Upload page content

You can upload content for the page named below. If you change the page name, you can also upload content for another page. If the page name is empty, we derive the page name from the file name.

File to load page content from
Page name
Comment

    TracWithFastCGIonFedora

Trac With FastCGI on Fedora

Here's how I installed trac with mod_fcgid on Fedora to create the bug tracker for my repository. I use the AccountManager plugin to enable users to register themselves and manage their own accounts. I had an existing httpd server on the system, serving an existing subversion repository.

Install the Software

This is straightforward as all requirements are available in Fedora.

# yum install mod_fcgid trac trac-accountmanager-plugin

Filesystem Layout

My trac instance is set up under /srv/www/cfo-trac, with subdirectories as follows:

  • env for the trac environment

  • egg-cache to cache any plugins later installed from python eggs

  • cgi-bin for the FastCGI script wrapper

My existing subversion repository lives under /srv/subversion/repos/cfo-repo

As I use SELinux in enforcing mode on my server, I defined a local policy module to define the file contexts to use for these directories:

file_contexts.te:

policy_module(file_contexts, 0.0.1)

require {
        type httpd_sys_content_t;
        type httpd_sys_content_rw_t;
        type httpd_sys_script_exec_t;
};

file_contexts.fc:

# Local web server config
/srv/subversion(/.*)?                           gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/subversion/repos/[^/]*/hooks(/.*)?         gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/srv/www/cfo-trac                       -d      gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/www/cfo-trac/cgi-bin(/.*)?                 gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/srv/www/cfo-trac/egg-cache(/.*)?               gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/www/cfo-trac/env(/.*)?                     gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)

Having installed this module (see BuildSeLinuxPolicyModules for details of how to build and install a policy module), I then set up the filesystem:

# mkdir -p /srv/www/cfo-trac
# cd /srv/www/cfo-trac
# mkdir cgi-bin egg-cache env
# chown apache:apache egg-cache env
# restorecon -rvF /srv/www/cfo-trac

Trac Configuration

The trac environment is initially set up using the trac-admin tool, which needs to run as user apache to ensure that the files it creates have the correct ownership. Since it's sometimes necessary to use this tool at runtime too, I created a short wrapper script /root/bin/tracadm to run trac-admin as user apache from a root login:

#!/bin/sh

cd /srv/www/cfo-trac
runuser -s /bin/sh -c "/usr/bin/trac-admin /srv/www/cfo-trac/env" apache

This script is then used to create a new trac environment:

# tracadm
Welcome to trac-admin 0.11.3
Interactive Trac administration console.
Copyright (c) 2003-2009 Edgewall Software

Type:  '?' or 'help' for help on commands.

Trac [/srv/www/cfo-trac/env]> initenv
Creating a new Trac environment at /srv/www/cfo-trac/env

Trac will first ask a few questions about your environment 
in order to initialize and prepare the project database.

 Please enter the name of your project.
 This name will be used in page titles and descriptions.

Project Name [My Project]> City-Fan.Org Package Repository
 
 Please specify the connection string for the database to use.
 By default, a local SQLite database is created in the environment
 directory. It is also possible to use an already existing
 PostgreSQL database (check the Trac documentation for the exact
 connection string syntax).

Database connection string [sqlite:db/trac.db]> 
 
 Please specify the type of version control system,
 By default, it will be svn.

 If you don't want to use Trac with version control integration,
 choose the default here and don't specify a repository directory.
 in the next question.

Repository type [svn]> 

 Please specify the absolute path to the version control
 repository, or leave it blank to use Trac without a repository.
 You can also set the repository location later.

Path to repository [/path/to/repos]> /srv/subversion/repos/cfo-repo

Creating and Initializing Project
 Installing default wiki pages
 WikiProcessors imported from /usr/lib/python2.6/site-packages/trac/wiki/default-pages/WikiProcessors
... (snip) ...
 TracRevisionLog imported from /usr/lib/python2.6/site-packages/trac/wiki/default-pages/TracRevisionLog
 Indexing repository
 [9]
---------------------------------------------------------------------
Project environment for 'City-Fan.Org Package Repository' created.

You may now configure the environment by editing the file:

  /srv/www/cfo-trac/env/conf/trac.ini

If you'd like to take this new project environment for a test drive,
try running the Trac standalone web server `tracd`:

  tracd --port 8000 /srv/www/cfo-trac/env

Then point your browser to http://localhost:8000/env.
There you can also browse the documentation for your installed
version of Trac, including information on further setup (such as
deploying Trac to a real web server).

The latest documentation can also always be found on the project
website:

  http://trac.edgewall.org/

Congratulations!

Trac [/srv/www/cfo-trac/env]> quit

I then edited /srv/www/cfo-trac/env/conf/trac.ini to enable various AccountManager modules and configuring it to use HtDigest-format passwords in the file /srv/www/cfo-trac/env/conf/passwd:

  • Add to [account-manager] section:

  • htdigest_realm = cfo-repo-trac
    password_file = /srv/www/cfo-trac/env/conf/passwd
    password_store = HtDigestStore
  • Add a new [components] section:

  • [components]
    acct_mgr.admin.accountmanageradminpage = enabled
    acct_mgr.api.accountmanager = enabled
    acct_mgr.db.sessionstore = enabled
    acct_mgr.htfile.htdigeststore = enabled
    acct_mgr.pwhash.htdigesthashmethod = enabled
    acct_mgr.web_ui.accountmodule = enabled
    acct_mgr.web_ui.loginmodule = enabled
    acct_mgr.web_ui.registrationmodule = enabled
    trac.web.auth.loginmodule = disabled
  • {i} Disabling trac.web.auth.loginmodule is necessary to support AccountManager's HTML form-based logins

