Fossil SCM

Moved the chroot and loadmgmt sections of www/server.wiki into separate documents. This change also adds info on /proc to the chroot doc, which was missing in its prior server.wiki form. Also reduced a few other "details" sections of server.wiki to bullet points in the new "Further Details" list at the end of the document.

wyoung 2019-08-16 12:53 server-docs

Commit 85eaffb6a59c0642ffad9c21d76ae21879b587d793b9b9422cdbb762b5b749f0

Parent 3c9f811b8728410…

5 files changed +2 +6 -153 +1 -1 +1 -1 +1 -1

+ www/loadmgmt.md ~ www/server.wiki ~ www/server/any/cgi.md ~ www/server/any/inetd.md ~ www/ssl.wiki

A www/loadmgmt.md

		--- a/www/loadmgmt.md
		+++ b/www/loadmgmt.md
		@@ -0,0 +1,2 @@
	1	+
	2	+

	--- a/www/loadmgmt.md
	+++ b/www/loadmgmt.md
	@@ -0,0 +1,2 @@

	--- a/www/loadmgmt.md
	+++ b/www/loadmgmt.md
	@@ -0,0 +1,2 @@
1
2

M www/server.wiki

+6 -153

		--- www/server.wiki
		+++ www/server.wiki
		@@ -139,158 +139,11 @@
139	139	\| contributions] to cover these as well. We also welcome contributions
140	140	to fill gaps (❌) in the table above.
141	141	</blockquote>
142	142
143	143
144		-<h2 id="ext">CGI Server Extensions</h2>
145		-
146		-<blockquote>
147		- In addition to serving Fossil repositories via CGI, Fossil can
148		- itself [./serverext.wiki \| launch other programs via CGI] to
149		- implement server extensions. Do not confuse these two concepts. This
150		- extension mechanism works regardless of the method above you choose
151		- to serve your Fossil repository.
152		-</blockquote>
153		-
154		-
155		-<h2 id="tls">Securing a repository with TLS</h2>
156		-
157		-<blockquote>
158		- Fossil's built-in HTTP server (e.g. "fossil server") does not support
159		- TLS, but there are multiple ways to protect your Fossil server with
160		- TLS. All of this is covered in a separate document, <a
161		- href="./ssl.wiki">Using TLS-Encrypted Communications with Fossil</a>.
162		-</blockquote>
163		-
164		-
165		-<h2 id="chroot">The Fossil Chroot Jail</h2>
166		-
167		-<blockquote>
168		-If you run Fossil as root in any mode that serves data on the
169		-network, and you're running it on Unix or a compatible OS, Fossil
170		-will drop itself into a [https://en.wikipedia.org/wiki/Chroot \|
171		-chroot jail] shortly after starting up, after
172		-it's done everything that requires root access. Most
173		-commonly, you run Fossil as root to allow it to bind to TCP port 80
174		-for HTTP service, since normal users are restricted to ports 1024
175		-and up on OSes where this behavior occurs.
176		-
177		-Fossil uses the owner of the Fossil repository file as its new user
178		-ID when dropping root privileges.
179		-
180		-When this happens, Fossil needs to have all of its dependencies
181		-inside the chroot jail. There are several things you typically need
182		-in order to make things work properly:
183		-
184		-<ul>
185		- <li>the repository file(s)
186		-
187		- <li><tt>/dev/null</tt> — create it with <tt>mknod(8)</tt> inside the
188		- jail directory ([https://fossil-scm.org/forum/forumpost/90caff30cb \|
189		- Linux example])
190		-
191		- <li><tt>/dev/urandom</tt> — ditto
192		-
193		- <li>any shared libraries your <tt>fossil</tt> binary is linked to,
194		- such as <tt>/lib/libssl.so</tt>; consider
195		- <tt>[https://www.fossil-scm.org/fossil/doc/trunk/www/build.wiki \|
196		- ./configure --static]</tt> to avoid the need for this
197		-</ul> </blockquote>
198		-
199		-<blockquote>
200		-Fossil does all of this in order to protect the host OS. You can make it
201		-bypass the jail part of this by passing <tt>--nojail</tt> to <tt>fossil server</tt>,
202		-but you cannot make it skip the dropping of root privileges, on purpose.
203		-</blockquote>
204		-
205		-
206		-<h2 id="loadmgmt">Managing Server Load</h2>
207		-
208		-<blockquote>
209		-A Fossil server is very efficient and normally presents a very light
210		-load on the server.
211		-The Fossil [./selfhost.wiki \| self-hosting server] is a 1/24th slice VM at
212		-[http://www.linode.com \| Linode.com] hosting 65 other repositories in
213		-addition to Fossil (and including some very high-traffic sites such
214		-as [http://www.sqlite.org] and [http://system.data.sqlite.org]) and
215		-it has a typical load of 0.05 to 0.1. A single HTTP request to Fossil
216		-normally takes less than 10 milliseconds of CPU time to complete, so
217		-requests can be arriving at a continuous rate of 20 or more per second,
218		-and the CPU can still be mostly idle.
219		-
220		-However, there are some Fossil web pages that can consume large
