= Trac With FastCGI on Fedora =
Here's how I installed [[http://trac.edgewall.org/|trac]] with [[http://fastcgi.coremail.cn/|mod_fcgid]] on Fedora
to create the [[http://trac.city-fan.org/cfo-trac/|bug tracker for my repository]].
I use the [[http://trac-hacks.org/wiki/AccountManagerPlugin|AccountManager plugin]] to enable users to register
themselves and manage their own accounts.
I had an existing `httpd` server on the system, serving an existing subversion repository.
== Install the Software ==
This is straightforward as all requirements are available in Fedora.
{{{
# yum install mod_fcgid trac trac-accountmanager-plugin
}}}
== Filesystem Layout ==
My `trac` instance is set up under `/srv/www/cfo-trac`, with subdirectories as follows:
* `env` for the `trac` environment
* `egg-cache` to cache any plugins later installed from python eggs
* `cgi-bin` for the FastCGI script wrapper
My existing subversion repository lives under `/srv/subversion/repos/cfo-repo`.
As I use SELinux in enforcing mode on my server, I created a local policy module to define the file contexts for these directories:
`file_contexts.te`:
{{{
policy_module(file_contexts, 0.0.1)
require {
type httpd_sys_content_t;
type httpd_sys_content_rw_t;
type httpd_sys_script_exec_t;
};
}}}
`file_contexts.fc`:
{{{
# Local web server config
/srv/subversion(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/subversion/repos/[^/]*/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/srv/www/cfo-trac -d gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/www/cfo-trac/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/srv/www/cfo-trac/egg-cache(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/srv/www/cfo-trac/env(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
}}}
Having installed this module (see BuildSeLinuxPolicyModules for details of how to build and install a policy module),
I then set up the filesystem:
{{{
# mkdir -p /srv/www/cfo-trac
# cd /srv/www/cfo-trac
# mkdir cgi-bin egg-cache env
# chown apache:apache egg-cache env
# restorecon -rvF /srv/www/cfo-trac
}}}
== Trac Configuration ==
The `trac` environment is initially set up using the `trac-admin` tool, which needs to run as user `apache` to ensure that the
files it creates have the correct ownership. Since it's sometimes necessary to use this tool at runtime too, I created a short
wrapper script `/root/bin/tracadm` to run `trac-admin` as user `apache` from a `root` login:
{{{#!format plain
#!/bin/sh
cd /srv/www/cfo-trac
runuser -s /bin/sh -c "/usr/bin/trac-admin /srv/www/cfo-trac/env" apache
}}}
This script is then used to create a new `trac` environment:
{{{
# tracadm
Welcome to trac-admin 0.11.3
Interactive Trac administration console.
Copyright (c) 2003-2009 Edgewall Software
Type: '?' or 'help' for help on commands.
Trac [/srv/www/cfo-trac/env]> initenv
Creating a new Trac environment at /srv/www/cfo-trac/env
Trac will first ask a few questions about your environment
in order to initialize and prepare the project database.
Please enter the name of your project.
This name will be used in page titles and descriptions.
Project Name [My Project]> City-Fan.Org Package Repository
Please specify the connection string for the database to use.
By default, a local SQLite database is created in the environment
directory. It is also possible to use an already existing
PostgreSQL database (check the Trac documentation for the exact
connection string syntax).
Database connection string [sqlite:db/trac.db]>
Please specify the type of version control system,
By default, it will be svn.
If you don't want to use Trac with version control integration,
choose the default here and don't specify a repository directory.
in the next question.
Repository type [svn]>
Please specify the absolute path to the version control
repository, or leave it blank to use Trac without a repository.
You can also set the repository location later.
Path to repository [/path/to/repos]> /srv/subversion/repos/cfo-repo
Creating and Initializing Project
Installing default wiki pages
WikiProcessors imported from /usr/lib/python2.6/site-packages/trac/wiki/default-pages/WikiProcessors
... (snip) ...
TracRevisionLog imported from /usr/lib/python2.6/site-packages/trac/wiki/default-pages/TracRevisionLog
Indexing repository
[9]
---------------------------------------------------------------------
Project environment for 'City-Fan.Org Package Repository' created.
You may now configure the environment by editing the file:
/srv/www/cfo-trac/env/conf/trac.ini
If you'd like to take this new project environment for a test drive,
try running the Trac standalone web server `tracd`:
tracd --port 8000 /srv/www/cfo-trac/env
Then point your browser to http://localhost:8000/env.
There you can also browse the documentation for your installed
version of Trac, including information on further setup (such as
deploying Trac to a real web server).
The latest documentation can also always be found on the project
website:
http://trac.edgewall.org/
Congratulations!
Trac [/srv/www/cfo-trac/env]> quit
}}}
I then edited `/srv/www/cfo-trac/env/conf/trac.ini` to enable various !AccountManager modules and to configure it to use
!HtDigest-format passwords in the file `/srv/www/cfo-trac/env/conf/passwd`:
* Add to `[account-manager]` section:
. {{{
htdigest_realm = cfo-repo-trac
password_file = /srv/www/cfo-trac/env/conf/passwd
password_store = HtDigestStore
}}}
* Add a new `[components]` section:
. {{{
[components]
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
trac.web.auth.loginmodule = disabled
}}}
. {i} Disabling `trac.web.auth.loginmodule` is necessary to support !AccountManager's HTML form-based logins
* Art isn't my forte, so I grabbed the `/usr/share/pixmaps/redhat/rpmlogo-200.png` file from the `fedora-logos` package and copied it to `/srv/www/html` (my web server's `DocumentRoot`) to use as the site logo, then changed the `[header_logo]` section of `trac.ini` to be:
. {{{
[header_logo]
alt = City-Fan.Org Package Repository
height = 200
link = http://www.city-fan.org/ftp/contrib/
src = /rpmlogo-200.png
width = 200
}}}
* Set `base_url` in `[trac]` section:
. {{{
base_url = http://trac.city-fan.org/cfo-trac/
}}}
== Web Server Configuration ==
I configured the `trac` instance to appear at URL http://trac.city-fan.org/cfo-trac/
The default `/etc/httpd/conf.d/trac.conf` is set up to use `mod_python`, so I replaced it with this version to use `mod_fcgid`:
{{{
# Serve static content directly from httpd
Alias /cfo-trac/chrome/common "/usr/lib/python2.6/site-packages/trac/htdocs"
<Directory "/usr/lib/python2.6/site-packages/trac/htdocs">
    Order allow,deny
    Allow from all
</Directory>
# Invoke custom FCGI script for trac instance
ScriptAlias /cfo-trac/ "/srv/www/cfo-trac/cgi-bin/trac.fcgi/"
}}}
{i} The directory where the static content is packaged may differ between Fedora releases; use the output of the following command to find it:
{{{
$ rpm -ql trac | grep '/htdocs$'
}}}
I then created the custom FCGI script `/srv/www/cfo-trac/cgi-bin/trac.fcgi` by first copying the supplied template:
{{{
# cd /srv/www/cfo-trac/cgi-bin
# cp $(rpm -ql trac | grep '/trac.fcgi') trac.fcgi
}}}
and then adding the following lines after the initial comment block and before the first line of python code:
{{{
import os
os.environ['TRAC_ENV'] = '/srv/www/cfo-trac/env'
os.environ['LC_TIME'] = 'en_GB'
os.environ['PYTHON_EGG_CACHE'] = '/srv/www/cfo-trac/egg-cache'
}}}
I could then reload the `httpd` configuration and test out my new `trac` instance by browsing to http://trac.city-fan.org/cfo-trac/
{{{
# service httpd reload
}}}
== Permissions ==
The last step was to set myself up with a `trac` account and give it `TRAC_ADMIN` permission.
Creating the account is easy with the !AccountManager plugin - just click on the ''Register'' link near the top right of the screen
and follow the instructions (I created user `paul` for this purpose), then log in using the just-created account.
Adding the `TRAC_ADMIN` permission is then done using the `tracadm` script prepared earlier:
{{{
# tracadm
Welcome to trac-admin 0.11.3
Interactive Trac administration console.
Copyright (c) 2003-2009 Edgewall Software
Type: '?' or 'help' for help on commands.
Trac [/srv/www/cfo-trac/env]> permission list
User Action
------------------------------
anonymous BROWSER_VIEW
anonymous CHANGESET_VIEW
anonymous FILE_VIEW
anonymous LOG_VIEW
anonymous MILESTONE_VIEW
anonymous REPORT_SQL_VIEW
anonymous REPORT_VIEW
anonymous ROADMAP_VIEW
anonymous SEARCH_VIEW
anonymous TICKET_VIEW
anonymous TIMELINE_VIEW
anonymous WIKI_VIEW
authenticated TICKET_CREATE
authenticated TICKET_MODIFY
authenticated WIKI_CREATE
authenticated WIKI_MODIFY
Available actions:
BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE,
TICKET_EDIT_CC, TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW,
TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
WIKI_MODIFY, WIKI_VIEW
Trac [/srv/www/cfo-trac/env]> permission add paul TRAC_ADMIN
Trac [/srv/www/cfo-trac/env]> permission list
User Action
------------------------------
anonymous BROWSER_VIEW
anonymous CHANGESET_VIEW
anonymous FILE_VIEW
anonymous LOG_VIEW
anonymous MILESTONE_VIEW
anonymous REPORT_SQL_VIEW
anonymous REPORT_VIEW
anonymous ROADMAP_VIEW
anonymous SEARCH_VIEW
anonymous TICKET_VIEW
anonymous TIMELINE_VIEW
anonymous WIKI_VIEW
authenticated TICKET_CREATE
authenticated TICKET_MODIFY
authenticated WIKI_CREATE
authenticated WIKI_MODIFY
paul TRAC_ADMIN
Available actions:
BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE,
TICKET_EDIT_CC, TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW,
TIMELINE_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
WIKI_MODIFY, WIKI_VIEW
Trac [/srv/www/cfo-trac/env]> quit
}}}
After clicking the ''Wiki'' button in the browser window, I now had a new ''Admin'' button I could use to access the
administration features to tailor my `trac` instance. All done!
== Spam Filtering ==
A publicly-accessible `trac` instance is very likely to attract the attention of spammers, who can find such instances
using Google searches for standard text on `trac` wiki pages.
One of the common defences against wiki spammers is to require wiki editors to be authenticated users.
Unfortunately this defence doesn't work if you're using the !AccountManager plugin to allow users to
register themselves, as spammers can (and do) do this too.
So I have also installed the [[TracUpstream:wiki/SpamFilter|SpamFilter]] plugin:
{{{
# yum install trac-spamfilter-plugin
}}}
The default configuration for this plugin is to trust submissions made by authenticated users,
which again is no good if you're using the !AccountManager plugin to allow users to
register themselves. To fix this, it's necessary to edit `trac.ini`:
{{{
[spam-filter]
trust_authenticated = false
}}}
It's also worth mentioning that test submissions made to check the operation of the spam filtering and logging
should not come from an account with `TRAC_ADMIN` permission, as such accounts are also trusted and there's no way to turn that off.
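The following check is an added example, not part of the original page or of Trac itself: it audits a `trac.ini` and the output of `permission list` for the combination described above, where self-registration is enabled but authenticated users are still trusted. The function name `audit`, the sample data and the assumed defaults (plugin components off unless listed, `trust_authenticated` on unless overridden) are assumptions made for illustration.

```python
import configparser

# Values read as "on". Simplified: wildcard entries such as
# "acct_mgr.* = enabled" are not expanded (assumption of this example).
ON = {"enabled", "on", "true", "yes", "1"}
WRITE = ("_CREATE", "_MODIFY", "_DELETE", "_APPEND", "_CHGPROP", "_ADMIN")

def audit(trac_ini, permission_list):
    """Return findings for a Trac setup that lets users register themselves."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(trac_ini)
    def on(section, key, default):
        return cfg.get(section, key, fallback=default).strip().lower() in ON
    findings = []
    if (on("components", "acct_mgr.web_ui.loginmodule", "disabled")
            and on("components", "trac.web.auth.loginmodule", "enabled")):
        findings.append("trac.web.auth.loginmodule still enabled alongside AccountManager login")
    if not on("components", "acct_mgr.web_ui.registrationmodule", "disabled"):
        return findings  # no self-registration: the remaining checks do not apply
    # The plugin trusts authenticated users unless trac.ini says otherwise.
    if on("spam-filter", "trust_authenticated", "true"):
        findings.append("spam-filter trusts authenticated users, who can self-register")
    # Permission rows are "<subject> <ACTION>"; headers and action lists are skipped.
    for line in permission_list.splitlines():
        parts = line.split()
        if (len(parts) == 2 and parts[0] in ("anonymous", "authenticated")
                and parts[1].endswith(WRITE)):
            findings.append(f"{parts[0]} holds {parts[1]}, usable by any self-registered account")
    return findings

# Constructed sample input: the page's component settings without the
# [spam-filter] override, and a shortened permission table.
SAMPLE_INI = """\
[components]
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
trac.web.auth.loginmodule = disabled
"""
SAMPLE_PERMS = """\
User Action
------------------------------
anonymous WIKI_VIEW
authenticated TICKET_CREATE
authenticated WIKI_MODIFY
paul TRAC_ADMIN
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI, SAMPLE_PERMS)))
```

The permission findings remain after `trust_authenticated = false` is set; they list the write actions whose submissions then depend on the spam filter alone.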