more than one pattern can be specified by appending a unique suffix to
|
|
467
|
If needed, more than one pattern can be specified by appending a unique suffix to
|
|
|
468
|
the variables. For example::
|
|
468
|
the variables. For example::
|
|
|
469
|
|
|
469
|
|
|
|
470
|
issue_pat_wiki = (?:wiki-)(.+)
|
|
470
|
issue_pat_wiki = (?:wiki-)(.+)
|
|
|
471
|
issue_server_link_wiki = https://wiki.example.com/{id}
|
|
471
|
issue_server_link_wiki = https://wiki.example.com/{id}
|
|
|
472
|
issue_prefix_wiki = WIKI-
|
|
472
|
issue_prefix_wiki = WIKI-
|
|
|
473
|
|
|
473
|
|
|
|
474
|
With these settings, wiki pages can be referenced as wiki-some-id, and every
|
|
474
|
With these settings, wiki pages can be referenced as wiki-some-id, and every
|
|
|
475
|
such reference will be transformed into:
|
|
475
|
such reference will be transformed into:
|
|
|
476
|
|
|
476
|
|
|
|
477
|
.. code-block:: html
|
|
477
|
.. code-block:: html
|
|
|
478
|
|
|
478
|
|
|
|
479
|
<a href="https://wiki.example.com/some-id">WIKI-some-id</a>
|
|
479
|
<a href="https://wiki.example.com/some-id">WIKI-some-id</a>
|
|
|
480
|
|
|
480
|
|
|
|
481
|
|
|
481
|
|
|
|
482
|
Hook management
|
|
482
|
Hook management
|
|
|
483
|
---------------
|
|
483
|
---------------
|
|
|
484
|
|
|
484
|
|
|
|
485
|
Hooks can be managed in similar way to that used in ``.hgrc`` files.
|
|
485
|
Hooks can be managed in similar way to that used in ``.hgrc`` files.
|
|
|
486
|
To manage hooks, choose *Admin > Settings > Hooks*.
|
|
486
|
To manage hooks, choose *Admin > Settings > Hooks*.
|
|
|
487
|
|
|
487
|
|
|
|
488
|
The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
|
|
488
|
The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
|
|
|
489
|
|
|
489
|
|
|
|
490
|
To add another custom hook simply fill in the first textbox with
|
|
490
|
To add another custom hook simply fill in the first textbox with
|
|
|
491
|
``<name>.<hook_type>`` and the second with the hook path. Example hooks
|
|
491
|
``<name>.<hook_type>`` and the second with the hook path. Example hooks
|
|
|
492
|
can be found in ``kallithea.lib.hooks``.
|
|
492
|
can be found in ``kallithea.lib.hooks``.
|
|
|
493
|
|
|
493
|
|
|
|
494
|
|
|
494
|
|
|
|
495
|
Changing default encoding
|
|
495
|
Changing default encoding
|
|
|
496
|
-------------------------
|
|
496
|
-------------------------
|
|
|
497
|
|
|
497
|
|
|
|
498
|
By default, Kallithea uses UTF-8 encoding.
|
|
498
|
By default, Kallithea uses UTF-8 encoding.
|
|
|
499
|
This is configurable as ``default_encoding`` in the .ini file.
|
|
499
|
This is configurable as ``default_encoding`` in the .ini file.
|
|
|
500
|
This affects many parts in Kallithea including user names, filenames, and
|
|
500
|
This affects many parts in Kallithea including user names, filenames, and
|
|
|
501
|
encoding of commit messages. In addition Kallithea can detect if the ``chardet``
|
|
501
|
encoding of commit messages. In addition Kallithea can detect if the ``chardet``
|
|
|
502
|
library is installed. If ``chardet`` is detected Kallithea will fallback to it
|
|
502
|
library is installed. If ``chardet`` is detected Kallithea will fallback to it
|
|
|
503
|
when there are encode/decode errors.
|
|
503
|
when there are encode/decode errors.
|
|
|
504
|
|
|
504
|
|
|
|
505
|
|
|
505
|
|
|
|
506
|
Celery configuration
|
|
506
|
Celery configuration
|
|
|
507
|
--------------------
|
|
507
|
--------------------
|
|
|
508
|
|
|
508
|
|
|
|
509
|
Kallithea can use the distributed task queue system Celery_ to run tasks like
|
|
509
|
Kallithea can use the distributed task queue system Celery_ to run tasks like
|
|
|
510
|
cloning repositories or sending emails.
