Posted to users@subversion.apache.org by Nathaniel Irons <nd...@bumppo.net> on 2006/09/21 21:20:55 UTC

svnserve and launchd in OS X

We're moving away from SSH tunnels for svnserve, because we're adding
svn users who don't have SSH access to the server. I thought using
svnserve's own authentication would be superior to managing SSH keys
and a dedicated subversion user. We also appreciate having check-ins
tagged with a user name, which I don't think is possible with a
single-SSH-user scheme.

However, I'm having trouble launching svnserve 1.4.0 under Mac OS X
Server 10.4. When I run svnserve manually with the subversion user and
the --daemon argument, it runs fine. When I load my svn launchd plist to
bring it up in inetd mode, svn clients issuing commands to the server
hang indefinitely. Here's what I see in the process list when that
happens:

$ ps waxu | grep svnserve
subversi 11211   0.0  0.1    32564    992  ??  S    12:40PM   0:00.01 /usr/local/bin/svnserve --inetd
subversi 12394   0.0  0.0    27252    492  ??  Ss    1:24PM   0:00.01 /usr/libexec/launchproxy /usr/local/bin/svnserve --inetd

I'm reasonably comfortable with launchd, but I'm not sure how to
troubleshoot an inetd service, and launchd doesn't like to handle things
that call daemonize, as svnserve does with its --daemon argument.

I found Jim Correia's example svn.plist for launchd in the archives from
last year, and it produces behavior identical to what I'm seeing with my
version.

I've run my plist through Launchd Editor, which didn't complain about
the syntax. I'll include the current version, and any suggestions
would be appreciated.

Thanks,

  -nat

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>svn</string>
	<key>SessionCreate</key>
	<true/>
	<key>Program</key>
	<string>/usr/local/bin/svnserve</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/bin/svnserve</string>
		<string>--inetd</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SockFamily</key>
			<string>IPv4</string>
			<key>SockServiceName</key>
			<string>svn</string>
		</dict>
	</dict>
	<key>StandardErrorPath</key>
	<string>/var/tmp/launchd-err</string>
	<key>StandardOutPath</key>
	<string>/var/tmp/launchd-out</string>
	<key>UserName</key>
	<string>subversion</string>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<false/>
	</dict>
</dict>
</plist>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: svnserve and launchd in OS X

Posted by Nathaniel Irons <nd...@bumppo.net>.
On Fri, Sep 22, 2006 at 09:11:34AM +0200, Alan Barrett wrote:
> On Thu, 21 Sep 2006, Nathaniel Irons wrote:

> > We're moving away from SSH tunnels for svnserve, because we're adding
> > svn users who don't have SSH access to the server. I thought using
> > svnserve's own authentication would be superior to managing SSH keys
> > and a dedicated subversion user.
> 
> I would make the opposite decision.

Thanks. I'd somehow glossed over --tunnel-user. Paired with something
to manage ssh-agent for desktop users, this approach works quite well.

I'm still curious about why launchd fails in this particular
configuration, but I can leave that for another day.

  -nat


Re: svnserve and launchd in OS X

Posted by Alan Barrett <ap...@cequrux.com>.
On Thu, 21 Sep 2006, Nathaniel Irons wrote:
> We're moving away from SSH tunnels for svnserve, because we're adding
> svn users who don't have SSH access to the server. I thought using
> svnserve's own authentication would be superior to managing SSH keys
> and a dedicated subversion user.

I would make the opposite decision.

> We also appreciate having check-ins tagged with a user name, which I
> don't think is possible with a single-SSH-user scheme.

It's easy, but for some reason this doesn't seem to be well known.
Just add --tunnel-user=USERNAME to the arguments that sshd passes to
svnserve, as defined in the "command=" part of the line in the dedicated
subversion user's .ssh/authorized_keys file.

Assuming you use openssh on unix, or something with a similar
configuration file:

  1. Create a dedicated user to own the repository or multiple
     repositories.  For example, user "svn", group "svn", home directory
     /home/svn.

  2. In the user's home directory, create a directory to contain
     the repositories.  For example, {mkdir /home/svn/repos}.  Each
     repository will be contained in a subdirectory of this directory.

  3. Create a repository using svnadmin.  For example, {svnadmin create
     /home/svn/repos/reponame}.

  4. Create a .ssh directory, for example {mkdir /home/svn/.ssh}.

  5. In the .ssh directory, create an authorized_keys file.  In the
     file, put one line per authorised user.  Each line will contain an
     ssh public key, preceded by several additional parameters.  The
     line will end up looking like this (broken onto several lines for
     readability here, but in reality it must be all on one very
     long line):

     command="/path/to/svnserve -t --tunnel-user=EXAMPLEUSER -r
     /home/svn/repos",no-port-forwarding,no-agent-forwarding,no-pty
     ssh-dss AAAABBBBexamplesshkeyEXAMPLESSHKEY== examplecomment

  6. The authorised users should now be able to access the repository
     using URLs like "svn+ssh://svn@server.example.org/reponame".
     However, a bug in the subversion client or libraries sometimes
     causes the "@" in the URL to get misinterpreted as marking a
     peg revision instead of marking a user name.  If that happens,
     then configure the ssh client so that you can use URLs like
     "svn+ssh://example-org-svn/reponame".  If you use the openssh
     client, add an entry like this to $HOME/.ssh/config for each user:

	Host example-org-svn
	  Hostname server.example.org
	  User svn

--apb (Alan Barrett)
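A shell rendering of steps 1 to 6 above, added here as an example and not part of Alan's post or of Subversion itself. It generates the forced-command authorized_keys entries with --tunnel-user and the no-port-forwarding/no-agent-forwarding/no-pty restrictions, and audits an existing authorized_keys file for any key that lacks them (such a key would give its holder a plain shell as the repository owner). The svnserve path /usr/local/bin/svnserve is taken from the first post; the repository root /home/svn/repos follows the steps above; the user names alice and bob and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate and audit the forced-command
# authorized_keys entries that make svn+ssh record commits under a real user.
# Assumptions: svnserve is at /usr/local/bin/svnserve, repositories live under
# /home/svn/repos, and the keys used below are constructed placeholders.

SVNSERVE=/usr/local/bin/svnserve   # assumed path to the svnserve binary
REPOS_ROOT=/home/svn/repos         # parent directory of the repositories

# authorized_keys_line USERNAME "KEYTYPE BASE64 COMMENT"
# Prints one authorized_keys line: sshd runs svnserve in tunnel mode (-t),
# svnserve records commits as USERNAME, and the client gets no port
# forwarding, agent forwarding, X11 forwarding or PTY whatever it requests.
authorized_keys_line() {
    user=$1
    key=$2
    # The user name is spliced into a double-quoted command= string, so reject
    # anything outside a conservative character set before it can close it.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*)
            echo "authorized_keys_line: refusing user name '$user'" >&2
            return 1 ;;
    esac
    printf 'command="%s -t --tunnel-user=%s -r %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$SVNSERVE" "$user" "$REPOS_ROOT" "$key"
}

# check_authorized_keys FILE
# Every key line in FILE must carry the forced svnserve command with a
# non-empty --tunnel-user plus the restrictions. Blank lines and comments are
# skipped. Returns 1 if any line fails, naming it on stderr.
check_authorized_keys() {
    file=$1
    n=0
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
            *'command="'"$SVNSERVE"' -t --tunnel-user='?*' -r '*'",'*no-port-forwarding*no-agent-forwarding*no-pty*) ;;
            *)
                echo "$file:$n: key without forced svnserve command or restrictions" >&2
                status=1 ;;
        esac
    done < "$file"
    return $status
}

# demo: write a constructed authorized_keys for two users, print it, audit it.
demo() {
    tmp=$(mktemp) || return 1
    authorized_keys_line alice 'ssh-ed25519 AAAAexamplekeyALICE alice@example.org' > "$tmp" &&
    authorized_keys_line bob   'ssh-ed25519 AAAAexamplekeyBOB bob@example.org'   >> "$tmp" &&
    cat "$tmp" &&
    check_authorized_keys "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1-}" in demo) demo ;; esac
```

Run it as `sh svn-keys.sh demo` to see the two generated lines pass the audit. The audit function is the part worth keeping: the authorized_keys file is the whole access-control list in this scheme, because svnserve trusts whatever --tunnel-user sshd hands it, so run check_authorized_keys against /home/svn/.ssh/authorized_keys whenever a key is added and refuse any line that was pasted in without the command= prefix.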


Re: svnserve and launchd in OS X

Posted by Alan Barrett <ap...@cequrux.com>.
On Thu, 21 Sep 2006, Nathaniel Irons wrote:
> I'm reasonably comfortable with launchd, but I'm not sure how to
> troubleshoot an inetd service, and launchd doesn't like to handle
> things that call daemonize, as svnserve does with its --daemon
> argument.

I know nothing about launchd, but if it is like inetd (listens for
incoming network connections and launches one process for each
connection), then you probably want svnserve --inetd, not --daemon.

--apb (Alan Barrett)
