This page describes installation and configuration of subversion (version >= 1.2) and trac on RHEL4/Centos 5 with apache server employing virtual hosts with SSL.

Installation assumes that apache on and svn/trac on

Svn and trac reside under /var/www/svn//var/www/trac, respectively to avoid SElinux configuration problems.

Install apache

  • install on

    yum install httpd
    chkconfig --levels 235 httpd on
    service httpd restart

Configure virtual hosts

Enable local testing of apache

  • add to etc/hosts on

    and to etc/hosts on a test machine:


    where XX.XX.XX.XX is the IP of

After testing of svn/trac, to deploy the server remove the entries from etc/hosts and modify the Zone File; do not forget to modify the serial number in the file!:

; Our svn server:
svn             IN      CNAME
; Our Trac server:
trac            IN      CNAME

Enable name based virtual hosts

  • create the /etc/httpd/conf.d/00name-virtual-host.conf file on`:

    # Enable name-based virtual hosting
    NameVirtualHost ???.???.???.???:80
    NameVirtualHost ???.???.???.???:443

Configure SSL

The Secure Socket Layer (SSL) implementation in Linux is made by the OpenSSL project.

SSL is used to encrypt network communication protocols such as HTTP and IMAP.

We use SSL with our Apache Web-server as described in Red Hat Enterprise Linux Deployment Guide, there is also an Apache SSL FAQ.

Install SSL packages

yum install mod_ssl openssl

Generate SSL certificate request

  • generate radom key file on webserver:

    cd /etc/pki/tls/private/ # (CentOS4: cd /etc/httpd/conf/ssl.key/)
    openssl genrsa -out 1024
    chmod 600                  # Protect the key file
    Note: on CentOS 5 you find private key in e.g, /etc/pki/tls/private/server.key and the public key in /etc/pki/tls/certs/server.cert,

    on RHEL4 in /etc/httpd/conf/ssl.key/server.key and /etc/httpd/conf/ssl.crt/server.crt, respectively.

  • generate a signed-certificate request. See for example Apache+modssl certificate request:

    openssl req -new -key -out

    Provide suitable answers:

    Country Name (2 letter code) [GB]:
    State or Province Name (full name) [Berkshire]:
    Locality Name (eg, city) [Newbury]:
    Organization Name (eg, company) [My Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:*
    Email Address []

    Protect the request:

    chmod 600 /etc/pki/tls/private/ # (CentOS4: chmod 600 /etc/httpd/conf/ssl.key/


    • you may chose the password protection "Set private key passphrase" (not recommended, you may get from apache: "Init: Unable to read pass phrase" error).
    • * (star) in Common Name is used to allow multiple name-based virtual hosts with SSL.???
  • you can display the contents of the certificate request:

    openssl req -noout -text -in

Generate SSL self-signed certificate

  • for testing of the service only, while waiting for the certificate create a self-signed certificate:

    openssl x509 -req -days 365 -in -signkey -out
  • you can remove the password protection of the certificate by:

    cd /etc/pki/tls/private/ # (CentOS4: cd /etc/httpd/conf/ssl.key/)
    cp -p
    openssl rsa -in -out

Install SSL certificates

  • protect and install the certificate file:

    chmod 600 /etc/pki/tls/private/ # (CentOS4: chmod 600 /etc/httpd/conf/ssl.key/
    cp -p /etc/pki/tls/private/ /etc/pki/tls/certs/ # (CentOS4: cp -p /etc/httpd/conf/ssl.key/ /etc/httpd/conf/ssl.crt/)
  • make sure that /etc/httpd/conf.d/ssl.conf contains:

    # On EL5
    SSLCertificateFile /etc/pki/tls/certs/
    SSLCertificateKeyFile /etc/pki/tls/private/
    # On EL4
    SSLCertificateFile  /etc/httpd/conf/ssl.crt/
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/


Install svn packages

The subversion provided by EL4/EL5 is rather outdated therefore download a recent version from There is also a version available from