|
|
510
|
cloning repositories or sending emails.
|
|
|
511
|
|
|
511
|
|
|
|
512
|
Kallithea will in most setups work perfectly fine out of the box (without
|
|
512
|
Kallithea will in most setups work perfectly fine out of the box (without
|
|
|
513
|
Celery), executing all tasks in the web server process. Some tasks can however
|
|
513
|
Celery), executing all tasks in the web server process. Some tasks can however
|
|
|
514
|
take some time to run and it can be better to run such tasks asynchronously in
|
|
514
|
take some time to run and it can be better to run such tasks asynchronously in
|
|
|
515
|
a separate process so the web server can focus on serving web requests.
|
|
515
|
a separate process so the web server can focus on serving web requests.
|
|
|
516
|
|
|
516
|
|
|
|
517
|
For installation and configuration of Celery, see the `Celery documentation`_.
|
|
517
|
For installation and configuration of Celery, see the `Celery documentation`_.
|
|
|
518
|
Note that Celery requires a message broker service like RabbitMQ_ (recommended)
|
|
518
|
Note that Celery requires a message broker service like RabbitMQ_ (recommended)
|
|
|
519
|
or Redis_.
|
|
519
|
or Redis_.
|
|
|
520
|
|
|
520
|
|
|
|
521
|
The use of Celery is configured in the Kallithea ini configuration file.
|
|
521
|
The use of Celery is configured in the Kallithea ini configuration file.
|
|
|
522
|
To enable it, simply set::
|
|
522
|
To enable it, simply set::
|
|
|
523
|
|
|
523
|
|
|
|
524
|
use_celery = true
|
|
524
|
use_celery = true
|
|
|
525
|
|
|
525
|
|
|
|
526
|
and add or change the ``celery.*`` and ``broker.*`` configuration variables.
|
|
526
|
and add or change the ``celery.*`` and ``broker.*`` configuration variables.
|
|
|
527
|
|
|
527
|
|
|
|
528
|
Remember that the ini files use the format with '.' and not with '_' like
|
|
528
|
Remember that the ini files use the format with '.' and not with '_' like
|
|
|
529
|
Celery. So for example setting `BROKER_HOST` in Celery means setting
|
|
529
|
Celery. So for example setting `BROKER_HOST` in Celery means setting
|
|
|
530
|
`broker.host` in the configuration file.
|
|
530
|
`broker.host` in the configuration file.
|
|
|
531
|
|
|
531
|
|
|
|
532
|
To start the Celery process, run::
|
|
532
|
To start the Celery process, run::
|
|
|
533
|
|
|
533
|
|
|
|
534
|
paster celeryd <configfile.ini>
|
|
534
|
paster celeryd <configfile.ini>
|
|
|
535
|
|
|
535
|
|
|
|
536
|
.. note::
|
|
536
|
.. note::
|
|
|
537
|
Make sure you run this command from the same virtualenv, and with the same
|
|
537
|
Make sure you run this command from the same virtualenv, and with the same
|
|
|
538
|
user that Kallithea runs.
|
|
538
|
user that Kallithea runs.
|
|
|
539
|
|
|
539
|
|
|
|
540
|
|
|
540
|
|
|
|
541
|
HTTPS support
|
|
541
|
HTTPS support
|
|
|
542
|
-------------
|
|
542
|
-------------
|
|
|
543
|
|
|
543
|
|
|
|
544
|
Kallithea will by default generate URLs based on the WSGI environment.
|
|
544
|
Kallithea will by default generate URLs based on the WSGI environment.
|
|
|
545
|
|
|
545
|
|
|
|
546
|
Alternatively, you can use some special configuration settings to control
|
|
546
|
Alternatively, you can use some special configuration settings to control
|
|
|
547
|
directly which scheme/protocol Kallithea will use when generating URLs:
|
|
547
|
directly which scheme/protocol Kallithea will use when generating URLs:
|
|
|
548
|
|
|
548
|
|
|
|
549
|
- With ``https_fixup = true``, the scheme will be taken from the
|
|
549
|
- With ``https_fixup = true``, the scheme will be taken from the
|
|
|
550
|
``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
|
|
550
|
``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
|
|
|
551
|
(default ``http``).
