Installing Trac with more then one project and svn integration

This post will show you how to setup the Trac enhanced wiki and issue tracking system on your linux box for more then one project and with svn integration. This setup is good if you have more then one client and you want to give each client it’s own separated environment.

You will need:

  • Python 2.7
  • setuptools
  • Genshi
  • htdigest (came with the Apache server)
  • Subversion (optional)
  • Imagemagick (optional)

We’ll use imagemagick to create the project logo and we need htdigest for setting up users.

So let’s start.

One time only installations:

First you need to have Python 2.7 installed so do that by using yum, app-get or compiling from the source code.

After that you have Python you will need setuptools:


wget https://bootstrap.pypa.io/ez_setup.py -O - | python

You also need Genshi:


easy_install Genshi

And now you are ready for installing Trac itself:


easy_install Trac==1.0

You can now install imagemagick by using yum, app-get or compiling from the source code. It’s optional but it can help you later.
Also install svn if you want to integrate repositories to Trac.

Understanding Trac and our setup plan:

Now you have all the tools needed but noting been done yet. Trac creates for each project it’s own environment and you can have more then one project installed on your system. The trac-admin command line tool is used to control project. The first parameter for this tool is always the path to the project. So you don’t have any problems if you want to setup more then one project for different projects with different users.

As for the HTTP server we’ll use tracd which is Trac’s own stand alone HTTP server. The tracd server not supporting SSL but you can run it on localhost only and wrap it with htproxy or any other proxy. I’m preferring that solution then using Apache. Tracd can handle all of our projects in one tracd instance. You can also execute tracd as a daemon. In my case I’m running all my servers (Apache based, node.js apps, lighttp based, Nginx based, Trac standalone, etc) as localhost only and I’m giving each server it’s own port number. Then I’m configuring haproxy to route each domain / sub-domain to the appropriate server.

Our plan will be:

  • Create a directory for holding all the trac environments
  • Create password file (or more, depend on your setup)
  • Use trac-admin to create each project
  • Execute the tracd server

I’m putting all my trac projects under /var/trac:


mkdir /var/trac

We’ll put the list of all the valid users inside one or more password files. Remember that this password file is only been used by the tracd server itself and if you’re not adding a user to a Trac project then it can’t access it unless that you keep the ‘authenticated’ user group of this Trac project. So in other words, every project has it’s own permissions system but the users list can be shared.

One password file:

Pros:

  • You can give a user access to more then one project without need to add it again to a password list.
  • No need to change the tracd starting command when adding new Trac environment

Cons:

  • Every logged user will get all the permissions in the ‘authenticated’ group of each Trac project.
  • Different users with the same name which not belong to the same project can’t have the same account name.
  • Less secured.

More then one password file:

Pros:

  • Separation of all the users between projects.
  • You can implement a way to edit the passwords file of a project by user that should not access other projects.
  • More secured.

Cons:

  • If you want to have the same user and password combination in 2 or more projects can you must add this user to any passwords lit file.
  • You must update your tracd executing command if adding a new passwords file.

You can also mix both options, i.e. using the same passwords file for project 1 and 2 but using separated passwords file for project 3.

More on permissions:

Every visitor of the project’s site which is not logged in will get all the permissions under the ‘anonymous’ group. Any user that managed to login getting all the permissions in the ‘authenticated’ group. The default permissions setup for a new project is giving view permission for any user and modify permissions to any logged in user. I’m preferring to setup my own groups and removing all the permissions on both ‘anonymous’ and ‘authenticated’.

Declaring users:

Creating the first user:


htdigest -c passfile secname username

passfile is the name of the passwords list file
secname can be anything you want but it should match the same name that you giving to the –auth flag when running tracd (see below when executing the tracd server).

To create more users just run it again but this time WITHOUT the -c flag.

Creating a new project:

Change projectName with the real name of the project folder:


trac-admin /var/trac/projectName initenv

Let’s configure the permissions:

myadmin = your administrator user.


trac-admin /var/trac/projectName permission add admin TRAC_ADMIN
trac-admin /var/trac/projectName permission add myadmin admin
trac-admin /var/trac/projectName permission add viewonly BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW TICKET_VIEW TIMELINE_VIEW WIKI_VIEW
trac-admin /var/trac/projectName permission add modify TICKET_CREATE TICKET_MODIFY 
trac-admin /var/trac/projectName permission add modify viewonly
trac-admin /var/trac/projectName permission remove anonymous BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW REPORT_VIEW ROADMAP_VIEW TICKET_VIEW TIMELINE_VIEW WIKI_VIEW
trac-admin /var/trac/projectName permission remove authenticated TICKET_CREATE TICKET_MODIFY 

For each user that need view access:

myuser = user name.


trac-admin /var/trac/projectName permission add myuser viewonly

For each user that need edit access:

myuser = user name.


trac-admin /var/trac/projectName permission add myuser modify

For each user that need admin access:

myuser = user name.


trac-admin /var/trac/projectName permission add myuser admin

Let’s create a logo for this project using imagemagick:


convert -background lightblue -fill blue -pointsize 72 label:projectName /var/trac/projectName/htdocs/project.gif 

Edit /var/trac/projectName/config/trac.ini:

Change the logo section to point to the new logo that we just been created:


[header_logo]
alt = project name
height = -1
link = src = site/project.gif
width = -1 

For svn integration you must also add:


[repositories]
project.dir = /rep/local/path
project.description = description
project.type = svn
project.url = http://repsite.com/rep

[components]
tracopt.versioncontrol.svn.* = enabled
tracopt.ticket.commit_updater.committicketreferencemacro = enabled
tracopt.ticket.commit_updater.committicketupdater = enabled 

For svn you also need to give both read and write access to the svn tool. For example if you setup apache to use as your svn gateway:


chown -R apache /var/trac/projectName

svn hooks:

You can connect svn to Trac so on each commit a script will be called to update open tickets depending on special keywords that you writing on your commit comments.
In fact you need two script files:

Create /yourSvnRep/hooks/post-commit:


#!/bin/sh

REPO=“$1” REV=“$2”

/usr/bin/trac-admin /var/trac/ changeset added $REPO $REV

Create /yourSvnRep/hooks/post-revprop-change:


#!/bin/sh

REPO=“$1” REV=“$2”

trac-admin /var/trac/ changeset modified $REPO $REV 

Don’t forget to give these two scripts execute permission:


chmod a+x /yourSvnRep/hooks/post-*

Executing the server:


/usr/bin/tracd –daemonize –hostname=localhost -p 8080 \ –auth=“projectname,passlist,secname” \ -e /var/trac/

8080 is the port number that you want the server to listen on.
Remove –hostname=localhost if you want anyone to access your server (if it can be accessed from the Internet).
The -e file telling tracd to serve all the projects under /var/trac.
The –auth command declaring the password list to use for each project or group of projects. You can have more then one declaration of –auth= if needed.
The syntax of –auth= is:

  • projectname = the name of the project folder under /var/trac. You can use ‘*’ if you want this declaration to effect all the projects (one passwords file setup).
  • passlist = full path to the password file to use for this project.
  • secname = section name if you want to use the same passwords file for different projects but each project will have different users. You can name it whatever you want to.

Now just point your browser to http://localhost:8080/projectName

Using git repositories:

I may write a separated post how to do that but it’s almost the same as for svn. Example hooks can be found here.

Removing the list of projects on http://localhost:8080/:

I’m just disabling access to ‘/’ from haproxy. Please reply with a better solution :)