Setting up a repository server based on SCM-Manager under Debian
Faced with the fact that the repositories are scattered across different servers with different settings without the possibility of centralized management and monitoring. The idea was to make one storage with the following requirements:
Studying Google and test installations of various software led me to the SCM-manager, which allowed me to practically implement all the requirements set out of the box.
The service was implemented on Debian 8.3 x64.
')
Under the cat installation process and settings:
Install Mercurial and add. packages:
Go to the directory where we will install the SCM-Manager:
Download the latest version from the official site :
Unarchive it:
Delete the downloaded archive:
Run SCM-Manager:
At this stage, the service is fully functional and ready to work in its basic configuration. The web interface is available at: localhost : 8080. Default administrator login and password: scmadmin. But continue the setting.
Create the /etc/init.d/scmserver file:
Enter the following into the created file:
Let's correct the rights so that the file is executable:
Add to autoload:
By default, the web interface is available via http on port 8080. To change, you need to do the following steps.
Edit serrver-config.xml:
We are looking for a section:
We change to the one we need, save the file and overload the service:
Go to the directory with the config:
We generate a certificate for 1 year:
We edit the config:
Uncomment the SSL connector lines and specify the password (instead of * password *) for the key store, which we entered when creating it, the port on which it will listen for SSL ("Port"), and also specify the location of the key store:
Look fingerprints if needed:
In the process of setting up SSL, I encountered a problem that when pushing via ssl, the server obstinately swore at SSL and didn’t want to push, it turned out that in Python 2.7.9 and later versions included a default ban on self-signed certificates. To disable this option, edit the file:
Change _create_default_https_context = create_default_context to _create_default_https_context = _create_unverified_context .
Overloading the service to apply changes:
This completes the configuration via the console and the configuration will continue through the web interface.
Go to the web-interface localhost : 8080. Remove anonymous access and change the password to the built-in administrator. In the web interface, go to “Security” - “Users” -> delete the user “anonymous” -> change the password of the user “scmadmin”.
Installing plugins for authorization via AD, sending mail, sending notifications about pushing. In the web-interface, go to “Config” - “Plugins”:
To authorize via AD, install: “scm-auth-ldap-plugin”
To send mail, install: “scm-mail-plugin”
For push notifications, install: “scm-notify-plugin”
Installing the plugin to view the activity in the repositories via the web interface:
In the web-interface, go to "Config" - "Plugins"
Install the plugin: “scm-activity-plugin”
To complete the installation of plugins, restart the service:
Configuration of the LDAP Authentication plugin. In the web-based interface, go to “Config” - “General” - Section “LDAP Authentication”.
Profile: "ActiveDirectory"
Base DN: let the OU with users for authorization
Connection DN: user to authorize SCM-Manager in AD
Connection Password: (User password for authorization of SCM-Manager in AD)
Host URL: ip and port of the domain controller
Enable nester ad groups: no
Use StartTLS: no (Enable / disable encryption when connecting to AD)
Enable: yes (Enable / Disable Plugin)
After making the settings, press the “Save” button to save them. After making the settings, you can test the settings with the “Test Connection” button. Now any domain user from the specified OU can login. But at the same time, it has no rights anywhere by default and it will not be able to see any repository. It is necessary for the administrator to give user access by adding him to the acces-list repository or to the group of which access is given to the necessary repositories.
Configuring the plug-in for sending mail: in the web-interface, go to "Config" - "General" - Section "Mail configuration".
Set the following parameters:
Host: SMTP server address
Port: SMTP server port
Username: username for authorization on the SMTP server
Password: user password for authorization on the SMTP server
From: who the letter will emanate from
Transport Strategy: SMTP_PLAIN (Passing an open type password)
Subject Prefix: (which will be inserted at the beginning of the subject line)
You can test the settings you have made with the "Test Configuration" button.
Change the location of repositories on the server: in the web-interface, go to “Config” - “Repository Types”.
In the sections for SVN, Mercurial, Git write your way in the lines of the “Repository directory”.
Creating repositories: in the web-interface, go to “Main” - “Repositories”, click “Add”. In the field “Name” indicate the name of the repository, in the field “Type” select the type of the repository.