|
|
551
|
(default ``http``).
|
|
|
552
|
- With ``force_https = true`` the default will be ``https``.
|
|
552
|
- With ``force_https = true`` the default will be ``https``.
|
|
|
553
|
- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
|
|
553
|
- With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
|
|
|
554
|
|
|
554
|
|
|
|
555
|
|
|
555
|
|
|
|
556
|
Nginx virtual host example
|
|
556
|
Nginx virtual host example
|
|
|
557
|
--------------------------
|
|
557
|
--------------------------
|
|
|
558
|
|
|
558
|
|
|
|
559
|
Sample config for Nginx using proxy:
|
|
559
|
Sample config for Nginx using proxy:
|
|
|
560
|
|
|
560
|
|
|
|
561
|
.. code-block:: nginx
|
|
561
|
.. code-block:: nginx
|
|
|
562
|
|
|
562
|
|
|
|
563
|
upstream kallithea {
|
|
563
|
upstream kallithea {
|
|
|
564
|
server 127.0.0.1:5000;
|
|
564
|
server 127.0.0.1:5000;
|
|
|
565
|
# add more instances for load balancing
|
|
565
|
# add more instances for load balancing
|
|
|
566
|
#server 127.0.0.1:5001;
|
|
566
|
#server 127.0.0.1:5001;
|
|
|
567
|
#server 127.0.0.1:5002;
|
|
567
|
#server 127.0.0.1:5002;
|
|
|
568
|
}
|
|
568
|
}
|
|
|
569
|
|
|
569
|
|
|
|
570
|
## gist alias
|
|
570
|
## gist alias
|
|
|
571
|
server {
|
|
571
|
server {
|
|
|
572
|
listen 443;
|
|
572
|
listen 443;
|
|
|
573
|
server_name gist.example.com;
|
|
573
|
server_name gist.example.com;
|
|
|
574
|
access_log /var/log/nginx/gist.access.log;
|
|
574
|
access_log /var/log/nginx/gist.access.log;
|
|
|
575
|
error_log /var/log/nginx/gist.error.log;
|
|
575
|
error_log /var/log/nginx/gist.error.log;
|
|
|
576
|
|
|
576
|
|
|
|
577
|
ssl on;
|
|
577
|
ssl on;
|
|
|
578
|
ssl_certificate gist.your.kallithea.server.crt;
|
|
578
|
ssl_certificate gist.your.kallithea.server.crt;
|
|
|
579
|
ssl_certificate_key gist.your.kallithea.server.key;
|
|
579
|
ssl_certificate_key gist.your.kallithea.server.key;
|
|
|
580
|
|
|
580
|
|
|
|
581
|
ssl_session_timeout 5m;
|
|
581
|
ssl_session_timeout 5m;
|
|
|
582
|
|
|
582
|
|
|
|
583
|
ssl_protocols SSLv3 TLSv1;
|
|
583
|
ssl_protocols SSLv3 TLSv1;
|
|
|
584
|
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
|
|
584
|
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
|
|
|
585
|
ssl_prefer_server_ciphers on;
|
|
585
|
ssl_prefer_server_ciphers on;
|
|
|
586
|
|
|
586
|
|
|
|
587
|
rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
|
|
587
|
rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
|
|
|
588
|
rewrite (.*) https://kallithea.example.com/_admin/gists;
|
|
588
|
rewrite (.*) https://kallithea.example.com/_admin/gists;
|
|
|
589
|
}
|
|
589
|
}
|
|
|
590
|
|
|
590
|
|
|
|
591
|
server {
|
|
591
|
server {
|
|
|
592
|
listen 443;
|
|
592
|
listen 443;
|
|
|
593
|
server_name kallithea.example.com
|
|
593
|
server_name kallithea.example.com
|
|
|
594
|
access_log /var/log/nginx/kallithea.access.log;
|
|
594
|
access_log /var/log/nginx/kallithea.access.log;
|
|
|
595
|
error_log /var/log/nginx/kallithea.error.log;
|
|
595
|
error_log /var/log/nginx/kallithea.error.log;
|
|
|
596
|
|
|
596
|
|
|
|
597
|
ssl on;
|
|
597
|
ssl on;
|
|
|
598
|
ssl_certificate your.kallithea.server.crt;
|
|
598