221		-amounts of CPU time, especially on repositories with a large number
222		-of files or with long revision histories. High CPU usage pages include
223		-[/help?cmd=/zip \| /zip], [/help?cmd=/tarball \| /tarball],
224		-[/help?cmd=/annotate \| /annotate] and others. On very large repositories,
225		-these commands can take 15 seconds or more of CPU time.
226		-If these kinds of requests arrive too quickly, the load average on the
227		-server can grow dramatically, making the server unresponsive.
228		-
229		-Fossil provides two capabilities to help avoid server overload problems
230		-due to excessive requests to expensive pages:
231		-
232		-<ol>
233		- <li><p>An optional cache is available that remembers the 10 most recently
234		- requested /zip or /tarball pages and returns the precomputed answer
235		- if the same page is requested again.</p>
236		- <li><p>Page requests can be configured to fail with a
237		- [http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.5.4 \| "503 Server Overload"]
238		- HTTP error if an expensive request is received while the host load
239		- average is too high.</p>
240		-</ol>
241		-
242		-Both of these load-control mechanisms are turned off by default, but they
243		-are recommended for high-traffic sites.
244		-
245		-The webpage cache is activated using the [/help?cmd=cache\|fossil cache init]
246		-command-line on the server. Add a -R option to specify the specific repository
247		-for which to enable caching. If running this command as root, be sure to
248		-"chown" the cache database (which is a separate file in the same directory
249		-and with the same name as the repository but with the suffix changed to ".cache")
250		-to give it write permission for the userid of the web server.
251		-
252		-To activate the server load control feature
253		-visit the Admin → Access setup page in the administrative web
254		-interface; in the "<b>Server Load Average Limit</b>" box
255		-enter the load average threshold above which "503 Server
256		-Overload" replies will be issued for expensive requests. On the
257		-self-hosting Fossil server, that value is set to 1.5, but you could easily
258		-set it higher on a multi-core server.
259		-
260		-The maximum load average can also be set on the command line using
261		-commands like this:
262		-<blockquote><pre>
263		-fossil set max-loadavg 1.5
264		-fossil all set max-loadavg 1.5
265		-</pre></blockquote>
266		-
267		-The second form is especially useful for changing the maximum load average
268		-simultaneously on a large number of repositories.
269		-
270		-Note that this load-average limiting feature is only available on operating
271		-systems that support the "getloadavg()" API. Most modern Unix systems have
272		-this interface, but Windows does not, so the feature will not work on Windows.
273		-Note also that Linux implements "getloadavg()" by accessing the "/proc/loadavg"
274		-file in the "proc" virtual file system. If you are running a Fossil instance
275		-inside a chroot() jail on Linux, you will need to make the "/proc" file
276		-system available inside that jail in order for this feature to work. On
277		-the [./selfhost.wiki\|self-hosting Fossil repositories], this was accomplished
278		-by adding a line to the "/etc/fstab" file that looks like:
279		-
280		-<blockquote><pre>
281		-chroot_jail_proc /home/www/proc proc ro 0 0
282		-</pre></blockquote>
283		-
284		-The /home/www/proc pathname should be adjusted so that the "/proc" component is
285		-in the root of the chroot jail, of course.
286		-
287		-To see if the load-average limiter is functional, visit the [/test_env] page
288		-of the server to view the current load average. If the value for the load
289		-average is greater than zero, that means that it is possible to activate
290		-the load-average limiter on that repository. If the load average shows
291		-exactly "0.0", then that means that Fossil is unable to find the load average
292		-(either because it is in a chroot() jail without /proc access, or because
293		-it is running on a system that does not support "getloadavg()") and so the
294		-load-average limiter will not function.
295		-
296		-</blockquote>
	144	+<h2 id="more">Further Details</h2>
	145	+
	146	+ * <a name="chroot"></a>[./chroot.md \| The Server Chroot Jail]
	147	+ * <a name="loadmgmt"></a>[./loadmgmt.md \| Managing Server Load]
	148	+ * <a name="tls"></a>[./ssl.wiki \| Securing a Repository with TLS]
	149	+ * <a name="ext"></a>[./serverext.wiki \| CGI Server Extensions]
297	150