Configuring email push notifications for repositories: go to “Main” - “Repositories” in the web-based interface, select the repository where you need to set up email push notifications, bookmarks will appear from below, go to the “Notification” tab and complete:
Notify Repository Contact: no
Use Author as From Address : no
Email per Push: no
Maximum Diff Lines: 1000 (maximum number of lines in the letter in which changes made to the repository files will be shown)
Add a mailing address to which notifications will come by clicking on the “Add” button. Save the changes by clicking the “Ok” button.
This completes the server configuration setting according to the specified conditions, and the service is ready for use. SCM-Server allows you to import repositories with one limitation - it does not know how to import repositories from places where authorization is needed.
- user authentication through Active Directory
- email push notifications
- management and creation of repositories, as well as access control through a web interface
- the possibility of placing mercurial, git, svn
- ease of deployment
- SSL support
Studying Google and test installations of various software led me to the SCM-manager, which allowed me to practically implement all the requirements set out of the box.
The service was implemented on Debian 8.3 x64.
')
Under the cat installation process and settings:
1. Installing Mercurial and SCM-Manager
Install Mercurial and add. packages:
sudo apt-get install mercurial ca-certificates default-jre Go to the directory where we will install the SCM-Manager:
cd ...
Download the latest version from the official site :
sudo wget https://maven.scm-manager.org/nexus/content/repositories/releases/sonia/scm//scm-server/1.46/scm-server-1.46-app.tar.gz
Unarchive it:
sudo tar -xvf scm-server-1.46-app.tar.gz
Delete the downloaded archive:
sudo rm scm-server-1.46-app.tar.gz
Run SCM-Manager:
sudo /opt/scm-server/bin/scm-server start
At this stage, the service is fully functional and ready to work in its basic configuration. The web interface is available at: localhost : 8080. Default administrator login and password: scmadmin. But continue the setting.
2. We do autoload SCM-Manager
Create the /etc/init.d/scmserver file:
sudo mcedit /etc/init.d/scmserver
Enter the following into the created file:
#!/bin/sh ### BEGIN INIT INFO # Provides: sscmserver # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Seapine Surround SCM Server # Description: SCM Server init file ### END INIT INFO SCM_SERVER="<b><i>*path_to_install_directory*</i></b>/scm-server/bin/scm-server" start() { "$SCM_SERVER" start } stop() { "$SCM_SERVER" stop } case "$1" in start) start ;; stop) stop ;; restart) stop start ;; *) echo $"Usage: $0 {start|stop|restart}" exit 2 esac
Let's correct the rights so that the file is executable:
sudo chmod 755 /etc/init.d/scmserver
Add to autoload:
sudo update-rc.d scmserver defaults
3. Transfer service to another port
By default, the web interface is available via http on port 8080. To change, you need to do the following steps.
Edit serrver-config.xml:
sudo mcedit /***path_to_install_directory***/scm-server/conf/server-config.xml
We are looking for a section:
<set name="port"> <systemproperty name="jetty.port" default="<b>8080</b>"> </systemproperty></set>
We change to the one we need, save the file and overload the service:
sudo /etc/init.d/scmserver restart
4. Add SSL
Go to the directory with the config:
cd /***path_to_install_directory***/scm-server/conf/
We generate a certificate for 1 year:
sudo keytool -genkey -alias scm -validity 365 -keyalg RSA -keystore keystore.jks
We edit the config:
sudo mcedit /***path_to_install_directory***/scm-server/conf/server-config.xml
Uncomment the SSL connector lines and specify the password (instead of * password *) for the key store, which we entered when creating it, the port on which it will listen for SSL ("Port"), and also specify the location of the key store:
<Call name="addConnector"> <Arg> <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"> <Arg> <!-- Exclude SSLv3 to avoid POODLE vulnerability. See https://groups.google.com/d/msg/scmmanager/sX_Ydy-wAPA/-Dvs5i7RHtQJ --> <New class="org.eclipse.jetty.http.ssl.SslContextFactory"> <Set name="excludeProtocols"> <Array type="java.lang.String"> <Item>SSLv2Hello</Item> <Item>SSLv3</Item> </Array> </Set> </New> </Arg> <Set name="Port"><b>443</b></Set> <Set name="maxIdleTime">30000</Set> <Set name="keystore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set> <Set name="password">***password***</Set> <Set name="keyPassword"><b>***password***</Set> <Set name="truststore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set> <Set name="trustPassword">***password***</Set> </New> </Arg> </Call>
Look fingerprints if needed:
keytool -list -keystore keystore.jks
In the process of setting up SSL, I encountered a problem that when pushing via ssl, the server obstinately swore at SSL and didn’t want to push, it turned out that in Python 2.7.9 and later versions included a default ban on self-signed certificates. To disable this option, edit the file:
sudo mcedit /usr/lib/python2.7/ssl.py
Change _create_default_https_context = create_default_context to _create_default_https_context = _create_unverified_context .