  • Art isn't my forté so I grabbed the /usr/share/pixmaps/redhat/rpmlogo-200.png file from the fedora-logos package and copied it to /srv/www/html (my web server's DocumentRoot) to use as the site logo, then changed the [header_logo] section of trac.ini to be:

  • [header_logo]
    alt = City-Fan.Org Package Repository
    height = 200
    link = http://www.city-fan.org/ftp/contrib/
    src = /rpmlogo-200.png
    width = 200
  • Set base_url in [trac] section:

  • base_url = http://trac.city-fan.org/cfo-trac/

Web Server Configuration

I configured the trac instance to appear at URL http://trac.city-fan.org/cfo-trac/

The default /etc/httpd/conf.d/trac.conf is set up to use mod_python, so I replaced it with this version to use mod_fcgid:

# Serve static content directly from httpd
Alias /cfo-trac/chrome/common "/usr/lib/python2.6/site-packages/trac/htdocs"
<Directory "/usr/lib/python2.6/site-packages/trac/htdocs">
    Order allow,deny
    Allow from all
</Directory>

# Invoke custom FCGI script for trac instance
<IfModule mod_fcgid.c>
    ScriptAlias /cfo-trac/ "/srv/www/cfo-trac/cgi-bin/trac.fcgi/"
</IfModule>

{i} The directory where the static content is packaged may be different in different Fedora releases; use the output of:

$ rpm -ql trac | grep '/htdocs$'

I then created the custom FCGI script /srv/www/cfo-trac/cgi-bin/trac.fcgi by first copying the supplied template:

# cd /srv/www/cfo-trac/cgi-bin
# cp $(rpm -ql trac | grep '/trac.fcgi') trac.fcgi

and then adding the following lines after the initial comment block and before the first line of python code:

import os
os.environ['TRAC_ENV'] = '/srv/www/cfo-trac/env'
os.environ['LC_TIME'] = 'en_GB'
os.environ['PYTHON_EGG_CACHE'] = '/srv/www/cfo-trac/egg-cache'

I could then reload the httpd configuration and test out my new trac instance by browsing to http://trac.city-fan.org/cfo-trac/

# service httpd reload

Permissions

The last step was to set myself up with a trac account and give it TRAC_ADMIN permission. Creating the account is easy with the AccountManager` plugin - just click on the Register link near the top right of the screen and follow the instructions (I created user paul for this purpose), then log in using the just-created account. Adding the TRAC_ADMIN permission is then done using the tracadm script prepared earlier:

# tracadm
Welcome to trac-admin 0.11.3
Interactive Trac administration console.
Copyright (c) 2003-2009 Edgewall Software

Type:  '?' or 'help' for help on commands.
        
Trac [/srv/www/cfo-trac/env]> permission list

User           Action         
------------------------------
anonymous      BROWSER_VIEW   
anonymous      CHANGESET_VIEW 
anonymous      FILE_VIEW      
anonymous      LOG_VIEW       
anonymous      MILESTONE_VIEW 
anonymous      REPORT_SQL_VIEW
anonymous      REPORT_VIEW    
anonymous      ROADMAP_VIEW   
anonymous      SEARCH_VIEW    
anonymous      TICKET_VIEW    
anonymous      TIMELINE_VIEW  
anonymous      WIKI_VIEW      
authenticated  TICKET_CREATE  
authenticated  TICKET_MODIFY  
authenticated  WIKI_CREATE    
authenticated  WIKI_MODIFY    


Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
 LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
 MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
 PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
 REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
 SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE,
 TICKET_EDIT_CC, TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW,
 TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_VIEW

Trac [/srv/www/cfo-trac/env]> permission add paul TRAC_ADMIN
Trac [/srv/www/cfo-trac/env]> permission list

User           Action         
------------------------------
anonymous      BROWSER_VIEW   
anonymous      CHANGESET_VIEW 
anonymous      FILE_VIEW      
anonymous      LOG_VIEW       
anonymous      MILESTONE_VIEW 
anonymous      REPORT_SQL_VIEW
anonymous      REPORT_VIEW    
anonymous      ROADMAP_VIEW   
anonymous      SEARCH_VIEW    
anonymous      TICKET_VIEW    
anonymous      TIMELINE_VIEW  
anonymous      WIKI_VIEW      
authenticated  TICKET_CREATE  
authenticated  TICKET_MODIFY  
authenticated  WIKI_CREATE    
authenticated  WIKI_MODIFY    
paul           TRAC_ADMIN     


Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
 LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
 MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
 PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
 REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
 SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE,
 TICKET_EDIT_CC, TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW,
 TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_VIEW

Trac [/srv/www/cfo-trac/env]> quit

After clicking the Wiki button in the browser window, I new had a new Admin button I could use to access the administration features to tailor my trac instance. All done!

Spam Filtering

A publicly-accessible trac instance is very likely to attract the attention of spammers, who can find them using google searches for standard text on trac wiki pages. One of the common defences against wiki spammers is to require wiki editors to be authenticated users. Unfortunately this defence doesn't work if you're using the AccountManager plugin to allow users to register themselves, as spammers can (and do) do this too. So I have also installed the SpamFilter plugin:

# yum install trac-spamfilter-plugin

The default configuration for this plugin is to trust submissions made by authenticated users, which again is no good if you're using the AccountManager plugin to allow users to register themselves. To fix this, it's necessary to edit trac.ini:

[spam-filter]
trust_authenticated = false

It's also worth mentioning that when making test submissions to check the operation of the spam filtering and logging, don't do this from an account with TRAC_ADMIN permission as these are also trusted and there's no way to turn that off.


CategoryTip

Recent