	--- www/server.wiki
	+++ www/server.wiki
	@@ -139,158 +139,11 @@
139	\| contributions] to cover these as well. We also welcome contributions
140	to fill gaps (❌) in the table above.
141	</blockquote>
142
143
144	<h2 id="ext">CGI Server Extensions</h2>
145
146	<blockquote>
147	In addition to serving Fossil repositories via CGI, Fossil can
148	itself [./serverext.wiki \| launch other programs via CGI] to
149	implement server extensions. Do not confuse these two concepts. This
150	extension mechanism works regardless of the method above you choose
151	to serve your Fossil repository.
152	</blockquote>
153
154
155	<h2 id="tls">Securing a repository with TLS</h2>
156
157	<blockquote>
158	Fossil's built-in HTTP server (e.g. "fossil server") does not support
159	TLS, but there are multiple ways to protect your Fossil server with
160	TLS. All of this is covered in a separate document, <a
161	href="./ssl.wiki">Using TLS-Encrypted Communications with Fossil</a>.
162	</blockquote>
163
164
165	<h2 id="chroot">The Fossil Chroot Jail</h2>
166
167	<blockquote>
168	If you run Fossil as root in any mode that serves data on the
169	network, and you're running it on Unix or a compatible OS, Fossil
170	will drop itself into a [https://en.wikipedia.org/wiki/Chroot \|
171	chroot jail] shortly after starting up, after
172	it's done everything that requires root access. Most
173	commonly, you run Fossil as root to allow it to bind to TCP port 80
174	for HTTP service, since normal users are restricted to ports 1024
175	and up on OSes where this behavior occurs.
176
177	Fossil uses the owner of the Fossil repository file as its new user
178	ID when dropping root privileges.
179
180	When this happens, Fossil needs to have all of its dependencies
181	inside the chroot jail. There are several things you typically need
182	in order to make things work properly:
183
184	<ul>
185	<li>the repository file(s)
186
187	<li><tt>/dev/null</tt> — create it with <tt>mknod(8)</tt> inside the
188	jail directory ([https://fossil-scm.org/forum/forumpost/90caff30cb \|
189	Linux example])
190
191	<li><tt>/dev/urandom</tt> — ditto
192
193	<li>any shared libraries your <tt>fossil</tt> binary is linked to,
194	such as <tt>/lib/libssl.so</tt>; consider
195	<tt>[https://www.fossil-scm.org/fossil/doc/trunk/www/build.wiki \|
196	./configure --static]</tt> to avoid the need for this
197	</ul> </blockquote>
198
199	<blockquote>
200	Fossil does all of this in order to protect the host OS. You can make it
201	bypass the jail part of this by passing <tt>--nojail</tt> to <tt>fossil server</tt>,
202	but you cannot make it skip the dropping of root privileges, on purpose.
203	</blockquote>
204
205
206	<h2 id="loadmgmt">Managing Server Load</h2>
207
208	<blockquote>
209	A Fossil server is very efficient and normally presents a very light
210	load on the server.
211	The Fossil [./selfhost.wiki \| self-hosting server] is a 1/24th slice VM at
212	[http://www.linode.com \| Linode.com] hosting 65 other repositories in
213	addition to Fossil (and including some very high-traffic sites such
214	as [http://www.sqlite.org] and [http://system.data.sqlite.org]) and
215	it has a typical load of 0.05 to 0.1. A single HTTP request to Fossil
216	normally takes less than 10 milliseconds of CPU time to complete, so
217	requests can be arriving at a continuous rate of 20 or more per second,
218	and the CPU can still be mostly idle.
219
220	However, there are some Fossil web pages that can consume large
221	amounts of CPU time, especially on repositories with a large number
222	of files or with long revision histories. High CPU usage pages include
223	[/help?cmd=/zip \| /zip], [/help?cmd=/tarball \| /tarball],
224	[/help?cmd=/annotate \| /annotate] and others. On very large repositories,
225	these commands can take 15 seconds or more of CPU time.
226	If these kinds of requests arrive too quickly, the load average on the
227	server can grow dramatically, making the server unresponsive.
228
229	Fossil provides two capabilities to help avoid server overload problems
230	due to excessive requests to expensive pages:
231
232	<ol>
233	<li><p>An optional cache is available that remembers the 10 most recently
234	requested /zip or /tarball pages and returns the precomputed answer
235	if the same page is requested again.</p>
236	<li><p>Page requests can be configured to fail with a
237	[http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.5.4 \| "503 Server Overload"]
238	HTTP error if an expensive request is received while the host load
239	average is too high.</p>
240	</ol>
241
242	Both of these load-control mechanisms are turned off by default, but they
243	are recommended for high-traffic sites.
244
245	The webpage cache is activated using the [/help?cmd=cache\|fossil cache init]
246	command-line on the server. Add a -R option to specify the specific repository
247	for which to enable caching. If running this command as root, be sure to
248	"chown" the cache database (which is a separate file in the same directory
249	and with the same name as the repository but with the suffix changed to ".cache")
250	to give it write permission for the userid of the web server.
251
252	To activate the server load control feature
253	visit the Admin → Access setup page in the administrative web
254	interface; in the "<b>Server Load Average Limit</b>" box
255	enter the load average threshold above which "503 Server
256	Overload" replies will be issued for expensive requests. On the
257	self-hosting Fossil server, that value is set to 1.5, but you could easily
258	set it higher on a multi-core server.
259
260	The maximum load average can also be set on the command line using
261	commands like this:
262	<blockquote><pre>
263	fossil set max-loadavg 1.5
264	fossil all set max-loadavg 1.5
265	</pre></blockquote>
266
267	The second form is especially useful for changing the maximum load average
268	simultaneously on a large number of repositories.
269
270	Note that this load-average limiting feature is only available on operating
271	systems that support the "getloadavg()" API. Most modern Unix systems have
272	this interface, but Windows does not, so the feature will not work on Windows.
273	Note also that Linux implements "getloadavg()" by accessing the "/proc/loadavg"
274	file in the "proc" virtual file system. If you are running a Fossil instance
275	inside a chroot() jail on Linux, you will need to make the "/proc" file
276	system available inside that jail in order for this feature to work. On
277	the [./selfhost.wiki\|self-hosting Fossil repositories], this was accomplished
278	by adding a line to the "/etc/fstab" file that looks like:
279
280	<blockquote><pre>
281	chroot_jail_proc /home/www/proc proc ro 0 0
282	</pre></blockquote>
283
284	The /home/www/proc pathname should be adjusted so that the "/proc" component is
285	in the root of the chroot jail, of course.
286
287	To see if the load-average limiter is functional, visit the [/test_env] page
288	of the server to view the current load average. If the value for the load
289	average is greater than zero, that means that it is possible to activate
290	the load-average limiter on that repository. If the load average shows
291	exactly "0.0", then that means that Fossil is unable to find the load average
292	(either because it is in a chroot() jail without /proc access, or because
293	it is running on a system that does not support "getloadavg()") and so the
294	load-average limiter will not function.
295
296	</blockquote>
297