  • if choosing install rpmforge-release as described at rpmforge, and make sure /etc/yum.repos.d/rpmforge.repo contains:

    enabled = 0

    or configure rpmforge in a fast way:

    echo '[rpmforge]' > /etc/yum.repos.d/rpmforge.repo
    echo 'name= RHEL $releasever - - dag' >> /etc/yum.repos.d/rpmforge.repo
    echo '#baseurl=$basearch/rpmforge' >> /etc/yum.repos.d/rpmforge.repo
    echo 'mirrorlist=' >> /etc/yum.repos.d/rpmforge.repo
    echo 'gpgkey=' >> /etc/yum.repos.d/rpmforge.repo
    echo 'gpgcheck=1' >> /etc/yum.repos.d/rpmforge.repo
    echo 'protect=0' >> /etc/yum.repos.d/rpmforge.repo
    echo 'enabled=0' >> /etc/yum.repos.d/rpmforge.repo
  • install (tested with version 1.6.6-1):

    yum -y install yum-utils
    # rpm --import # installing from WANdisco
    # yumdownloader subversion mod_dav_svn subversion-tools subversion-python --resolve --enablerepo=WANdisco # installing from WANdisco
    rpm --import # installing from rpmforge
    yumdownloader subversion mod_dav_svn --resolve --enablerepo=rpmforge # installing from rpmforge
    yum localinstall mod_dav_svn-*.rpm subversion-*.rpm
    yum -y install python-setuptools mod_python

    Note: on RHEL4, (tested with version 1.4.4-0.1) install with:

    rpm -ivh subversion-*.el4*.rpm mod_dav_svn-*el4.*.rpm
    up2date -p

Create svn repository root

  • create svn virtual host DocumentRoot and copy XSLT stylesheet for repository web-browsing:

    mkdir /var/www/svn
    cp -p /usr/share/doc/subversion-*/tools/xslt/svnindex.* /var/www/svn
    cp -p /usr/lib/subversion/tools/xslt/svnindex.* /var/www/svn # WANdisco packages differently
    chown apache.apache -R /var/www/svn
    chmod 770 -R /var/www/svn
    chmod o=r /var/www/svn/svnindex.xsl /var/www/svn/svnindex.css
  • enable log:

    mkdir -p /var/log/svn
    chown -R apache.apache /var/log/svn
    chmod -R o-rwx /var/log/svn
    chcon -t httpd_sys_content_t /var/log/svn

    Note: /var/log/svn must exist, have right permissions, and it's a good idea to back it up regularly!

Configure apache for svn

  • create /etc/httpd/conf.d/subversion.conf, download subversion.conf (hint: change the IP address of your server. SSL certificate paths are for CentOS 5):

    cp subversion.conf /etc/httpd/conf.d/subversion.conf
    chown apache.apache /etc/httpd/conf.d/subversion.conf
    chmod o-rwx /etc/httpd/conf.d/subversion.conf

    You will find useful instructions here (Cached print.html).

  • create the /var/www/svn/robots.txt file:

    # You can define rules for nice robots here
    # See
    User-agent: *
    Disallow: /

    and set permissions:

    chown apache.apache /var/www/svn/robots.txt
    chmod o-rwx /var/www/svn/robots.txt

Create/add new users

  • edit the /etc/svn-access-file file to grant access per project/directory path-based authorization file, e.g.:

    calc-developers = harry, sally, joe
    paint-developers = frank, sally, jane
    everyone = @calc-developers, @paint-developers
    # read permission to all users at the root of the repository
    * = r
    # per-project permissions
    @calc-developers = rw
    # per-directory permissions
    @paint-developers = rw
    jane = r
  • for the first time only: create apache password file:

    htpasswd -cm /etc/svn-auth-file jensj
  • new users can be given access with this commmand:

    htpasswd -m /etc/svn-auth-file lhansen

    or the enrcypted password can be printed on the screen:

    htpasswd -nm lhansen

    Ask users who do not have physical access to your terminal to email you the result of one of the following commands (depending on which tool is available for them):

    htpasswd -nbm sally sallyspass
    python -c "import crypt; passwd='sallyspass'; print crypt.crypt(passwd, passwd)"
    perl -e '$passwd="sallyspass"; print crypt($passwd, $passwd)."\n"; undef $passwd'
  • set permissions:

    chown apache.apache /etc/svn-a*
    chmod o-rwx /etc/svn-a*

Create a new svn project

Configure (includes backup): outdated

Note: this section is outdated!

svn hook is a useful feature allowing, amongst others, sending automatically emails about svn checkins to a dedicated mailing list. This feature is set on a per-project basis.