Overloading the service to apply changes:
sudo /etc/init.d/scmserver restart
This completes the configuration via the console and the configuration will continue through the web interface.
5. Configuring SCM-Manager via web-interface
Go to the web-interface localhost : 8080. Remove anonymous access and change the password to the built-in administrator. In the web interface, go to “Security” - “Users” -> delete the user “anonymous” -> change the password of the user “scmadmin”.
Installing plugins for authorization via AD, sending mail, sending notifications about pushing. In the web-interface, go to “Config” - “Plugins”:
To authorize via AD, install: “scm-auth-ldap-plugin”
To send mail, install: “scm-mail-plugin”
For push notifications, install: “scm-notify-plugin”
Installing the plugin to view the activity in the repositories via the web interface:
In the web-interface, go to "Config" - "Plugins"
Install the plugin: “scm-activity-plugin”
To complete the installation of plugins, restart the service:
sudo /etc/init.d/scmserver restart
Configuration of the LDAP Authentication plugin. In the web-based interface, go to “Config” - “General” - Section “LDAP Authentication”.
Profile: "ActiveDirectory"
Base DN: let the OU with users for authorization
Connection DN: user to authorize SCM-Manager in AD
Connection Password: (User password for authorization of SCM-Manager in AD)
Host URL: ip and port of the domain controller
Enable nester ad groups: no
Use StartTLS: no (Enable / disable encryption when connecting to AD)
Enable: yes (Enable / Disable Plugin)
After making the settings, press the “Save” button to save them. After making the settings, you can test the settings with the “Test Connection” button. Now any domain user from the specified OU can login. But at the same time, it has no rights anywhere by default and it will not be able to see any repository. It is necessary for the administrator to give user access by adding him to the acces-list repository or to the group of which access is given to the necessary repositories.
Configuring the plug-in for sending mail: in the web-interface, go to "Config" - "General" - Section "Mail configuration".
Set the following parameters:
Host: SMTP server address
Port: SMTP server port
Username: username for authorization on the SMTP server
Password: user password for authorization on the SMTP server
From: who the letter will emanate from
Transport Strategy: SMTP_PLAIN (Passing an open type password)
Subject Prefix: (which will be inserted at the beginning of the subject line)
You can test the settings you have made with the "Test Configuration" button.
Change the location of repositories on the server: in the web-interface, go to “Config” - “Repository Types”.
In the sections for SVN, Mercurial, Git write your way in the lines of the “Repository directory”.
Creating repositories: in the web-interface, go to “Main” - “Repositories”, click “Add”. In the field “Name” indicate the name of the repository, in the field “Type” select the type of the repository.
Configuring email push notifications for repositories: go to “Main” - “Repositories” in the web-based interface, select the repository where you need to set up email push notifications, bookmarks will appear from below, go to the “Notification” tab and complete:
Notify Repository Contact: no
Use Author as From Address : no
Email per Push: no
Maximum Diff Lines: 1000 (maximum number of lines in the letter in which changes made to the repository files will be shown)
Add a mailing address to which notifications will come by clicking on the “Add” button. Save the changes by clicking the “Ok” button.
This completes the server configuration setting according to the specified conditions, and the service is ready for use. SCM-Server allows you to import repositories with one limitation - it does not know how to import repositories from places where authorization is needed.
Source: https://habr.com/ru/post/279505/
All Articles