Fossil SCM
Folded info from forum thread https://www.fossil-scm.org/forum/forumpost/b770d8edc4 into the Debian/nginx service docs.
Commit
4b98322350c39ff62e62fc021956333bd2cfd677d0c5f5d5bcb03e2c7e56bc4a
Parent
6c04e42f7614ee2…
2 files changed
+5
-9
+38
-6
+5
-9
| --- www/server/debian/nginx.md | ||
| +++ www/server/debian/nginx.md | ||
| @@ -109,19 +109,15 @@ | ||
| 109 | 109 | |
| 110 | 110 | ## <a name="scgi"></a>Running Fossil in SCGI Mode |
| 111 | 111 | |
| 112 | 112 | For the following nginx configuration to work, it needs to contact a |
| 113 | 113 | Fossil instance speaking the SCGI protocol. There are [many ways](../) |
| 114 | -to set that up. For Debian type systems, we primarily recommend | |
| 115 | -following [our systemd user service guide](service.md). | |
| 116 | - | |
| 117 | -Another option would be to customize [the `fslsrv` shell | |
| 118 | -script](/file/tools/fslsrv) that ships with Fossil as an example of | |
| 119 | -launching multiple Fossil instances in the background to serve multiple | |
| 120 | -URLs. | |
| 121 | - | |
| 122 | -However you do it, you need to match up the TCP port numbers between it | |
| 114 | +to set that up. For Debian type systems, we recommend | |
| 115 | +following [our systemd system service guide](service.md). | |
| 116 | + | |
| 117 | +There are other ways to arrange for Fossil to run as a service backing | |
| 118 | +nginx, but however you do it, you need to match up the TCP port numbers between it | |
| 123 | 119 | and those in the nginx configuration below. |
| 124 | 120 | |
| 125 | 121 | |
| 126 | 122 | ## <a name="config"></a>Configuration |
| 127 | 123 | |
| 128 | 124 |
| --- www/server/debian/nginx.md | |
| +++ www/server/debian/nginx.md | |
| @@ -109,19 +109,15 @@ | |
| 109 | |
| 110 | ## <a name="scgi"></a>Running Fossil in SCGI Mode |
| 111 | |
| 112 | For the following nginx configuration to work, it needs to contact a |
| 113 | Fossil instance speaking the SCGI protocol. There are [many ways](../) |
| 114 | to set that up. For Debian type systems, we primarily recommend |
| 115 | following [our systemd user service guide](service.md). |
| 116 | |
| 117 | Another option would be to customize [the `fslsrv` shell |
| 118 | script](/file/tools/fslsrv) that ships with Fossil as an example of |
| 119 | launching multiple Fossil instances in the background to serve multiple |
| 120 | URLs. |
| 121 | |
| 122 | However you do it, you need to match up the TCP port numbers between it |
| 123 | and those in the nginx configuration below. |
| 124 | |
| 125 | |
| 126 | ## <a name="config"></a>Configuration |
| 127 | |
| 128 |
| --- www/server/debian/nginx.md | |
| +++ www/server/debian/nginx.md | |
| @@ -109,19 +109,15 @@ | |
| 109 | |
| 110 | ## <a name="scgi"></a>Running Fossil in SCGI Mode |
| 111 | |
| 112 | For the following nginx configuration to work, it needs to contact a |
| 113 | Fossil instance speaking the SCGI protocol. There are [many ways](../) |
| 114 | to set that up. For Debian type systems, we recommend |
| 115 | following [our systemd system service guide](service.md). |
| 116 | |
| 117 | There are other ways to arrange for Fossil to run as a service backing |
| 118 | nginx, but however you do it, you need to match up the TCP port numbers between it |
| 119 | and those in the nginx configuration below. |
| 120 | |
| 121 | |
| 122 | ## <a name="config"></a>Configuration |
| 123 | |
| 124 |
+38
-6
| --- www/server/debian/service.md | ||
| +++ www/server/debian/service.md | ||
| @@ -43,17 +43,23 @@ | ||
| 43 | 43 | WantedBy=sockets.target |
| 44 | 44 | WantedBy=multi-user.target |
| 45 | 45 | ``` |
| 46 | 46 | |
| 47 | 47 | Unlike with `inetd` and `xinetd`, we don’t need to tell `systemd` which |
| 48 | -user and group to run this service as, because we’ve installed it as a | |
| 49 | -user service under the account we’re logged into. | |