To enable it perform the following steps:

  • copy the template file:

    cp /var/www/svn/CamposASE2/hooks/post-commit.tmpl /var/www/svn/CamposASE2/hooks/post-commit
  • edit /var/www/svn/CamposASE2/hooks/post-commit to contain the following lines:

    /var/www/svn/CamposASE2/hooks/ "$REPOS" "$REV" --from \
                                                  -s "[svn commit $REPOS]" \
    # Uncomment the next 4 lines if you have configured trac:
    #LOG=`/usr/bin/svnlook log -r $REV $REPOS`
    #AUTHOR=`/usr/bin/svnlook author -r $REV $REPOS`
    # Uncomment the next line if you have configured trac 0.11
    #/var/www/trac/trac-post-commit-hook -p "$TRAC_ENV" -r "$REV" -u "$AUTHOR" -m "$LOG" -s "$TRAC_URL" # removed in trac 0.12
    # For trac 0.12 see
    # 1. Enable ExplicitSync
    # 2. Enable tracopt.ticket.commit_updater.*
    # Uncomment the next line if you have configured trac 0.12
    #/usr/bin/trac-admin "$TRAC_ENV" changeset added "$REPOS" "$REV"
    # Comment out the next line if you do not want backup:
    # Apr 29 2014 RHEL6: - SELinux blocks this!
    # /var/www/svn/ --archive-type=bz2 ${REPOS} /var/log/svn
    # Note: /var/log/svn must exist and be writable by apache user!
  • copy the script (see Repository Backup):

    cp -p /usr/share/doc/subversion-*/tools/backup/ /var/www/svn/
    cp -p /usr/lib/subversion/tools/backup/ /var/www/svn/ # WANdisco packages differently
    chown apache.apache /var/www/svn/
    chmod 750 /var/www/svn/

    You can set the number of full backups stored to e.g. 5 by setting "num_backups = 5" in the script.

  • copy the script:

    cp /usr/share/doc/subversion-*/tools/hook-scripts/ /var/www/svn/CamposASE2/hooks/

    You may need to use:

    $sendmail = "/usr/sbin/sendmail";

    in the /var/www/svn/CamposASE2/hooks/ file.

    Note that in order to allow trac to sendmail you need to:

    setsebool -P httpd_can_sendmail 1

    and configure sendmail by e.g. enabling SMART_HOST in /etc/mail/ and:

    service sendmail restart

    Moreover, SELinux may block execute access to In this case:

    chcon -t httpd_unconfined_script_exec_t


  • set permissions:

    cd /var/www/svn/CamposASE2/hooks
    chown apache.apache post-commit
    chmod 770 post-commit
  • create a dedicated mailing list

  • you can test your setup by running on svn server:

    env - /var/www/svn/CamposASE2/hooks/post-commit /var/www/svn/CamposASE2 1

    and the final test will be to perform an svn checkin from a client.

Create a new project in an existing repository

Assuming you have a freshly created repository (/var/www/svn/CamposASE2):

  • as regular user, create CAMd.skeleton directory:

    mkdir ~/CAMd.skeleton
  • create the following subdirectories (at least the "trunk" subdirectory):

    mkdir ~/CAMd.skeleton/trunk ~/CAMd.skeleton/tags ~/CAMd.skeleton/branches
  • import the project:

    cd&& svn import CAMd.skeleton -m "initial import"

cvs2svn: cvs to svn converion tool

cvs2svn allows one to convert a cvs repository into svn.

  • download the lastest version the server running cvs, and unpack it, e.g. to /tmp, then run e.g.:

    python /tmp/cvs2svn-2.0.1/cvs2svn --dumpfile /tmp/CamposASE2 /home/camp/CVSROOT/CamposASE2
  • transfer /tmp/CamposASE2 file to the svn server (e.g. to /root/cvs2svn) and run:

    svnadmin create /var/www/svn/CamposASE2
    svnadmin load /var/www/svn/CamposASE2 < /root/cvs2svn/CamposASE2
    chown apache:apache -R /var/www/svn/CamposASE2
    chmod 770 -R /var/www/svn/CamposASE2

viewvc: outdated

Note: this section is outdated!

viewvc is a tool for pretty browsing of svn repositories. At the moment it does not support path-based authorization file (see It's totally optional, and if you have private repositories consider using websvn.