|
ssl_certificate your.kallithea.server.crt;
|
|
|
599
|
ssl_certificate_key your.kallithea.server.key;
|
|
599
|
ssl_certificate_key your.kallithea.server.key;
|
|
|
600
|
|
|
600
|
|
|
|
601
|
ssl_session_timeout 5m;
|
|
601
|
ssl_session_timeout 5m;
|
|
|
602
|
|
|
602
|
|
|
|
603
|
ssl_protocols SSLv3 TLSv1;
|
|
603
|
ssl_protocols SSLv3 TLSv1;
|
|
|
604
|
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
|
|
604
|
ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
|
|
|
605
|
ssl_prefer_server_ciphers on;
|
|
605
|
ssl_prefer_server_ciphers on;
|
|
|
606
|
|
|
606
|
|
|
|
607
|
## uncomment root directive if you want to serve static files by nginx
|
|
607
|
## uncomment root directive if you want to serve static files by nginx
|
|
|
608
|
## requires static_files = false in .ini file
|
|
608
|
## requires static_files = false in .ini file
|
|
|
609
|
#root /path/to/installation/kallithea/public;
|
|
609
|
#root /path/to/installation/kallithea/public;
|
|
|
610
|
include /etc/nginx/proxy.conf;
|
|
610
|
include /etc/nginx/proxy.conf;
|
|
|
611
|
location / {
|
|
611
|
location / {
|
|
|
612
|
try_files $uri @kallithea;
|
|
612
|
try_files $uri @kallithea;
|
|
|
613
|
}
|
|
613
|
}
|
|
|
614
|
|
|
614
|
|
|
|
615
|
location @kallithea {
|
|
615
|
location @kallithea {
|
|
|
616
|
proxy_pass http://127.0.0.1:5000;
|
|
616
|
proxy_pass http://127.0.0.1:5000;
|
|
|
617
|
}
|
|
617
|
}
|
|
|
618
|
|
|
618
|
|
|
|
619
|
}
|
|
619
|
}
|
|
|
620
|
|
|
620
|
|
|
|
621
|
Here's the proxy.conf. It's tuned so it will not timeout on long
|
|
621
|
Here's the proxy.conf. It's tuned so it will not timeout on long
|
|
|
622
|
pushes or large pushes::
|
|
622
|
pushes or large pushes::
|
|
|
623
|
|
|
623
|
|
|
|
624
|
proxy_redirect off;
|
|
624
|
proxy_redirect off;
|
|
|
625
|
proxy_set_header Host $host;
|
|
625
|
proxy_set_header Host $host;
|
|
|
626
|
## needed for container auth
|
|
626
|
## needed for container auth
|
|
|
627
|
#proxy_set_header REMOTE_USER $remote_user;
|
|
627
|
#proxy_set_header REMOTE_USER $remote_user;
|
|
|
628
|
#proxy_set_header X-Forwarded-User $remote_user;
|
|
628
|
#proxy_set_header X-Forwarded-User $remote_user;
|
|
|
629
|
proxy_set_header X-Url-Scheme $scheme;
|
|
629
|
proxy_set_header X-Url-Scheme $scheme;
|
|
|
630
|
proxy_set_header X-Host $http_host;
|
|
630
|
proxy_set_header X-Host $http_host;
|
|
|
631
|
proxy_set_header X-Real-IP $remote_addr;
|
|
631
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
632
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
632
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
633
|
proxy_set_header Proxy-host $proxy_host;
|
|
633
|
proxy_set_header Proxy-host $proxy_host;
|
|
|
634
|
proxy_buffering off;
|
|
634
|
proxy_buffering off;
|
|
|
635
|
proxy_connect_timeout 7200;
|
|
635
|
proxy_connect_timeout 7200;
|
|
|
636
|
proxy_send_timeout 7200;
|
|
636
|
proxy_send_timeout 7200;
|
|
|
637
|
proxy_read_timeout 7200;
|
|
637
|
proxy_read_timeout 7200;
|
|
|
638
|
proxy_buffers 8 32k;
|
|
638
|
proxy_buffers 8 32k;
|
|
|
639
|
client_max_body_size 1024m;
|
|
639
|
client_max_body_size 1024m;
|
|
|
640
|
client_body_buffer_size 128k;