	--- www/server.wiki
	+++ www/server.wiki
	@@ -139,158 +139,11 @@
139	\| contributions] to cover these as well. We also welcome contributions
140	to fill gaps (❌) in the table above.
141	</blockquote>
142
143
144	<h2 id="more">Further Details</h2>
145
146	* <a name="chroot"></a>[./chroot.md \| The Server Chroot Jail]
147	* <a name="loadmgmt"></a>[./loadmgmt.md \| Managing Server Load]
148	* <a name="tls"></a>[./ssl.wiki \| Securing a Repository with TLS]
149	* <a name="ext"></a>[./serverext.wiki \| CGI Server Extensions]



















































































































































150

M www/server/any/cgi.md

+1 -1

		--- www/server/any/cgi.md
		+++ www/server/any/cgi.md
		@@ -37,11 +37,11 @@
37	37	under.) The directory holding the repository file(s) needs to be
38	38	writable so that SQLite can write its journal files.
39	39
40	40	* Fossil must be able to create temporary files in a
41	41	[directory that varies by host OS](../../env-opts.md#temp). When the
42		- CGI process is operating [within a chroot](../../server.wiki#chroot),
	42	+ CGI process is operating [within a chroot](../../chroot.md),
43	43	ensure that this directory exists and is readable/writeable by the
44	44	user who executes the Fossil binary.
45	45
46	46	Once the CGI script is set up correctly, and assuming your server is
47	47	also set correctly, you should be able to access your repository with a
48	48

