The MINOS Software Repository
The MINOS code lives in a CVS repository on minoscvs.fnal.gov. There are two ways to access the code:
Instructions (based on these) for setting up ssh and cvs follow.
Setting Up SSH
Setting Up CVS
Read Only vs. Read Write access
Notification of Updates
Code Sharing
For Developers
Create a Module
Trouble Shooting
Common Failure Modes
prompt> which ssh
/usr/bin/ssh
prompt> ssh -V
OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
prompt> which ssh-agent
/usr/bin/ssh-agent
prompt> which ssh-add
/usr/bin/ssh-add

If your version of SSH does not support SSH protocol 2.0 it will not work. (Note: SSH v1 has major known security problems which may not have been patched in your version. If you are running v1, you should upgrade to the latest OpenSSH for your own sake.)
If you can't find ssh, ssh-agent, and ssh-add, bug your system administrator. The instructions that follow have been tested for OpenSSH supporting v2 of the protocol.
The following discussion of ssh key pairs and agents is irrelevant if you have a Kerberos ticket. Just remember to kinit. If you can ssh to the Minos Cluster, you can access CVS. Your Kerberos principal does need to be registered with the server. Send mail to kreymer@fnal.gov if your kerberized access fails.
We are considering dropping support for ssh-key access to CVS, perhaps by the end of 2008, for security reasons, and for ease of management.
prompt> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bviren/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bviren/.ssh/id_rsa.
Your public key has been saved in /home/bviren/.ssh/id_rsa.pub.
The key fingerprint is:
f2:b5:27:f4:ea:cb:48:00:29:1a:72:00:b2:60:89:21 bviren@minos
It is best to pick a long pass phrase that is easy to remember and type, for example a sentence. Do not use a blank pass phrase, nor your regular account password.
The result is a private and a public key file placed in $HOME/.ssh/. The file names will be based on what type of key you specified. To access the MINOS repository you must use an SSH2 key type ("-t rsa" or "-t dsa").
-t flag   Private key file   Public key file   Protocol, Type
rsa1      identity           identity.pub      SSH1, RSA
rsa       id_rsa             id_rsa.pub        SSH2, RSA
dsa       id_dsa             id_dsa.pub        SSH2, DSA
(Note: you currently need an SSH1 key as well as an SSH2 key. This is due to a feature limitation on the server side and may eventually be fixed. In the meantime, besides generating one or more SSH2 keys as above, you should generate an SSH1 key via:
prompt> ssh-keygen -t rsa1
...
That is, generate a key of type "rsa1" instead of just "rsa". The default file name is ~/.ssh/identity.
Although both SSH1 and SSH2 keys must be forwarded via the ssh-agent (see below), the actual connection is via the SSH2 protocol.)
# For tcsh this goes in $HOME/.login
if ( ! $?SSH_AUTH_SOCK ) then
    eval `ssh-agent -c`
    ssh-add
endif

# For bash this goes in $HOME/.bash_profile (or similar)
# $HOME/.profile
if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval `ssh-agent -s`
    ssh-add
fi

This will start the ssh-agent.
To kill the ssh-agent when you're done, put this in your shell's logout file ($HOME/.logout for tcsh, $HOME/.bash_logout for bash):
ssh-agent -k
#!/bin/sh
# (can use /bin/sh even if your interactive shell is tcsh)

# Start the SSH agent which can hold your keys in memory
eval `ssh-agent -s`

# Call ssh-add to add some keys. Redirecting /dev/null should trigger
# the use of a graphical password asker (ssh-askpass). See the man
# page for ssh-add for more details. Instead of putting this here,
# you can instead add this in your Desktop (eg, GNOME/KDE) session
# startup area.
ssh-add < /dev/null

# Here add any other X initialization, like starting some X clients
# or window manager or desktop. The below is an example for GNOME.
gnome-session

# when reaching here, the desktop/windowmanager has shutdown, so kill
# off the agent. Doing the "eval" clears out the environment
# variables created when the agent was first started.
eval `ssh-agent -k`
Try to transmit the public key in a way that does not line-wrap, as it must be a single (very long) line wherever it is installed.
prompt> which cvs
/usr/bin/cvs

# For csh and derivatives
setenv CVS_RSH ssh
setenv CVSROOT minoscvs@minoscvs.fnal.gov:/cvs/minoscvs/rep1

# For sh and derivatives
CVS_RSH=ssh
CVSROOT=minoscvs@minoscvs.fnal.gov:/cvs/minoscvs/rep1
export CVS_RSH CVSROOT

See this section for more info on how to access the repository.
Note you should not set the CVS_SERVER environment variable. Commands sent to the minoscvs account must match a strict pattern to be accepted and the value of this variable may result in commands being rejected.
prompt> cvs get CVSROOT

On the off chance you want to get the entire OO repository (with no SRT mechanism in place) you can do:
prompt> cvs get minossoft

That should be it. If you have problems, please see the "Trouble Shooting" section at the end of this note.
:pserver:anonymous@minoscvs.fnal.gov:/cvs/minoscvs/rep1
minoscvs@minoscvs.fnal.gov:/cvs/minoscvs/rep1
To change the CVS root of existing checked out code use SRT's cvsmigrate command. Its usage is shown via:
prompt> cvsmigrate --help

For example, to change from read-only to read/write, cd to the base directory and type:
prompt> cvsmigrate -o :pserver:anonymous@minoscvs.fnal.gov:/cvs/minoscvs/rep1 \
                   -d :ext:minoscvs@minoscvs.fnal.gov:/cvs/minoscvs/rep1
One should also be aware that when an SRT "test" release is created or when packages are added it inherits the access method of the associated base release.
ssh-add -l|grep RSA1|awk -- '{print $3}'
The core group member should follow these steps:
prompt> mkdir /path/to/some/place/PackageName
prompt> cd /path/to/some/place/PackageName
prompt> touch .cvsignore
prompt> cvs import minossoft/<PackageName> <vendor tag> <release tag>

Notes:
YourPackageName minossoft/YourPackageName

Although not necessary for operation, please try to preserve the ordering and sectioning.

#
# List other writers here
#
"minossoft/BField", "costas",
"minossoft/BubbleSpeak", "psm",
"minossoft/DeMux", "brebel mufson",

The format is "minossoft/Package" and "user1 user2 ... ". The user names are as listed in the .ssh/authorized_keys (see above). Note: a common error is to forget the delimiting commas. If this happens, no one can commit until someone logs into the server and first fixes it by hand, then commits the fixed version (it is regenerated upon each commit).
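A check for the missing-comma error described above that can be run on the list before committing it. This is an added example, not the repository's own script; it assumes one entry per line in the form shown in the excerpt, with a trailing comma on every entry, and the function name, the allowed name characters and the sample text are constructed for illustration.

```shell
#!/bin/sh
# lint_writers: read a writers list on stdin and report malformed entries.
# Assumed entry form (taken from the excerpt above), one per line:
#   "minossoft/Package", "user1 user2 ...",
# Blank lines and '#' comment lines are ignored.
# Prints "line N: text" for each bad entry; returns 1 if any were found.
lint_writers() {
    awk '
        /^[ \t]*(#.*)?$/ { next }    # blank line or comment
        /^[ \t]*"minossoft\/[A-Za-z0-9_]+",[ \t]*"[A-Za-z0-9_]+( [A-Za-z0-9_]+)*",[ \t]*$/ { next }
        { printf "line %d: %s\n", NR, $0; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed samples: the first matches the excerpt, the second drops
# the comma after "minossoft/BubbleSpeak".
GOOD_SAMPLE='#
# List other writers here
#
"minossoft/BField", "costas",
"minossoft/BubbleSpeak", "psm",
"minossoft/DeMux", "brebel mufson",'

BAD_SAMPLE='"minossoft/BField", "costas",
"minossoft/BubbleSpeak" "psm",
"minossoft/DeMux", "brebel mufson",'

# Demo: the bad sample is reported and the commit should be held back.
printf '%s\n' "$BAD_SAMPLE" | lint_writers || echo "fix the list before committing"
```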
ssh -h
setenv CVS_SSH 'ssh -A'

Another would be to specify whether to use forwarding on a per host basis in your .ssh/config file:
Host minoscvs.fnal.gov
    ForwardAgent yes
cvs server: Up-to-date check failed for `the-file'
cvs [server aborted]: correct above errors first!

This means that sometime after you checked out the file in question ("the-file"), someone else committed a change, so the file in your directory diverges from the one in the repository.
To correct this do the following:
cvs update the-file

You will see something like:
X the-file

Where "X" is one of:
<<<<<<< the-file
// your modified code is here
=======
// the modified code which is at the same lines in the repository
// will show up here.
>>>>>>> 1.7

Now, you must go in by hand and resolve this conflict. Typically this means just choosing either your code or the code in the repository and deleting the other (as well as the delimiting lines).
After this hand-done merge, you should be able to do another cvs update and see the Modified tag.
If you don't initially see the Conflict tag, then just commit your changes.
bviren@minos:bviren> env|grep SSH
SSH_AGENT_PID=16463
SSH_AUTH_SOCK=/tmp/ssh-nouUS16462/agent.16462
bviren@minos:bviren> ps auxww|grep $SSH_AGENT_PID
bviren 16463 0.0 0.0 2976 924 ? S Dec01 0:00 ssh-agent -s

bviren@minos:bviren> ssh-add -l
1024 b6:e0:60:38:f8:fa:39:ed:b4:a4:eb:b3:15:d7:ad:4d bv@bnl.gov (RSA1)
1024 44:2c:94:c9:33:5d:af:97:50:f7:b4:a5:cf:08:6b:dd /home/bviren/.ssh/id_rsa (RSA)
1024 6c:6a:ef:51:c4:bf:e1:cd:17:b7:51:89:4b:c0:7b:2f /home/bviren/.ssh/id_dsa (DSA)

You must have an RSA or a DSA (or both) key in order to connect to the server and an RSA1 key so the CVS script (check_access) can identify you.
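The two key requirements stated above can be checked mechanically from `ssh-add -l` output. This is an added example, not part of the MINOS tooling; it assumes the listing format shown on this page (key type in parentheses as the last field), and the function name and the second sample are constructed for illustration.

```shell
#!/bin/sh
# check_agent_keys: read `ssh-add -l` output on stdin and verify that the
# agent holds at least one RSA or DSA (SSH2) key to connect with, and an
# RSA1 key so check_access can identify the user.
# Prints one line per finding; returns 0 only if both conditions hold.
check_agent_keys() {
    awk '
        $NF == "(RSA1)"                  { id = $3 }   # third field names the user
        $NF == "(RSA)" || $NF == "(DSA)" { ssh2++ }
        END {
            if (ssh2) print "ok: " ssh2 " SSH2 key(s) loaded"
            else      print "missing: no RSA or DSA key, cannot connect"
            if (id != "") print "ok: RSA1 identity " id
            else          print "missing: no RSA1 key, check_access cannot identify you"
            ok = (ssh2 > 0 && id != "")
            exit (ok ? 0 : 1)
        }
    '
}

# Listing copied from the ssh-add -l output shown above.
PAGE_SAMPLE='1024 b6:e0:60:38:f8:fa:39:ed:b4:a4:eb:b3:15:d7:ad:4d bv@bnl.gov (RSA1)
1024 44:2c:94:c9:33:5d:af:97:50:f7:b4:a5:cf:08:6b:dd /home/bviren/.ssh/id_rsa (RSA)
1024 6c:6a:ef:51:c4:bf:e1:cd:17:b7:51:89:4b:c0:7b:2f /home/bviren/.ssh/id_dsa (DSA)'

# Constructed sample: the same listing with the RSA1 key not loaded.
NO_RSA1_SAMPLE='1024 44:2c:94:c9:33:5d:af:97:50:f7:b4:a5:cf:08:6b:dd /home/bviren/.ssh/id_rsa (RSA)
1024 6c:6a:ef:51:c4:bf:e1:cd:17:b7:51:89:4b:c0:7b:2f /home/bviren/.ssh/id_dsa (DSA)'

# Demo on the page's listing; in practice run: ssh-add -l | check_agent_keys
printf '%s\n' "$PAGE_SAMPLE" | check_agent_keys
```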
Host minoscvs.fnal.gov
    ForwardAgent yes