|
|
640
|
client_body_buffer_size 128k;
|
|
|
641
|
large_client_header_buffers 8 64k;
|
|
641
|
large_client_header_buffers 8 64k;
|
|
|
642
|
|
|
642
|
|
|
|
643
|
|
|
643
|
|
|
|
644
|
Apache virtual host reverse proxy example
|
|
644
|
Apache virtual host reverse proxy example
|
|
|
645
|
-----------------------------------------
|
|
645
|
-----------------------------------------
|
|
|
646
|
|
|
646
|
|
|
|
647
|
Here is a sample configuration file for Apache using proxy:
|
|
647
|
Here is a sample configuration file for Apache using proxy:
|
|
|
648
|
|
|
648
|
|
|
|
649
|
.. code-block:: apache
|
|
649
|
.. code-block:: apache
|
|
|
650
|
|
|
650
|
|
|
|
651
|
<VirtualHost *:80>
|
|
651
|
<VirtualHost *:80>
|
|
|
652
|
ServerName kallithea.example.com
|
|
652
|
ServerName kallithea.example.com
|
|
|
653
|
|
|
653
|
|
|
|
654
|
<Proxy *>
|
|
654
|
<Proxy *>
|
|
|
655
|
# For Apache 2.4 and later:
|
|
655
|
# For Apache 2.4 and later:
|
|
|
656
|
Require all granted
|
|
656
|
Require all granted
|
|
|
657
|
|
|
657
|
|
|
|
658
|
# For Apache 2.2 and earlier, instead use:
|
|
658
|
# For Apache 2.2 and earlier, instead use:
|
|
|
659
|
# Order allow,deny
|
|
659
|
# Order allow,deny
|
|
|
660
|
# Allow from all
|
|
660
|
# Allow from all
|
|
|
661
|
</Proxy>
|
|
661
|
</Proxy>
|
|
|
662
|
|
|
662
|
|
|
|
663
|
#important !
|
|
663
|
#important !
|
|
|
664
|
#Directive to properly generate url (clone url) for pylons
|
|
664
|
#Directive to properly generate url (clone url) for pylons
|
|
|
665
|
ProxyPreserveHost On
|
|
665
|
ProxyPreserveHost On
|
|
|
666
|
|
|
666
|
|
|
|
667
|
#kallithea instance
|
|
667
|
#kallithea instance
|
|
|
668
|
ProxyPass / http://127.0.0.1:5000/
|
|
668
|
ProxyPass / http://127.0.0.1:5000/
|
|
|
669
|
ProxyPassReverse / http://127.0.0.1:5000/
|
|
669
|
ProxyPassReverse / http://127.0.0.1:5000/
|
|
|
670
|
|
|
670
|
|
|
|
671
|
#to enable https use line below
|
|
671
|
#to enable https use line below
|
|
|
672
|
#SetEnvIf X-Url-Scheme https HTTPS=1
|
|
672
|
#SetEnvIf X-Url-Scheme https HTTPS=1
|
|
|
673
|
</VirtualHost>
|
|
673
|
</VirtualHost>
|
|
|
674
|
|
|
674
|
|
|
|
675
|
Additional tutorial
|
|
675
|
Additional tutorial
|
|
|
676
|
http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
|
|
676
|
http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
|
|
|
677
|
|
|
677
|
|
|
|
678
|
|
|
678
|
|
|
|
679
|
Apache as subdirectory
|
|
679
|
Apache as subdirectory
|
|
|
680
|
----------------------
|
|
680
|
----------------------
|
|
|
681
|
|
|
681
|
|
|
|
682
|
Apache subdirectory part:
|
|
682
|
Apache subdirectory part:
|
|
|
683
|
|
|
683
|
|
|
|
684
|
.. code-block:: apache
|
|
684
|
.. code-block:: apache
|
|
|
685
|
|
|
685
|
|
|
|
686
|
<Location /<someprefix> >
|
|
686
|
<Location /<someprefix> >
|
|
|
687
|
ProxyPass http://127.0.0.1:5000/<someprefix>
|
|
687
|
ProxyPass http://127.0.0.1:5000/<someprefix>
|
|
|
688
|
ProxyPassReverse http://127.0.0.1:5000/<someprefix>
|
|
688
|
ProxyPassReverse http://127.0.0.1:5000/<someprefix>
|
|
|
689
|
SetEnvIf X-Url-Scheme https HTTPS=1
|
|
689
|
SetEnvIf X-Url-Scheme https HTTPS=1
|
|
|
690
|
