Subversion on Lion OS X 10.7.3

I set up Subversion on my home Mac Pro OS X 10.7.3 (Lion) and wrote down the steps for my reference.


Posting it here may help someone. Feedback is appreciated.


Lion already ships with Subversion 1.6.17, OpenSSH_5.6p1 and OpenSSL 0.9.8r. So we just need to use them.


First, let's create a group that will be given permissions to access the repositories, and anything else you may add in the future.


There is no groupadd and usermod in Mac so we'll use dscl to create a group (coders) and dseditgroup to add users to this group.

1. sudo dscl . create /groups/coders gid 1000

2. sudo dseditgroup -o edit -a <your_username> -t user coders


You can use the groups command to verify your account is a member of the coders group.


Create the directory structure for your repositories.

3. sudo mkdir /usr/local/svn

4. sudo mkdir /usr/local/svn/repos


And set the access permissions.

5. sudo chgrp coders /usr/local/svn/repos

6. sudo chmod g+w /usr/local/svn/repos

7. sudo chmod g+s /usr/local/svn/repos


We can now create our project repository, in the repos directory.


Set the file mode creation mask to give the group write permissions to the repository we are about to create.

8. umask 002


Create the repository for your project.

9. svnadmin create /usr/local/svn/repos/<project_name>


And set the user mask to the default value.

10. umask 022


You now have an empty repository, so let's create a working copy by checking out the current version to your home directory.

11. cd ~

12. svn co file:///usr/local/svn/repos/<project_name>


Create the basic structure and commit your changes to the repository.

13. cd <project_name>

14. svn mkdir branches tags trunk

15. svn ci -m "initial structures"



Now, let's enable remote access to the repository.


First, let's set up svnserve, the Subversion server program, so we can access the repository using the svn protocol.

(We're only going to access the repository securely, using svn+ssh, but it's nice to know svnserve is there if we ever need it.)


Create a passwords file that will be used across repositories.

16. sudo vi /usr/local/svn/passwd-coders


The structure of the file should be as follows:

[users]

<user_1> = <password_1>

<user_2> = <password_2>

<user_3> = <password_3>


Save the file and change its permissions, so it's only readable by the owner (root).

17. sudo chmod 600 /usr/local/svn/passwd-coders


Each Subversion repository has a configuration file that controls how it can be accessed by svnserve.


Edit this configuration file for the repository we created earlier.

18. vi /usr/local/svn/repos/<project_name>/conf/svnserve.conf


Paste the following after [general] (line 8):

anon-access = none

password-db = /usr/local/svn/passwd-coders

realm = coders


And save the file.


Stuff you might want to know (from the man pages):

The realm setting sets the authentication realm of the repository. If two repositories have the same password database, they should have the same realm, and vice versa; this association allows clients to use a single cached password for several repositories.


Let's launch svnserve as a foreground process (--foreground) so we can kill it after the test with Ctrl+C.

19. sudo svnserve -d --foreground -r /usr/local/svn/repos


You should be in your home directory (use pwd to check). If so, delete the working copy that was checked out previously or cd to another directory.


Now, check out the pristine version using the svn protocol.

20. svn checkout svn://<server_ip>/<project_name> --username <user>

Replace <server_ip> with the IP address of your server or 127.0.0.1 if you are testing on the same machine.


You can go ahead and kill the svnserve process; we won't need it for svn+ssh.



We’re most of the way there, I promise. We just need to start our SSH server.


The only setup this requires, on a Mac, is to enable Remote Login from System Preferences > Sharing and add the coders group to the list of allowed users.

This will start sshd, the OpenSSH daemon, and set it to launch at startup.


Now you can check out using svn+ssh and your login password.

21. svn checkout svn+ssh://<server_ip>/usr/local/svn/repos/<project_name> --username <user>


That's it!

Mac Pro, Mac OS X (10.7.3)

Posted on Apr 13, 2012 10:26 AM
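
A check for the layout the steps above produce, as an added example that is not part of the original post: it reports any deviation from steps 5-7, 17 and 18. The function names and the world-writable check are additions; the paths and settings are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the layout built in steps 1-18.
# Usage: sh audit_svn.sh /usr/local/svn <project_name>

# The nine permission characters of a path, e.g. rwxrwsr-x (macOS and Linux).
perms() { ls -ld "$1" 2>/dev/null | cut -c2-10; }

# Last uncommented value of KEY in the [general] section of an svnserve.conf.
conf_value() {
    awk -F= -v key="$2" '
        /^\[/ { sect = $0 }
        sect == "[general]" && $0 !~ /^[ \t]*#/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# Print one FINDING line per deviation; print nothing when everything matches.
audit_svn() {
    root=$1
    conf=$1/repos/$2/conf/svnserve.conf
    pw=$1/passwd-coders

    [ -g "$root/repos" ] || echo "FINDING: setgid bit missing on $root/repos (step 7)"
    # Group write is required (step 6); world write is an extra check added here.
    case $(perms "$root/repos") in
        ????w??-?) ;;
        *) echo "FINDING: $root/repos must be group-writable and not world-writable" ;;
    esac
    [ "$(perms "$pw")" = "rw-------" ] ||
        echo "FINDING: $pw is not mode 600 (step 17)"
    # svnserve treats a missing anon-access as 'read', so it must be set explicitly.
    [ "$(conf_value "$conf" anon-access)" = "none" ] ||
        echo "FINDING: anon-access is not 'none' in $conf"
    [ "$(conf_value "$conf" password-db)" = "$pw" ] ||
        echo "FINDING: password-db does not point at $pw"
    return 0
}

if [ $# -eq 2 ]; then audit_svn "$1" "$2"; fi
```
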


May 9, 2012 9:37 AM in response to Bidit Mazumder

I actually have the WebSVN pages working fine (the php and parentPaths were all set correctly). Issue was everyone had full access...


Are you saying I should use a separate httpd-websvn.conf file instead of the one I'm using in: .../apache2/users/myhome.conf ?


mine looks like this:


<Location /websvn>

DAV svn

SVNParentPath /usr/local/svn/repos

# SVNParentPath /Library/WebServer/Documents/Websvn

AuthType Basic

AuthName "Restricted Files"

AuthUserFile /etc/apache2/passwd/passwords

Require valid-user

</Location>


and I'm now getting :


Forbidden

You don't have permission to access /websvn/ on this server.


a little progress from before, but still no access... I do however now get a u/p prompt each time, and appear to get authenticated...

May 9, 2012 11:34 AM in response to jeff barclay

Hi Jeff,


I decided to place WebSVN specific directives in a separate include file. You can include these directives in httpd.conf if you wish.


Also, there is no need for the SVNParentPath directive. Define this in WebSVN's config.php using $config->parentPath(...). DAV svn is also not required.


I think you're mixing a lot of stuff and it's hard to tell where things are going wrong. You may want to restore the default httpd.conf and follow the guide from scratch.


~Bidit

May 10, 2012 5:47 AM in response to Bidit Mazumder

Seems that everything is working great, thanks again!

I have one more question... (I'm a noob to mac and permissions, so bear with me)

In your post you indicated:


-We are now ready to create our project repository, in the repos directory.

-Set the file mode creation mask to give the group write permissions to the repository we are about to create.

-4. umask 002

-Create the repository for your project.

-5. svnadmin create /usr/local/svn/repos/<project_name>

-And set the user mask to the default value.

-6. umask 022


Does the umask 002 and umask 022 need to be done for every new <project_name> and is this done from the root dir?


I'm not sure how or where I was to add users to the _developer group, or even if that was necessary?


Sorry for all the basic questions... I'm just making sure I have it setup right!

May 10, 2012 12:49 PM in response to jeff barclay

Hi Jeff,


Does the umask 002 and umask 022 need to be done for every new <project_name> and is this done from the root dir?


You can set the user mask from anywhere and yes, you need to do this when creating a new repository. I'll tell you why.


sudo chgrp _developer /usr/local/svn/repos

This changes the group ownership of the repos directory to _developer.


sudo chmod g+w+s /usr/local/svn/repos

+w gives write permission to the group and +s sets the group-ID bit on the repos directory so any files created inside it will have the same group ownership as the directory itself.


umask subtracts the three parts of its numeric value from the default permission value. The default permissions when you create a file are rw-rw-rw- (666), and with a default umask of 022, any file created will have its final permissions set to 6-0, 6-2, 6-2 (644) which is rw-r--r--. This is no good for us because the repository will not be group writable. If we change the umask to 002, the final permissions value will be 6-0, 6-0, 6-2 (664) which is rw-rw-r--, which is exactly what we need.



I'm not sure how or where I was to add users to the _developer group, or even if that was necessary?


You should already be a member of the _developer group. Use the groups (or more correctly, id -Gn <your_username>) command to list your group memberships.


You can add users to the _developer group using sudo dseditgroup -o edit -a <user> -t user _developer.

This -a(dds) <user>, which is an object of -t(ype) user, to the group _developer.


Similarly, to delete a user from the _developer group, use sudo dseditgroup -o edit -d <user> -t user _developer.


If you are using Xcode, you are better off using the _developer group.


~Bidit
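
The umask behaviour discussed in this reply, as an added example that is not part of the thread: it computes and then observes the modes new files and directories get under 022 and 002, and wraps the per-repository umask change in a subshell so the caller's mask never has to be restored. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): the umask behaviour behind the
# "umask 002 / svnadmin create / umask 022" sequence.

# Mode a new object gets: the requested bits with the mask bits cleared.
#   apply_umask 666 022 -> 644      apply_umask 777 002 -> 775
#   apply_umask 666 033 -> 644      (bits are cleared one by one)
apply_umask() { printf '%o\n' $(( 0$1 & ~0$2 )); }

# Run a command under a temporary umask. The subshell keeps the change
# local, so the caller's umask stays as it was.
with_umask() {
    mask=$1; shift
    ( umask "$mask" && "$@" )
}

# The nine permission characters of a path, e.g. rw-rw-r--.
perms() { ls -ld "$1" | cut -c2-10; }

# Create a file and a directory under MASK in a scratch dir and report both modes.
demo() {
    d=$(mktemp -d) || return 1
    with_umask "$1" touch "$d/file"
    with_umask "$1" mkdir "$d/dir"
    echo "$1 file=$(perms "$d/file") dir=$(perms "$d/dir")"
    rm -rf "$d"
}

demo 022
demo 002
# Per repository (requires svnadmin):
#   with_umask 002 svnadmin create /usr/local/svn/repos/<project_name>
```
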

May 12, 2012 6:39 AM in response to Bidit Mazumder

Fantastic examples!!! You're a huge help for my learning curve. Several great answers deserve another question... I can't access my sites via the standard apache http://myDomain/repos/<myRepo> ? It prompts for U/P but doesn't allow access? Is it that I need to set the apache group _www to the repo dir?


Actually... after changing port from 80 to 81 now localhost no longer allows access either?


Message was edited by: jeff barclay

May 12, 2012 7:25 AM in response to jeff barclay

Seems the problem is in the httpd.conf file - not sure why it will only allow "single_user" and not "valid-user"?


<Location /repos>

DAV svn

SVNParentPath /usr/local/svn/repos

AuthType Basic

AuthName "Restricted Files"

# (FOLLOWING LINE OPTIONAL)

# AuthBasicProvider file

AuthUserFile /etc/apache2/passwd/passwords

Require vaild-user

# Require user single_user

</Location>

May 21, 2012 6:56 AM in response to Drachenfels

You can create a launchd job for svnserve.

sudo vi /Library/LaunchDaemons/org.tigris.subversion.svnserve.plist


Paste the following.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>org.apache.subversion.svnserve</string>

<key>ProgramArguments</key>

<array>

<string>/usr/bin/svnserve</string>

<string>--inetd</string>

<string>--root=/usr/local/svn/repos</string>

</array>

<key>inetdCompatibility</key>

<dict>

<key>Wait</key>

<false/>

</dict>

<key>Sockets</key>

<dict>

<key>Listeners</key>

<array>

<dict>

<key>SockServiceName</key>

<string>svn</string>

<key>Bonjour</key>

<true/>

</dict>

</array>

</dict>

</dict>

</plist>


Now launch the Subversion server.

sudo launchctl load -w /Library/LaunchDaemons/org.tigris.subversion.svnserve.plist


BTW, I love your handle--Drachenfels--the Dragon's Rock. Actually a nice place for a picnic. 🙂