  • install:

    yum install viewvc

    On RHEL4, download it from and install:

    rpm -ivh viewvc-*.el4.*.rpm
    up2date -p
  • modify /etc/httpd/conf.d/viewvc.conf file:

    ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
    ScriptAlias /query /var/www/cgi-bin/query.cgi
    Alias /viewvc-static /var/www/viewvc
  • set permissions:

    chmod go+r /etc/httpd/conf.d/viewvc.conf
  • modify /etc/viewvc/viewvc.conf:

    chmod go+r /etc/viewvc/viewvc.conf

    Here are some hints about minimal changes in /etc/viewvc/viewvc.conf:

    # this has to be the root of the repository
    # i.e. where project repositories are created
    root_parents = /var/www/svn : svn
    # email address shown when browsing svn using viewvc
    address = <a href="">CAMd svn administrator</a>
  • restart apache and check results (the Admin bar appears for authenticated users with "TRAC_ADMIN" permission) at

    service httpd restart


Install trac packages

Configure rpmforge-release as described at

Create trac repository root

  • create trac virtual host DocumentRoot:

    mkdir -p /var/www/trac
    chown apache.apache -R /var/www/trac

Create apache for trac

  • allow httpd scripts to connect out to the network (see

    setsebool -P httpd_can_network_connect=1
  • for trac version 0.11: install trac-post-commit-hook - download the version corresponding to trac version:

    mkdir /var/www/trac
    chown apache.apache /var/www/trac
    cp trac-post-commit-hook /var/www/trac
    chown apache.apache /var/www/trac/trac-post-commit-hook
    chmod ug=rwx /var/www/trac/trac-post-commit-hook
    chmod o-rwx /var/www/trac/trac-post-commit-hook
  • create /etc/httpd/conf.d/trac.conf, download trac.conf (hint: change the IP address of your server. SSL settings are for CentOS 5):

    cp trac.conf /etc/httpd/conf.d/trac.conf
    chown apache.apache /etc/httpd/conf.d/trac.conf
    chmod o-rwx /etc/httpd/conf.d/trac.conf
  • create the /var/www/svn/robots.txt file:

    # You can define rules for nice robots here
    # See
    User-agent: *
    Disallow: /

    and set permissions:

    chown apache.apache /var/www/svn/robots.txt
    chmod o-rwx /var/www/svn/robots.txt

Create a new trac project

Note: trac is set to share /etc/svn-access-file with svn. /etc/svn-access-file is used to restrict display of the code from svn when browsing with track.

Warning additional setting of permissions with trac-admin is necessary per-project! (next four steps).

  • create a new trac project:

    trac-admin /var/www/trac/CamposASE2 initenv
    chown apache.apache -R /var/www/trac/CamposASE2
  • remove (per-project) write privileges for anonymous visitors (see

    trac-admin /var/www/trac/CamposASE2 permission remove anonymous \

    For a private project remove all other priviledges but WIKI_VIEW. List the permissions with trac-admin /var/www/trac/CamposASE2 permission list.

  • grant TRAC_ADMIN to administrators (per-project):

    trac-admin /var/www/trac/CamposASE2 permission add $n TRAC_ADMIN
  • grant permissions to authenticated users (per-project):

    trac-admin /var/www/trac/CamposASE2 permission add authenticated \

    Note: with trac 0.12 the following error appears (see

    IntegrityError: columns username, action are not unique

    Until the bug is fixed (it may take a long time) use:

    trac-admin /var/www/trac/CamposASE2 permission list

    and add the required permissions one-by-one.

  • edit the following lines in /var/www/trac/CamposASE2/conf/trac.ini:

    # trac 0.12: tracopt.ticket.commit_updater.*
    tracopt.ticket.commit_updater.* = enabled
    link =
    always_notify_owner =  true
    always_notify_reporter =  true
    # if you provide a mailing list for svn checkins
    smtp_always_cc =
    smtp_enabled = true
    smtp_from =
    smtp_replyto =
    smtp_server =
    smtp_subject_prefix = [ase2-tickets]
    descr = CamposASE2
    name = CamposASE2
    url =
    authz_file = /etc/svn-access-file
    authz_module_name = CamposASE2
    base_url =
    repository_dir = /var/www/svn/CamposASE2
    # trac 0.12: repository_sync_per_request
    repository_sync_per_request =

Administer trac with webadmin

WebAdmin is trac plugin which allows one to perform some administrative task using web interface instead of trac-admin command line.

