Posted to users@subversion.apache.org by Marc Girod <mg...@iona.com> on 2007/08/27 10:41:33 UTC

Running svnsync from post-commit hook

Hello,

I searched the mail archive but couldn't find a suitable thread...
I am trying to implement the recommendations in:

  http://svnbook.red-bean.com/nightly/en/svn.reposadmin.maint.html#svn.reposadmin.maint.replication

In particular, I try to invoke 'svnsync synchronize' in the
post-commit (and post-revprop-change) hook(s), and get into access
right issues:

- the hooks are run under the account of the committer: good for
  sending mail, but bad for running svnsync synchronize...
- I understand (now) that this is the reason for the '--username'
  option.
- However, I'd like to avoid having to give the '--password' one
- In any case, with or without these options, I get the following
  error:

$ svnsync synchronize svn+ssh://stengers/x1/svnroot/foo --username vobadm
svnsync: 'pre-revprop-change' hook failed with error output:
Only the vobadm user may change revision properties

Note however that this works:

$ sudo -u vobadm svnsync synchronize svn+ssh://stengers/x1/svnroot/foo
Committed revision 13.
Copied properties for revision 13.

I have tried to 'chown vobadm' and to 'chmod u+s' the svnsync binary,
but without success.

Can somebody point me to what I am doing wrong?
Thanks,
Marc

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Running svnsync from post-commit hook

Posted by Marc Girod <mg...@iona.com>.
Hi,

I am still trying to get mirror synchronization to work from the
post-commit hook.

I have now:
- decided to use http:// and --username x --password y --non-interactive
  instead of svn+ssh://, which would have required setting up keys under
  the users' home directories.
- created a new account for that, and used it on both sides (as I
  couldn't get it to work only on the mirror as I first tried)

I get however:

bar> svn -m 'start again' ci
Adding         aa.txt
Transmitting file data .
Committed revision 4.

Warning: 'post-commit' hook failed with error output:
svnsync: DAV request failed; it's possible that the repository's pre-revprop-change hook either failed or is non-existent
svnsync: At least one property change failed; repository is unchanged


and on the mirror server:

svnroot> sudo tail -1 /var/log/httpd/error_log
[Tue Sep 04 16:47:42 2007] [error] [client 10.5.2.144] PAM: user 'svnsync' - not authenticated: Authentication failure


I check that my hooks are in place, executable:

svnroot> cat /x1/svntools/mirror/pre-revprop-change
#!/bin/sh 

USER="$3"

if [ "$USER" = "svnsync" ]; then exit 0; fi

echo "Only the 'svnsync' user may change revision properties on the mirror" >&2
exit 1
svnroot> cat /x1/svntools/mirror/start-commit
#!/bin/sh 

USER="$2"

if [ "$USER" = "svnsync" ]; then exit 0; fi

echo "Only the svnsync user may commit new revisions" >&2
exit 1


and match my post-commit on the source:

bar> tail -1 /x1/svnroot/bar/hooks/post-commit
svnsync synchronize http://stengers/repos/bar --username svnsync --password n0b0dykn0ws --non-interactive


Note that '/repos' should be OK:
svnroot> grep -A2 /repos /etc/httpd/conf/httpd.conf 
<Location /repos>
  DAV svn
  SVNParentPath /x1/svnroot

I try to understand the httpd pam error...
I do have:

svnroot> grep pam /etc/httpd/conf/httpd.conf 
LoadModule auth_pam_module modules/mod_auth_pam.so
svnroot> locate modules/mod_auth_pam.so
/usr/lib64/httpd/modules/mod_auth_pam.so
svnroot> strings /usr/lib64/httpd/modules/mod_auth_pam.so | grep mod_auth_pam/
PAM: mod_auth_pam/2.0-1.1


My user account is local (not a nis one) on both hosts, with the same
uid:

svnroot> grep svnsync /etc/passwd
svnsync:x:50009:20:Local for svn synchronization testing:/local/home/svnsync:/bin/bash

It was added with useradd and is properly shadowed.
What am I still missing?
Thanks.

Marc


Re: Running svnsync from post-commit hook

Posted by Marc Girod <mg...@iona.com>.
Thanks again Joshua,

"Joshua Oreman" <or...@gmail.com> writes:

> Sorry if I wasn't clear on that - I meant you need to give them
> access from their account on the svn server to the replication
> machine.

You were quite clear: I was not, but I had understood.

I'd like to avoid that.
Or I'd have to create a really dedicated account, which I didn't do
(reused one which is used for other things...).

Also, we do have problems with Tortoise users on Windows, relating to
svn+ssh, and the settings for PuTTY...

> Just thought of something you could use to make this more secure,
> too: add a command= field to the line in authorized_keys, so the
> user can only run svnserve -t.

Thanks. I didn't know of this trick either.
Amazing that one cannot find it in the ssh man pages... 'lesser known
fact', huh... That's another phrase for 'undocumented feature', isn't
it? OK... it is in
  http://www.oreilly.com/catalog/sshtdg/chapter/ch11.html
....

> There's documentation about how to do that in the svn book.

Found it:

http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sshauth

> There are four access methods to a Subversion repository.  file://
> won't work for your case, because the developers aren't all on the
> same machine.  svn+ssh:// (tunneled svnserve) is what you're using
> now.  It's also possible to set up subversion to go through http://
> or https:// (which involves configuring Apache appropriately) or to
> use the custom svn:// protocol, which involves running an svnserve
> process as daemon on your repository server.  Documentation about
> the specifics of all of these is in the svn book.

I thought I knew all of this, but the devil is in the details.
Besides, I have a good memory: I forget fast.

But for http, I'd have to spell the password in clear, and I want to
avoid that.

I have to re-examine the svnserve options.

> Since you already have significant infrastructure set up, an access
> method switch might not be the best idea - each user would have to
> run svn switch --relocate whatever://repo.server/new/path in all
> their working copies.

If they'd have to do it once, this would even be acceptable.
Anyway, I don't think this should be needed.

One more question: at what point did I depart from the most basic
mainstream setup for mirroring, or how to explain that these instructions
are not found (easily) in the documentation?

I mean now, in or from:
  http://svnbook.red-bean.com/nightly/en/svn.reposadmin.maint.html#svn.reposadmin.maint.replication

Or wouldn't you agree it is missing there?

Thanks again,
Marc


Re: Running svnsync from post-commit hook

Posted by Joshua Oreman <or...@gmail.com>.
On 27 Aug 2007 17:52:28 +0100, Marc Girod <mg...@iona.com> wrote:
> Hello Joshua,
>
> Thanks for your suggestion...
> [ . . . ]
> There's the trust level issue--no, indeed, I cannot give such an
> access to everybody, and it doesn't only depend on me-- but I thought
> even more of the manageability issue: there are many committers, over
> different continents, with whom synchronization is not easy.

Sorry if I wasn't clear on that - I meant you need to give them access
from their account on the svn server to the replication machine.

> Now, your setup suggestion may alleviate that...
>
> > If you do trust them with that, the easiest way is probably to make
> > a wholly new keypair, and store it in the repository somewhere:
>
> > $ ssh-keygen -t rsa -f /your/repository/conf/id_rsa.mirror
> > Add /your/repository/conf/id_rsa.mirror.pub to
> > stengers:/home/vobadm/.ssh/authorized_keys, and add the following to
> > each committer's ~/.subversion/config:
> >
> > [tunnels]
> > sync = ssh -i /your/repository/conf/id_rsa.mirror
> >
> > Then use 'svn+sync://vobadm@stengers' instead of 'svn+ssh://vobadm@stengers'.
>
> Very interesting.

Just thought of something you could use to make this more secure, too:
add a command= field to the line in authorized_keys, so the user can
only run svnserve -t.  There's documentation about how to do that in
the svn book.

> > But a better solution might be to switch to using svnserve or Apache.
>
> Sorry?
> We are supporting http as well as ssh, with an apache server.
>
> How can this help us?
> Idem, I didn't consider svnserve... Not mentioned in the page about
> replication either.

There are four access methods to a Subversion repository.  file://
won't work for your case, because the developers aren't all on the
same machine.  svn+ssh:// (tunneled svnserve) is what you're using
now.  It's also possible to set up subversion to go through http:// or
https:// (which involves configuring Apache appropriately) or to use
the custom svn:// protocol, which involves running an svnserve process
as daemon on your repository server.  Documentation about the
specifics of all of these is in the svn book.

Since you already have significant infrastructure set up, an access
method switch might not be the best idea - each user would have to run
svn switch --relocate whatever://repo.server/new/path in all their
working copies.

-- Josh

>
> Still puzzled...
> Marc
>
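An added example (not from the thread, and not the svn book's text) of the authorized_keys restriction Joshua describes: a POSIX sh script that builds the forced-command entry for the mirror key and checks that an entry actually carries the restrictions. The key material is a constructed placeholder, and the tunnel user name svnsync is assumed.

```shell
#!/bin/sh
# Added example: restrict the shared mirror key to "svnserve -t" via a
# forced command in authorized_keys, then verify such an entry.
# The key below is a constructed placeholder, not a real public key.

PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_NOT_A_REAL_KEY mirror@repo'

# mirror_key_line PUBKEY TUNNEL_USER
# Prints an authorized_keys line with a forced svnserve command and the
# forwarding/pty restrictions. --tunnel-user makes svnserve record the
# commit author as TUNNEL_USER regardless of which Unix account owns the key.
mirror_key_line() {
    printf 'command="svnserve -t --tunnel-user=%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$2" "$1"
}

# check_key_line LINE
# Returns 0 only if LINE has a forced "svnserve -t" command and all four
# restriction options; returns 1 for a bare or partially restricted key.
check_key_line() {
    line=$1
    case $line in
        *'command="svnserve -t'*) ;;
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
        case $line in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demonstration: the generated entry passes, the bare key does not.
RESTRICTED=$(mirror_key_line "$PUBKEY" svnsync)
echo "$RESTRICTED"
if check_key_line "$RESTRICTED"; then echo "restricted entry OK"; fi
if check_key_line "$PUBKEY"; then
    echo "bare key accepted (unexpected)"
else
    echo "bare key rejected: no forced command"
fi
```

Append the printed line to the mirror account's ~/.ssh/authorized_keys; the bare key (without command=) would let the holder open a full shell on that account.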

Re: Running svnsync from post-commit hook

Posted by Marc Girod <mg...@iona.com>.
Hello Joshua,

Thanks for your suggestion...

"Joshua Oreman" <or...@gmail.com> writes:

> Have you tried this?
> $ svnsync synchronize svn+ssh://vobadm@stengers/x1/svnroot/foo

> You'll need to give each committer non-passworded (publickey) access
> from the main repository machine to vobadm@stengers, which may or
> may not suit the trust level you have in your committers.

There's the trust level issue--no, indeed, I cannot give such an
access to everybody, and it doesn't only depend on me-- but I thought
even more of the manageability issue: there are many committers, over
different continents, with whom synchronization is not easy.

Now, your setup suggestion may alleviate that...

> If you do trust them with that, the easiest way is probably to make
> a wholly new keypair, and store it in the repository somewhere:

> $ ssh-keygen -t rsa -f /your/repository/conf/id_rsa.mirror
> Add /your/repository/conf/id_rsa.mirror.pub to
> stengers:/home/vobadm/.ssh/authorized_keys, and add the following to
> each committer's ~/.subversion/config:
> 
> [tunnels]
> sync = ssh -i /your/repository/conf/id_rsa.mirror
> 
> Then use 'svn+sync://vobadm@stengers' instead of 'svn+ssh://vobadm@stengers'.

Very interesting.

> But a better solution might be to switch to using svnserve or Apache.

Sorry?
We are supporting http as well as ssh, with an apache server.

How can this help us?
Idem, I didn't consider svnserve... Not mentioned in the page about
replication either.

Still puzzled...
Marc


Re: Running svnsync from post-commit hook

Posted by Joshua Oreman <or...@gmail.com>.
[forgot to cc: the list...]

On 27 Aug 2007 11:41:33 +0100, Marc Girod <mg...@iona.com> wrote:
> Hello,
>
> [ . . . ]
> In particular, I try to invoke 'svnsync synchronize' in the
> post-commit (and post-revprop-change) hook(s), and get into access
> right issues:
>
> - the hooks are run under the account of the committer: good for
>   sending mail, but bad for running svnsync synchronize...
> - I understand (now) that this is the reason for the '--username'
>   option.
> - However, I'd like to avoid having to give the '--password' one
> - In any case, with or without these options, I get the following
>   error:
>
> $ svnsync synchronize svn+ssh://stengers/x1/svnroot/foo --username vobadm
> svnsync: 'pre-revprop-change' hook failed with error output:
> Only the vobadm user may change revision properties
>
> Note however that this works:
>
> $ sudo -u vobadm svnsync synchronize svn+ssh://stengers/x1/svnroot/foo
> Committed revision 13.
> Copied properties for revision 13.
>
> I have tried to 'chown vobadm' and to 'chmod u+s' the svnsync binary,
> but without success.
>
> Can somebody point me to what I am doing wrong?

Have you tried this?
$ svnsync synchronize svn+ssh://vobadm@stengers/x1/svnroot/foo

You'll need to give each committer non-passworded (publickey) access
from the main repository machine to vobadm@stengers, which may or may
not suit the trust level you have in your committers.  If you do trust
them with that, the easiest way is probably to make a wholly new
keypair, and store it in the repository somewhere:
$ ssh-keygen -t rsa -f /your/repository/conf/id_rsa.mirror
Add /your/repository/conf/id_rsa.mirror.pub to
stengers:/home/vobadm/.ssh/authorized_keys, and add the following to
each committer's ~/.subversion/config:

[tunnels]
sync = ssh -i /your/repository/conf/id_rsa.mirror

Then use 'svn+sync://vobadm@stengers' instead of 'svn+ssh://vobadm@stengers'.

But a better solution might be to switch to using svnserve or Apache.

HTH

-- Josh

> Thanks,
> Marc
>