| 48 | +user and group to run this service as, because we’ve installed it | |
| 49 | +under the account we’re logged into, which `systemd` will use as the | |
| 50 | +service’s owner. | |
| 50 | 51 | |
| 51 | 52 | We’ve told `systemd` that we want automatic service restarts with |
| 52 | 53 | back-off logic, making this much more robust than the by-hand launches |
| 53 | 54 | of `fossil` in the platform-independent Fossil server instructions. The |
| 54 | 55 | service will stay up until we explicitly tell it to shut down. |
| 56 | + | |
| 57 | +A simple and useful modification to the above scheme is to add the | |
| 58 | +`--scgi` and `--localhost` flags to the `ExecStart` line to replace the | |
| 59 | +use of `fslsrv` in [the generic SCGI instructions](../any/scgi.md), | |
| 60 | +giving a much more robust configuration. | |
| 55 | 61 | |
| 56 | 62 | Because we’ve set this up as a user service, the commands you give to |
| 57 | 63 | manipulate the service vary somewhat from the sort you’re more likely to |
| 58 | 64 | find online: |
| 59 | 65 | |
| @@ -69,14 +75,40 @@ | ||
| 69 | 75 | |
| 70 | 76 | This scheme isolates the permissions needed by the Fossil server, which |
| 71 | 77 | reduces the amount of damage it can do if there is ever a |
| 72 | 78 | remotely-triggerable security flaw found in Fossil. |
| 73 | 79 | |
| 74 | -A simple and useful modification to the above scheme is to add the | |
| 75 | -`--scgi` and `--localhost` flags to the `ExecStart` line to replace the | |
| 76 | -use of `fslsrv` in [the generic SCGI instructions](../any/scgi.md), | |
| 77 | -giving a much more robust configuration. | |
| 80 | +On some `systemd` based OSes, user services only run while that user is | |
| 81 | +logged in interactively. This is common on systems aiming to provide | |
| 82 | +desktop environments, where this is the behavior you often want. To | |
| 83 | +allow background services to continue to run after logout, say: | |
| 84 | + | |
| 85 | + $ sudo loginctl enable-linger $USER | |
| 86 | + | |
| 87 | +You can paste the command just like that into your terminal, since | |
| 88 | +`$USER` will expand to your login name. | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | +### System Service Alternative | |
| 93 | + | |
| 94 | +Another workaround for the problem with user services above is to | |
| 95 | +install the service as a system service instead. This is a better path | |
| 96 | +when you are proxying Fossil with a system-level service, such as | |
| 97 | +[nginx](./nginx.md). | |
| 98 | + | |
| 99 | +There are just a small set of changes required: | |
| 100 | + | |
| 101 | +1. Install the unit file to one of the persistent system-level unit | |
| 102 | + file directories. Typically, these are: | |
| 103 | + | |
| 104 | + /etc/systemd/system | |
| 105 | + /lib/systemd/system | |
| 106 | + | |
| 107 | +2. Add `User` and `Group` directives to the `[Service]` section so | |
| 108 | + Fossil runs as a normal user, preferrably one with access only to | |
| 109 | + the Fossil repo files, rather than running as `root`. | |
| 78 | 110 | |
| 79 | 111 | |
| 80 | 112 | ## Socket Activation |
| 81 | 113 | |
| 82 | 114 | Another useful method to serve a Fossil repo via `systemd` is via a |
| 83 | 115 |
| --- www/server/debian/service.md | |
| +++ www/server/debian/service.md | |
| @@ -43,17 +43,23 @@ | |
| 43 | WantedBy=sockets.target |
| 44 | WantedBy=multi-user.target |
| 45 | ``` |
| 46 | |
| 47 | Unlike with `inetd` and `xinetd`, we don’t need to tell `systemd` which |
| 48 | user and group to run this service as, because we’ve installed it as a |
| 49 | user service under the account we’re logged into. |
| 50 | |
| 51 | We’ve told `systemd` that we want automatic service restarts with |
| 52 | back-off logic, making this much more robust than the by-hand launches |
| 53 | of `fossil` in the platform-independent Fossil server instructions. The |