To enable it perform the following steps:

  • install python-setuptools:

    yum -y install python-setuptools

    On RHEL4, download python-setuptools from and install:

    rpm -ivh python-setuptools-*
    up2date -p
  • get the latest version of WebAdmin, and install it (as root):

    svn co
    easy_install webadmin
  • enable WebAdmin in /var/www/trac/CamposASE2/conf/trac.ini (per-project):

    webadmin.* = enabled

Migration of svn and trac

This section describes migration of svn and trac from the old server to the new server (EL4 -> EL5).

Migration of svn (see

  1. reduce the DNS time-to-live for the old server in the Zone File:

    ; Our svn server:
    svn             3600 IN      CNAME
    ; Our Trac server:
    trac            3600 IN      CNAME
  2. install svn and trac RPMS on the new server.
  3. transfer the configuration files to the new server:

    scp -p /etc/svn-a* /etc/httpd/conf.d/{subversion,trac}.conf new:/etc

Change the IP number and SSL certificate locations in the conf files on the new server, and set permisions:

chown apache.apache /etc/svn-a*
chmod o-rwx /etc/svn-a*
  1. disable access to svn/trac on the old server:

    mv /etc/httpd/conf.d/subversion.conf /etc/httpd/conf.d/subversion.conf.MIGRATED
    mv /etc/httpd/conf.d/trac.conf /etc/httpd/conf.d/trac.conf.MIGRATED
    service httpd restart

    Note: in order to disable svn/trac write access without stopping httpd it is sufficient to revoke apache permissions on /etc/svn-auth-file:

    chown root.root /etc/svn-auth-file
  2. create svn dumps on the old server and transfer them (together with hooks files and other configuration files) to the new server:

    cd /var/www/svn
    svnadmin dump CamposASE2 > CamposASE2.dumpfile
    mkdir -p hooks/CamposASE2/hooks
    cp -p CamposASE2/hooks/{,post-commit} hooks/CamposASE2/hooks
    scp -rp *.dumpfile hooks svnindex.* robots.txt new:/var/www/svn/
  3. install the dumps and hooks on the new server, and set the permissions:

    svnadmin create /var/www/svn/CamposASE2
    svnadmin load CamposASE2 < CamposASE2.dumpfile
    cp -rpf hooks/* .
    chown -R apache.apache /var/www/svn
    chmod -R o-rwx /var/www/svn
    rm -rf hooks

    Note you may need to edit the post-commit script if you update your trac installation

  4. enable log:

    mkdir -p /var/log/svn
    chown -R apache.apache /var/log/svn
    chmod -R o-rwx /var/log/svn
    chcon -t httpd_sys_content_t /var/log/svn

Warning service httpd restart on the new server only after updating trac (if relevant).

Migration of trac (see

  1. perform relevant steps 1. - 3. from migration of svn described above
  2. create a backup of the trac repository on the old server:

    cd /var/www/trac/
    mkdir conf
    trac-admin CamposASE2 hotcopy /tmp/CamposASE2
    chown -R apache.apache /tmp/CamposASE2
    tar -cf CamposASE2.trac.el4.tar /tmp/CamposASE2
    mkdir -p conf/CamposASE2/conf
    cp -p CamposASE2/conf/trac.ini conf/CamposASE2/conf
  3. transfer trac backup, conf and other configuration files to the new server:

    scp -p *.trac.el4.tar new:/var/www/trac/
    scp -rp conf trac-post-commit-hook robots.txt new:/var/www/trac/
  4. install sqlite2 package on a EL5 machine to be used to convert trac databases into the sqlite3 format (see - here it's assumed that conversion takes place on the new server.
  5. perform sqlite2->sqlite3 conversion (on the machine used for conversion), and deploy files on the new server:

    cd /var/www/trac
    tar --strip-components 1 -xf CamposASE2.trac.el4.tar
    cd CamposASE2/db
    mv trac.db trac2.db
    sqlite trac2.db .dump | sqlite3 trac.db
    cp -rpf conf/CamposASE2 .
    rm -rf conf

    Note you may need to edit the trac.ini script if you update your trac installation

  6. upgrade the Trac Environment and Documentation:

    trac-admin /var/www/trac/CamposASE2 upgrade
    trac-admin /var/www/trac/CamposASE2 wiki upgrade
  7. after testing of svn/trac, update the DNS information in the Zone File:

    ; Our svn server:
    svn              IN      CNAME
    ; Our Trac server:
    trac             IN      CNAME

IT-wiki: SvnTrac_Wiki (last edited 2015-05-08 10:15:52 by OleHolmNielsen)