</Location>
|
|
690
|
</Location>
|
|
|
691
|
|
|
691
|
|
|
|
692
|
Besides the regular apache setup you will need to add the following line
|
|
692
|
Besides the regular apache setup you will need to add the following line
|
|
|
693
|
into ``[app:main]`` section of your .ini file::
|
|
693
|
into ``[app:main]`` section of your .ini file::
|
|
|
694
|
|
|
694
|
|
|
|
695
|
filter-with = proxy-prefix
|
|
695
|
filter-with = proxy-prefix
|
|
|
696
|
|
|
696
|
|
|
|
697
|
Add the following at the end of the .ini file::
|
|
697
|
Add the following at the end of the .ini file::
|
|
|
698
|
|
|
698
|
|
|
|
699
|
[filter:proxy-prefix]
|
|
699
|
[filter:proxy-prefix]
|
|
|
700
|
use = egg:PasteDeploy#prefix
|
|
700
|
use = egg:PasteDeploy#prefix
|
|
|
701
|
prefix = /<someprefix>
|
|
701
|
prefix = /<someprefix>
|
|
|
702
|
|
|
702
|
|
|
|
703
|
then change ``<someprefix>`` into your chosen prefix
|
|
703
|
then change ``<someprefix>`` into your chosen prefix
|
|
|
704
|
|
|
704
|
|
|
|
705
|
|
|
705
|
|
|
|
706
|
Apache with mod_wsgi
|
|
706
|
Apache with mod_wsgi
|
|
|
707
|
--------------------
|
|
707
|
--------------------
|
|
|
708
|
|
|
708
|
|
|
|
709
|
Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
|
|
709
|
Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
|
|
|
710
|
that, you'll need to:
|
|
710
|
that, you'll need to:
|
|
|
711
|
|
|
711
|
|
|
|
712
|
- Install mod_wsgi. If using a Debian-based distro, you can install
|
|
712
|
- Install mod_wsgi. If using a Debian-based distro, you can install
|
|
|
713
|
the package libapache2-mod-wsgi::
|
|
713
|
the package libapache2-mod-wsgi::
|
|
|
714
|
|
|
714
|
|
|
|
715
|
aptitude install libapache2-mod-wsgi
|
|
715
|
aptitude install libapache2-mod-wsgi
|
|
|
716
|
|
|
716
|
|
|
|
717
|
- Enable mod_wsgi::
|
|
717
|
- Enable mod_wsgi::
|
|
|
718
|
|
|
718
|
|
|
|
719
|
a2enmod wsgi
|
|
719
|
a2enmod wsgi
|
|
|
720
|
|
|
720
|
|
|
|
721
|
- Add global Apache configuration to tell mod_wsgi that Python only will be
|
|
721
|
- Add global Apache configuration to tell mod_wsgi that Python only will be
|
|
|
722
|
used in the WSGI processes and shouldn't be initialized in the Apache
|
|
722
|
used in the WSGI processes and shouldn't be initialized in the Apache
|
|
|
723
|
processes::
|
|
723
|
processes::
|
|
|
724
|
|
|
724
|
|
|
|
725
|
WSGIRestrictEmbedded On
|
|
725
|
WSGIRestrictEmbedded On
|
|
|
726
|
|
|
726
|
|
|
|
727
|
- Create a wsgi dispatch script, like the one below. Make sure you
|
|
727
|
- Create a wsgi dispatch script, like the one below. Make sure you
|
|
|
728
|
check that the paths correctly point to where you installed Kallithea
|
|
728
|
check that the paths correctly point to where you installed Kallithea
|
|
|
729
|
and its Python Virtual Environment.
|
|
729
|
and its Python Virtual Environment.
|
|
|
730
|
- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
|
|
730
|
- Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
|
|
|
731
|
as in the following example. Once again, check the paths are
|
|
731
|
as in the following example. Once again, check the paths are
|
|
|
732
|
correctly specified.
|
|
732
|
correctly specified.