| 54 | service will stay up until we explicitly tell it to shut down. |
| 55 | |
| 56 | Because we’ve set this up as a user service, the commands you give to |
| 57 | manipulate the service vary somewhat from the sort you’re more likely to |
| 58 | find online: |
| 59 | |
| @@ -69,14 +75,40 @@ | |
| 69 | |
| 70 | This scheme isolates the permissions needed by the Fossil server, which |
| 71 | reduces the amount of damage it can do if there is ever a |
| 72 | remotely-triggerable security flaw found in Fossil. |
| 73 | |
| 74 | A simple and useful modification to the above scheme is to add the |
| 75 | `--scgi` and `--localhost` flags to the `ExecStart` line to replace the |
| 76 | use of `fslsrv` in [the generic SCGI instructions](../any/scgi.md), |
| 77 | giving a much more robust configuration. |
| 78 | |
| 79 | |
| 80 | ## Socket Activation |
| 81 | |
| 82 | Another useful method to serve a Fossil repo via `systemd` is via a |
| 83 |
| --- www/server/debian/service.md | |
| +++ www/server/debian/service.md | |
| @@ -43,17 +43,23 @@ | |
| 43 | WantedBy=sockets.target |
| 44 | WantedBy=multi-user.target |
| 45 | ``` |
| 46 | |
| 47 | Unlike with `inetd` and `xinetd`, we don’t need to tell `systemd` which |
| 48 | user and group to run this service as, because we’ve installed it |
| 49 | under the account we’re logged into, which `systemd` will use as the |
| 50 | service’s owner. |
| 51 | |
| 52 | We’ve told `systemd` that we want automatic service restarts with |
| 53 | back-off logic, making this much more robust than the by-hand launches |
| 54 | of `fossil` in the platform-independent Fossil server instructions. The |
| 55 | service will stay up until we explicitly tell it to shut down. |
| 56 | |
| 57 | A simple and useful modification to the above scheme is to add the |
| 58 | `--scgi` and `--localhost` flags to the `ExecStart` line to replace the |
| 59 | use of `fslsrv` in [the generic SCGI instructions](../any/scgi.md), |
| 60 | giving a much more robust configuration. |
| 61 | |
| 62 | Because we’ve set this up as a user service, the commands you give to |
| 63 | manipulate the service vary somewhat from the sort you’re more likely to |
| 64 | find online: |
| 65 | |
| @@ -69,14 +75,40 @@ | |
| 75 | |
| 76 | This scheme isolates the permissions needed by the Fossil server, which |
| 77 | reduces the amount of damage it can do if there is ever a |
| 78 | remotely-triggerable security flaw found in Fossil. |
| 79 | |
| 80 | On some `systemd` based OSes, user services only run while that user is |
| 81 | logged in interactively. This is common on systems aiming to provide |
| 82 | desktop environments, where this is the behavior you often want. To |
| 83 | allow background services to continue to run after logout, say: |
| 84 | |
| 85 | $ sudo loginctl enable-linger $USER |
| 86 | |
| 87 | You can paste the command just like that into your terminal, since |
| 88 | `$USER` will expand to your login name. |
| 89 | |
| 90 | |
| 91 | |
| 92 | ### System Service Alternative |
| 93 | |
| 94 | Another workaround for the problem with user services above is to |
| 95 | install the service as a system service instead. This is a better path |
| 96 | when you are proxying Fossil with a system-level service, such as |
| 97 | [nginx](./nginx.md). |
| 98 | |
| 99 | There are just a small set of changes required: |
| 100 | |
| 101 | 1. Install the unit file to one of the persistent system-level unit |
| 102 | file directories. Typically, these are: |
| 103 | |
| 104 | /etc/systemd/system |
| 105 | /lib/systemd/system |
| 106 | |
| 107 | 2. Add `User` and `Group` directives to the `[Service]` section so |
| 108 | Fossil runs as a normal user, preferrably one with access only to |
| 109 | the Fossil repo files, rather than running as `root`. |
| 110 | |
| 111 | |
| 112 | ## Socket Activation |
| 113 | |
| 114 | Another useful method to serve a Fossil repo via `systemd` is via a |
| 115 |