Here's how I installed trac with mod_fcgid on Fedora to create the bug tracker for my repository. I use the AccountManager plugin to enable users to register themselves and manage their own accounts. I had an existing httpd server on the system, serving an existing subversion repository.
Install the Software
This is straightforward as all requirements are available in Fedora.
# yum install mod_fcgid trac trac-accountmanager-plugin
Filesystem Layout
My trac instance is set up under /srv/www/cfo-trac, with subdirectories as follows:
env for the trac environment
egg-cache to cache any plugins later installed from python eggs
cgi-bin for the FastCGI script wrapper
My existing subversion repository lives under /srv/subversion/repos/cfo-repo
As I use SELinux in enforcing mode on my server, I defined a local policy module to define the file contexts to use for these directories:
file_contexts.te:
policy_module(file_contexts, 0.0.1)

require {
        type httpd_sys_content_t;
        type httpd_sys_content_rw_t;
        type httpd_sys_script_exec_t;
};
file_contexts.fc:
# Local web server config
/srv/subversion(/.*)?                       gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/subversion/repos/[^/]*/hooks(/.*)?     gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/srv/www/cfo-trac                   -d      gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/www/cfo-trac/cgi-bin(/.*)?             gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/srv/www/cfo-trac/egg-cache(/.*)?           gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/www/cfo-trac/env(/.*)?                 gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
Having installed this module (see BuildSeLinuxPolicyModules for details of how to build and install a policy module), I then set up the filesystem:
# mkdir -p /srv/www/cfo-trac
# cd /srv/www/cfo-trac
# mkdir cgi-bin egg-cache env
# chown apache:apache egg-cache env
# restorecon -rvF /srv/www/cfo-trac
Trac Configuration
The trac environment is initially set up using the trac-admin tool, which needs to run as user apache to ensure that the files it creates have the correct ownership. Since it's sometimes necessary to use this tool at runtime too, I created a short wrapper script /root/bin/tracadm to run trac-admin as user apache from a root login:
#!/bin/sh
cd /srv/www/cfo-trac
runuser -s /bin/sh -c "/usr/bin/trac-admin /srv/www/cfo-trac/env" apache
This script is then used to create a new trac environment:
# tracadm
Welcome to trac-admin 0.11.3
Interactive Trac administration console.
Copyright (c) 2003-2009 Edgewall Software

Type: '?' or 'help' for help on commands.

Trac [/srv/www/cfo-trac/env]> initenv
Creating a new Trac environment at /srv/www/cfo-trac/env

Trac will first ask a few questions about your environment
in order to initialize and prepare the project database.

 Please enter the name of your project.
 This name will be used in page titles and descriptions.

Project Name [My Project]> City-Fan.Org Package Repository

 Please specify the connection string for the database to use.
 By default, a local SQLite database is created in the environment
 directory. It is also possible to use an already existing
 PostgreSQL database (check the Trac documentation for the exact
 connection string syntax).

Database connection string [sqlite:db/trac.db]>

 Please specify the type of version control system,
 By default, it will be svn.

 If you don't want to use Trac with version control integration,
 choose the default here and don't specify a repository directory.
 in the next question.

Repository type [svn]>

 Please specify the absolute path to the version control
 repository, or leave it blank to use Trac without a repository.
 You can also set the repository location later.

Path to repository [/path/to/repos]> /srv/subversion/repos/cfo-repo

Creating and Initializing Project
 Installing default wiki pages
 WikiProcessors imported from /usr/lib/python2.6/site-packages/trac/wiki/default-pages/WikiProcessors
 ... (snip) ...
 TracRevisionLog imported from /usr/lib/python2.6/site-packages/trac/wiki/default-pages/TracRevisionLog
 Indexing repository
 [9]
---------------------------------------------------------------------
Project environment for 'City-Fan.Org Package Repository' created.

You may now configure the environment by editing the file:

  /srv/www/cfo-trac/env/conf/trac.ini

If you'd like to take this new project environment for a test drive,
try running the Trac standalone web server `tracd`:

  tracd --port 8000 /srv/www/cfo-trac/env

Then point your browser to http://localhost:8000/env.
There you can also browse the documentation for your installed
version of Trac, including information on further setup (such as
deploying Trac to a real web server).

The latest documentation can also always be found on the project
website:

  http://trac.edgewall.org/

Congratulations!

Trac [/srv/www/cfo-trac/env]> quit
I then edited /srv/www/cfo-trac/env/conf/trac.ini to enable various AccountManager modules and to configure the plugin to use HtDigest-format passwords stored in the file /srv/www/cfo-trac/env/conf/passwd:
Add to [account-manager] section:
htdigest_realm = cfo-repo-trac
password_file = /srv/www/cfo-trac/env/conf/passwd
password_store = HtDigestStore
Add a new [components] section:
[components]
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
trac.web.auth.loginmodule = disabled
Disabling trac.web.auth.loginmodule is necessary to support AccountManager's HTML form-based logins.
Art isn't my forté so I grabbed the /usr/share/pixmaps/redhat/rpmlogo-200.png file from the fedora-logos package and copied it to /srv/www/html (my web server's DocumentRoot) to use as the site logo, then changed the [header_logo] section of trac.ini to be:
[header_logo]
alt = City-Fan.Org Package Repository
height = 200
link = http://www.city-fan.org/ftp/contrib/
src = /rpmlogo-200.png
width = 200
Set base_url in [trac] section:
base_url = http://trac.city-fan.org/cfo-trac/
Web Server Configuration
I configured the trac instance to appear at URL http://trac.city-fan.org/cfo-trac/
The default /etc/httpd/conf.d/trac.conf is set up to use mod_python, so I replaced it with this version to use mod_fcgid:
# Serve static content directly from httpd
Alias /cfo-trac/chrome/common "/usr/lib/python2.6/site-packages/trac/htdocs"
<Directory "/usr/lib/python2.6/site-packages/trac/htdocs">
    Order allow,deny
    Allow from all
</Directory>

# Invoke custom FCGI script for trac instance
<IfModule mod_fcgid.c>
    ScriptAlias /cfo-trac/ "/srv/www/cfo-trac/cgi-bin/trac.fcgi/"
</IfModule>
The directory where the static content is packaged may be different in different Fedora releases; use the output of:
$ rpm -ql trac | grep '/htdocs$'
I then created the custom FCGI script /srv/www/cfo-trac/cgi-bin/trac.fcgi by first copying the supplied template:
# cd /srv/www/cfo-trac/cgi-bin
# cp $(rpm -ql trac | grep '/trac.fcgi') trac.fcgi
and then adding the following lines after the initial comment block and before the first line of python code:
import os
os.environ['TRAC_ENV'] = '/srv/www/cfo-trac/env'
os.environ['LC_TIME'] = 'en_GB'
os.environ['PYTHON_EGG_CACHE'] = '/srv/www/cfo-trac/egg-cache'
I could then reload the httpd configuration and test out my new trac instance by browsing to http://trac.city-fan.org/cfo-trac/
# service httpd reload
Permissions
The last step was to set myself up with a trac account and give it TRAC_ADMIN permission. Creating the account is easy with the AccountManager plugin: just click on the Register link near the top right of the screen and follow the instructions (I created user paul for this purpose), then log in using the just-created account. Adding the TRAC_ADMIN permission is then done using the tracadm script prepared earlier:
# tracadm
Welcome to trac-admin 0.11.3
Interactive Trac administration console.
Copyright (c) 2003-2009 Edgewall Software

Type: '?' or 'help' for help on commands.

Trac [/srv/www/cfo-trac/env]> permission list

User           Action
------------------------------
anonymous      BROWSER_VIEW
anonymous      CHANGESET_VIEW
anonymous      FILE_VIEW
anonymous      LOG_VIEW
anonymous      MILESTONE_VIEW
anonymous      REPORT_SQL_VIEW
anonymous      REPORT_VIEW
anonymous      ROADMAP_VIEW
anonymous      SEARCH_VIEW
anonymous      TICKET_VIEW
anonymous      TIMELINE_VIEW
anonymous      WIKI_VIEW
authenticated  TICKET_CREATE
authenticated  TICKET_MODIFY
authenticated  WIKI_CREATE
authenticated  WIKI_MODIFY

Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
 LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
 MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
 PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
 REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
 SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE,
 TICKET_EDIT_CC, TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW,
 TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_VIEW

Trac [/srv/www/cfo-trac/env]> permission add paul TRAC_ADMIN
Trac [/srv/www/cfo-trac/env]> permission list

User           Action
------------------------------
anonymous      BROWSER_VIEW
anonymous      CHANGESET_VIEW
anonymous      FILE_VIEW
anonymous      LOG_VIEW
anonymous      MILESTONE_VIEW
anonymous      REPORT_SQL_VIEW
anonymous      REPORT_VIEW
anonymous      ROADMAP_VIEW
anonymous      SEARCH_VIEW
anonymous      TICKET_VIEW
anonymous      TIMELINE_VIEW
anonymous      WIKI_VIEW
authenticated  TICKET_CREATE
authenticated  TICKET_MODIFY
authenticated  WIKI_CREATE
authenticated  WIKI_MODIFY
paul           TRAC_ADMIN

Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
 LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
 MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
 PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
 REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
 SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE,
 TICKET_EDIT_CC, TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW,
 TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_VIEW

Trac [/srv/www/cfo-trac/env]> quit
After clicking the Wiki button in the browser window, I now had a new Admin button I could use to access the administration features to tailor my trac instance. All done!
Spam Filtering
A publicly-accessible trac instance is very likely to attract the attention of spammers, who can find such instances using Google searches for standard text on trac wiki pages. One of the common defences against wiki spammers is to require wiki editors to be authenticated users. Unfortunately this defence doesn't work if you're using the AccountManager plugin to allow users to register themselves, as spammers can (and do) register too. So I have also installed the SpamFilter plugin:
# yum install trac-spamfilter-plugin
The default configuration for this plugin is to trust submissions made by authenticated users, which again is no good if you're using the AccountManager plugin to allow users to register themselves. To fix this, it's necessary to edit trac.ini:
[spam-filter]
trust_authenticated = false
It's also worth mentioning that when making test submissions to check the operation of the spam filtering and logging, you shouldn't use an account with TRAC_ADMIN permission: submissions from such accounts are also trusted, and there's no way to turn that off.
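The two trac.ini rules from this page (turn off trust_authenticated when self-registration is on, and disable trac.web.auth.loginmodule when AccountManager's form login is on) can be checked mechanically. The following is an added example, not part of the original write-up or of Trac; the function names and the sample configuration are constructed for illustration, and it assumes a component with no [components] entry is left enabled.

```python
import configparser

# Constructed sample: the [components] lines from this page, with the
# SpamFilter default left in place (no [spam-filter] section at all).
SAMPLE_INI = """\
[components]
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
trac.web.auth.loginmodule = disabled
"""

TRUE_WORDS = {"enabled", "true", "yes", "on", "1"}


def enabled(cfg, section, option, default=False):
    """Read an on/off option; trac.ini uses words like enabled/disabled/true/false."""
    if not cfg.has_option(section, option):
        return default
    return cfg.get(section, option).strip().lower() in TRUE_WORDS


def audit_trac_ini(text):
    """Return a list of findings for the two trac.ini rules described on this page."""
    # interpolation=None: '%' in trac.ini values must not be treated as a reference.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    self_reg = enabled(cfg, "components", "acct_mgr.web_ui.registrationmodule")
    # Per the page, SpamFilter trusts authenticated users unless told otherwise.
    trusts_auth = enabled(cfg, "spam-filter", "trust_authenticated", default=True)
    if self_reg and trusts_auth:
        findings.append("self-registration is enabled but [spam-filter] "
                        "trust_authenticated is not false")
    form_login = enabled(cfg, "components", "acct_mgr.web_ui.loginmodule")
    # Assumption: a component with no [components] entry is left enabled.
    builtin_login = enabled(cfg, "components", "trac.web.auth.loginmodule", default=True)
    if form_login and builtin_login:
        findings.append("acct_mgr.web_ui.loginmodule is enabled but "
                        "trac.web.auth.loginmodule is not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_trac_ini(SAMPLE_INI):
        print("WARN:", finding)
```

Wildcard entries such as `acct_mgr.* = enabled` are not expanded by this check, so list the registration and login modules explicitly when using it.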