|
|
|
733
|
|
|
733
|
|
|
|
734
|
Here is a sample excerpt from an Apache Virtual Host configuration file:
|
|
734
|
Here is a sample excerpt from an Apache Virtual Host configuration file:
|
|
|
735
|
|
|
735
|
|
|
|
736
|
.. code-block:: apache
|
|
736
|
.. code-block:: apache
|
|
|
737
|
|
|
737
|
|
|
|
738
|
WSGIDaemonProcess kallithea \
|
|
738
|
WSGIDaemonProcess kallithea \
|
|
|
739
|
threads=4 \
|
|
739
|
threads=4 \
|
|
|
740
|
python-home=/srv/kallithea/venv
|
|
740
|
python-home=/srv/kallithea/venv
|
|
|
741
|
WSGIProcessGroup kallithea
|
|
741
|
WSGIProcessGroup kallithea
|
|
|
742
|
WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
|
|
742
|
WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
|
|
|
743
|
WSGIPassAuthorization On
|
|
743
|
WSGIPassAuthorization On
|
|
|
744
|
|
|
744
|
|
|
|
745
|
Or if using a dispatcher WSGI script with proper virtualenv activation:
|
|
745
|
Or if using a dispatcher WSGI script with proper virtualenv activation:
|
|
|
746
|
|
|
746
|
|
|
|
747
|
.. code-block:: apache
|
|
747
|
.. code-block:: apache
|
|
|
748
|
|
|
748
|
|
|
|
749
|
WSGIDaemonProcess kallithea threads=4
|
|
749
|
WSGIDaemonProcess kallithea threads=4
|
|
|
750
|
WSGIProcessGroup kallithea
|
|
750
|
WSGIProcessGroup kallithea
|
|
|
751
|
WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
|
|
751
|
WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
|
|
|
752
|
WSGIPassAuthorization On
|
|
752
|
WSGIPassAuthorization On
|
|
|
753
|
|
|
753
|
|
|
|
754
|
Apache will by default run as a special Apache user, on Linux systems
|
|
754
|
Apache will by default run as a special Apache user, on Linux systems
|
|
|
755
|
usually ``www-data`` or ``apache``. If you need to have the repositories
|
|
755
|
usually ``www-data`` or ``apache``. If you need to have the repositories
|
|
|
756
|
directory owned by a different user, use the user and group options to
|
|
756
|
directory owned by a different user, use the user and group options to
|
|
|
757
|
WSGIDaemonProcess to set the name of the user and group.
|
|
757
|
WSGIDaemonProcess to set the name of the user and group.
|
|
|
758
|
|
|
758
|
|
|
|
759
|
.. note::
|
|
759
|
.. note::
|
|
|
760
|
If running Kallithea in multiprocess mode,
|
|
760
|
If running Kallithea in multiprocess mode,
|
|
|
761
|
make sure you set ``instance_id = *`` in the configuration so each process
|
|
761
|
make sure you set ``instance_id = *`` in the configuration so each process
|
|
|
762
|
gets it's own cache invalidation key.
|
|
762
|
gets it's own cache invalidation key.