	--- www/server/any/cgi.md
	+++ www/server/any/cgi.md
	@@ -37,11 +37,11 @@
37	under.) The directory holding the repository file(s) needs to be
38	writable so that SQLite can write its journal files.
39
40	* Fossil must be able to create temporary files in a
41	[directory that varies by host OS](../../env-opts.md#temp). When the
42	CGI process is operating [within a chroot](../../server.wiki#chroot),
43	ensure that this directory exists and is readable/writeable by the
44	user who executes the Fossil binary.
45
46	Once the CGI script is set up correctly, and assuming your server is
47	also set correctly, you should be able to access your repository with a
48

	--- www/server/any/cgi.md
	+++ www/server/any/cgi.md
	@@ -37,11 +37,11 @@
37	under.) The directory holding the repository file(s) needs to be
38	writable so that SQLite can write its journal files.
39
40	* Fossil must be able to create temporary files in a
41	[directory that varies by host OS](../../env-opts.md#temp). When the
42	CGI process is operating [within a chroot](../../chroot.md),
43	ensure that this directory exists and is readable/writeable by the
44	user who executes the Fossil binary.
45
46	Once the CGI script is set up correctly, and assuming your server is
47	also set correctly, you should be able to access your repository with a
48

M www/server/any/inetd.md

+1 -1

		--- www/server/any/inetd.md
		+++ www/server/any/inetd.md
		@@ -24,11 +24,11 @@
24	24	and use the symbolic name “`fossil`” instead of the numeric TCP port
25	25	number (“12345” in the above example) in `inetd.conf`.
26	26
27	27	Notice that we configured `inetd` to launch Fossil as root. See the
28	28	top-level section on “[The Fossil Chroot
29		-Jail](../../server.wiki#chroot)” for the consequences of this and
	29	+Jail](../../chroot.md)” for the consequences of this and
30	30	alternatives to it.
31	31
32	32	You can instead configure `inetd` to bind to a higher-numbered TCP port,
33	33	allowing Fossil to be run as a normal user. In that case, Fossil will
34	34	not put itself into a chroot jail, because it assumes you have set up
35	35

	--- www/server/any/inetd.md
	+++ www/server/any/inetd.md
	@@ -24,11 +24,11 @@
24	and use the symbolic name “`fossil`” instead of the numeric TCP port
25	number (“12345” in the above example) in `inetd.conf`.
26
27	Notice that we configured `inetd` to launch Fossil as root. See the
28	top-level section on “[The Fossil Chroot
29	Jail](../../server.wiki#chroot)” for the consequences of this and
30	alternatives to it.
31
32	You can instead configure `inetd` to bind to a higher-numbered TCP port,
33	allowing Fossil to be run as a normal user. In that case, Fossil will
34	not put itself into a chroot jail, because it assumes you have set up
35

	--- www/server/any/inetd.md
	+++ www/server/any/inetd.md
	@@ -24,11 +24,11 @@
24	and use the symbolic name “`fossil`” instead of the numeric TCP port
25	number (“12345” in the above example) in `inetd.conf`.
26
27	Notice that we configured `inetd` to launch Fossil as root. See the
28	top-level section on “[The Fossil Chroot
29	Jail](../../chroot.md)” for the consequences of this and
30	alternatives to it.
31
32	You can instead configure `inetd` to bind to a higher-numbered TCP port,
33	allowing Fossil to be run as a normal user. In that case, Fossil will
34	not put itself into a chroot jail, because it assumes you have set up
35

M www/ssl.wiki

+1 -1

		--- www/ssl.wiki
		+++ www/ssl.wiki
		@@ -1,6 +1,6 @@
1		-<title>TLS and Fossil</title>
	1	+<title>Securing a Repository with TLS</title>
2	2
3	3	<h2>Using TLS-Encrypted Communications with Fossil</h2>
4	4
5	5	If you are storing sensitive information in a repository accessible over
6	6	a network whose integrity you do not fully trust, you should use TLS to
7	7

	--- www/ssl.wiki
	+++ www/ssl.wiki
	@@ -1,6 +1,6 @@
1	<title>TLS and Fossil</title>
2
3	<h2>Using TLS-Encrypted Communications with Fossil</h2>
4
5	If you are storing sensitive information in a repository accessible over
6	a network whose integrity you do not fully trust, you should use TLS to
7

	--- www/ssl.wiki
	+++ www/ssl.wiki
	@@ -1,6 +1,6 @@
1	<title>Securing a Repository with TLS</title>
2
3	<h2>Using TLS-Encrypted Communications with Fossil</h2>
4
5	If you are storing sensitive information in a repository accessible over
6	a network whose integrity you do not fully trust, you should use TLS to
7

Fossil SCM

Keyboard Shortcuts