Tuesday, March 1, 2011

FOSS@RIT Hosted Infrastructure

Inspired by Fedora Hosted, I decided it would be pretty neat if we had a similar setup for FOSS@RIT.

For those who are not familiar with Fedora Hosted, it is a service run by Fedora that gives the FOSS community access to a Trac instance, Git repo, and mailing lists. It also provides a nice project management system that lets you choose who is in your project group, which grants commit access to your repository. Overall it is a really nice system.

I figured it would be pretty neat to have something similar to that at RIT. This would allow us to build our own branding and self image as a FOSS community, giving the FOSS projects of RIT a public repository.

Requirements

  • The system should be easy to maintain on economy hardware.
  • Users should be able to easily request and gain access to the system.
  • Users should be able to modify their own SSH key for Git.

Trac

I have used Trac in the past and it is an excellent bug tracker. It has a very large community base with a large set of community plugins available. It was a little tricky at first to figure out how to set up multiple instances on one Trac install.

I have Trac set up as a WSGI extension of the Apache web server so that it could integrate smoothly with the running website.

The biggest problem with the current Trac setup is that its user management system is really lacking. Trac needs third-party plugins to even provide a simple user management system. In the end, it needs to use some other authentication system to be truly powerful. I could have it use RIT's LDAP, but that limits us to only RIT accounts, which is unacceptable because once you become an alumnus your LDAP account is deactivated. FOSS@RIT would need to run our own authentication server, which would not necessarily be too bad, but it is not on my todo list at this time.

The current system uses a basic htpasswd authentication scheme, which I am not a very big fan of. People can too easily create accounts and spam the system. A few spam-fighting plugins do help, but still don't quite cut it. A nice thing about this setup is that it allows one account to access all of the Trac projects.

To spin up another Trac project I just need to log in to the server and run a few commands through the trac-admin console.

Git

To offer a Git repo, I wanted a system that allows easy control of creating repositories, adding users, and managing their SSH keys. The simplest way would be to give everyone an account on the server and let Git run off their accounts. The problem with this is that at this time I didn't want to give accounts to everyone. Our server is not very powerful and is running other tasks as well. So I needed a system that allowed us to manage everything over one user.

The solution I found is to use a system called Gitosis. Gitosis lets us manage the Git server through an admin Git repository. I thought that was pretty clever. What makes this a good solution is that it allows creation and access control of the repositories in a fairly simple config file. It also controls access through one git account and user SSH keys.
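An added example, not from the original post or the Gitosis project: a small audit of a `gitosis.conf` that resolves who can read or write each repository and compares the member names against the `keydir/` key files. The sample config, the key listing and the function names are constructed for illustration.

```python
import configparser

# Constructed sample of gitosis.conf from the gitosis-admin repository.
SAMPLE_CONF = """
[gitosis]

[group gitosis-admin]
members = alice
writable = gitosis-admin

[group civx]
members = alice bob
writable = civx
readonly = website

[group web]
members = @gitosis-admin carol
writable = website
"""
# Constructed listing of keydir/ (one <user>.pub file per user).
SAMPLE_KEYDIR = ["alice.pub", "bob.pub", "dave.pub"]

def load_groups(conf_text):
    """Return {group: {"members": [...], "writable": [...], "readonly": [...]}}."""
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    keys = ("members", "writable", "readonly")
    return {s[len("group "):].strip():
            {k: parser.get(s, k, fallback="").split() for k in keys}
            for s in parser.sections() if s.startswith("group ")}

def expand(group, groups, seen):
    """Resolve a group's users, following @group references without looping."""
    if group in seen or group not in groups:
        return set()
    seen.add(group)
    users = set()
    for m in groups[group]["members"]:
        users |= expand(m[1:], groups, seen) if m.startswith("@") else {m}
    return users

def audit(conf_text, keydir):
    """Return (access map, members with no key file, key files with no access)."""
    groups = load_groups(conf_text)
    keyed = {f[:-4] for f in keydir if f.endswith(".pub")}
    access = {}  # repo -> {user: "rw" or "r"}
    for name, g in groups.items():
        for user in expand(name, groups, set()):
            for repo in g["readonly"]:
                access.setdefault(repo, {}).setdefault(user, "r")
            for repo in g["writable"]:
                access.setdefault(repo, {})[user] = "rw"  # write wins over read
    members = {u for users in access.values() for u in users}
    return access, sorted(members - keyed), sorted(keyed - members)
```

A member with no key file cannot authenticate, and a key file with no group membership is usually a leftover from a removed user; both are worth checking before pushing a change to the admin repository.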

To make this solution even better, I found a plugin for Trac that allows users to manage their SSH keys from Trac.

The biggest problem with this system is that while users can manage their SSH keys, they still don't have a way to manage access control on their repositories. I have been thinking about possibly modifying the plugin to allow repository control. The reason I haven't done so is that the way Trac supports multiple instances doesn't give me very fine control over permissions. I have yet to figure out a nice way to get the plugin to be able to manage the individual repositories each project owns while still maintaining security. It currently seems to be an all or none solution.

Mailing Lists

I have not fully looked into this option yet. It would be nice to run our own mailing list server that could integrate with the rest of the services, but that is a bit more complicated than I would like to deal with at this point. It also has to deal with RIT network policies, which I don't want to get into at this point.

RIT does have a Mailman system set up that we may be able to use for our own mailings, but setting up one for all of our projects might be problematic.

Next Steps

I love Trac, but using it for many projects seems to be a bit difficult. This is mainly a matter of how to manage lots of projects and users in a timely manner. I don't like having to run upgrade commands on every project to add a plugin or having to carefully watch the user list for spam signups. I have started looking at other systems like Redmine. It looks promising as it supports many projects and subprojects. I even found a Gitosis plugin that claims to support the user key system as well as the ability to manage Git repos. If this is true, that is a huge win! My only problem with Redmine is that it is a Ruby on Rails application, which I am not too familiar with, especially as we are mainly a Python shop here.

I hate to say it, but it might be more beneficial to use a third party like GitHub as our infrastructure. But these are only initial thoughts; with some more research and time I am sure I can find or create a very cohesive system. I am still trying out some things with Drupal as well.

I will keep you updated on my findings in the future.