|
|
|
763
|
|
|
763
|
|
|
|
764
|
Example WSGI dispatch script:
|
|
764
|
Example WSGI dispatch script:
|
|
|
765
|
|
|
765
|
|
|
|
766
|
.. code-block:: python
|
|
766
|
.. code-block:: python
|
|
|
767
|
|
|
767
|
|
|
|
768
|
import os
|
|
768
|
import os
|
|
|
769
|
os.environ["HGENCODING"] = "UTF-8"
|
|
769
|
os.environ["HGENCODING"] = "UTF-8"
|
|
|
770
|
os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
|
|
770
|
os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
|
|
|
771
|
|
|
771
|
|
|
|
772
|
# sometimes it's needed to set the curent dir
|
|
772
|
# sometimes it's needed to set the curent dir
|
|
|
773
|
os.chdir('/srv/kallithea/')
|
|
773
|
os.chdir('/srv/kallithea/')
|
|
|
774
|
|
|
774
|
|
|
|
775
|
import site
|
|
775
|
import site
|
|
|
776
|
site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
|
|
776
|
site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
|
|
|
777
|
|
|
777
|
|
|
|
778
|
ini = '/srv/kallithea/my.ini'
|
|
778
|
ini = '/srv/kallithea/my.ini'
|
|
|
779
|
from paste.script.util.logging_config import fileConfig
|
|
779
|
from paste.script.util.logging_config import fileConfig
|
|
|
780
|
fileConfig(ini)
|
|
780
|
fileConfig(ini)
|
|
|
781
|
from paste.deploy import loadapp
|
|
781
|
from paste.deploy import loadapp
|
|
|
782
|
application = loadapp('config:' + ini)
|
|
782
|
application = loadapp('config:' + ini)
|
|
|
783
|
|
|
783
|
|
|
|
784
|
Or using proper virtualenv activation:
|
|
784
|
Or using proper virtualenv activation:
|
|
|
785
|
|
|
785
|
|
|
|
786
|
.. code-block:: python
|
|
786
|
.. code-block:: python
|
|
|
787
|
|
|
787
|
|
|
|
788
|
activate_this = '/srv/kallithea/venv/bin/activate_this.py'
|
|
788
|
activate_this = '/srv/kallithea/venv/bin/activate_this.py'
|
|
|
789
|
execfile(activate_this, dict(__file__=activate_this))
|
|
789
|
execfile(activate_this, dict(__file__=activate_this))
|
|
|
790
|
|
|
790
|
|
|
|
791
|
import os
|
|
791
|
import os
|
|
|
792
|
os.environ['HOME'] = '/srv/kallithea'
|
|
792
|
os.environ['HOME'] = '/srv/kallithea'
|
|
|
793
|
|
|
793
|
|
|
|
794
|
ini = '/srv/kallithea/kallithea.ini'
|
|
794
|
ini = '/srv/kallithea/kallithea.ini'
|
|
|
795
|
from paste.script.util.logging_config import fileConfig
|
|
795
|
from paste.script.util.logging_config import fileConfig
|
|
|
796
|
fileConfig(ini)
|
|
796
|
fileConfig(ini)
|
|
|
797
|
from paste.deploy import loadapp
|
|
797
|
from paste.deploy import loadapp
|
|
|
798
|
application = loadapp('config:' + ini)
|
|
798
|
application = loadapp('config:' + ini)
|
|
|
799
|
|
|
799
|
|
|
|
800
|
|
|
800
|
|
|
|
801
|
Other configuration files
|
|
801
|
Other configuration files
|
|
|
802
|
-------------------------
|
|
802
|
-------------------------
|
|
|
803
|
|
|
803
|
|
|
|
804
|
A number of `example init.d scripts`__ can be found in
|
|
804
|
A number of `example init.d scripts`__ can be found in
|
|
|
805
|
the ``init.d`` directory of the Kallithea source.
|
|
805
|
the ``init.d`` directory of the Kallithea source.
|
|
|
806
|
|
|
806
|
|
|
|
807
|
.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
|
|
807
|
.. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
|
|
|
808
|
|
|
808
|
|
|
|
809
|
|
|
809
|
|
|
|
810
|
.. _virtualenv: http://pypi.python.org/pypi/virtualenv
|
|
810
|
.. _virtualenv: http://pypi.python.org/pypi/virtualenv
|
|
|
811
|
.. _python: http://www.python.org/
|
|
811
|
.. _python: http://www.python.org/
|
|
|
812
|
.. _Mercurial: http://mercurial.selenic.com/
|
|
812
|
.. _Mercurial: https://www.mercurial-scm.org/
|
|
|
813
|
.. _Celery: http://celeryproject.org/
|
|
813
|
.. _Celery: http://celeryproject.org/
|
|
|
814
|
.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
|
|
814
|
.. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
|
|
|
815
|
.. _RabbitMQ: http://www.rabbitmq.com/
|
|
815
|
.. _RabbitMQ: http://www.rabbitmq.com/
|
|
|
816
|
.. _Redis: http://redis.io/
|
|
816
|
.. _Redis: http://redis.io/
|
|
|
817
|
.. _python-ldap: http://www.python-ldap.org/
|
|
817
|
.. _python-ldap: http://www.python-ldap.org/
|
|
|
818
|
.. _mercurial-server: http://www.lshift.net/mercurial-server.html
|
|
818
|
.. _mercurial-server: http://www.lshift.net/mercurial-server.html
|
|
|
819
|
.. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories
|
|
819
|
.. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
|
