In Setting up a Development Project Gate, I showed you the steps I took to setup a shared development gate. The only thing I left out was the automatic push to a Mercurial repository on OpenSolaris. I'll take you through these steps now.
By the way, thanks to Dave Marker for sharing how ONNV does this and writing some Python tools to automate the majority of the push.
Get a repository
First you need to get a project leader for your project to create a workspace for you on hg.opensolaris.org. They can do this by logging to OpenSolaris and going to the project page.
Then they select 'SCM Management'. Next 'Add Repository' and remember to click the Mercurial radio button on the next screen. The page is pretty explanatory and the only thing to remember is that it might spew up
a message about the project already existing. It also seems to take 5-10 minutes for the project space to show up.
Which if you know about it is okay. You can take this time to configure who has commit rights.
(You'll need one account for sure, more on that later.)
As evidenced in Setting up a NFS41 gate, I had a hard time figuring out where the gate was located. It can be reached as:
hg clone ssh://firstname.lastname@example.org/hg/<PROJECT>/<GATE-NAME>
Note you need to configure anonymous access on the repository page for this to work. I'm not sure,
but I believe this also implies anyone can write back to the gate. Tie this in with a lack of tools to
maintain the gate out there (including deletion) and you can see this might be a problem.
Configure a SSH public key
This part is the scary part - scary in that you have to decide if you want automatic pushes or
If you want manual pushes, then you need to make sure you have a SSH public key setup
as described in opensolaris.org SSH key help. Then whenever you want to push a change, you would do:
hg push -R <your gate> -e "ssh -q -F ssh://<YOUR OSOL USERNAME>@hg.opensolaris.org/hg/<PROJECT>/<GATE-NAME>"
You don't have to read much more of the rest of this entry, except perhaps to make sure your proxy host is correct.
If you want automatic pushes, then you need to configure a special key pair without a passphrase. Note that this is a risk you need to manage yourself. It needs to be blank because you don't want to even store the passphrase anywhere. I've done this type of thing in the past for production systems and the trick is that you want to lock down the box you have stored the private version of the key
Follow the directions as described in opensolaris.org SSH key help to publish this key. Note that no-one will know that this passphrase is empty for this key. They still need the private copy of the key. We have to make sure that is locked down tight!
- Use a system with a non-standard root password.
- Strictly control admin access to the system
- Don't hand out the root password.
- Don't make sudo too permissive.
- Pick a non-global account to store the data in.
- Make sure the permissions are 700 on the directory where the key is stored.
- If you share that homedir, make sure to read The myth of security with AUTH_SYS, which means:
- Do not accept the default access list ooptions.
- Set root= or use anon=-1.
- Set the rw= and/or ro= hosts appropriately.
- Strongly consider kerberizing the share.
There is probably more you can do, so the first thing is to accept responsibility for this setup.
Okay, having scared you, it is now time to configure this special ssh configuration:
[nfs4hg@aus1500-home ~/tmp]> mkdir opensolaris
[nfs4hg@aus1500-home ~/tmp]> chmod 700 opensolaris/
[nfs4hg@aus1500-home ~/tmp]> cp ~/opensolaris/\* .
[nfs4hg@aus1500-home ~/tmp]> more config
ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h 188.8.131.52 %h %p
User <YOUR OSOL USERNAME>
You'll have to figure out whether or not you need the proxy configuration or not. And you will
need to fix-up the paths for the GlobalKnownHostsFile and IdentityFile.
Also note that I've got this account already setup with a ~/.ssh directory to allow
integrations to the gate. It doen't have DS keys, but I like to keep these apart. And note that id_dsa and id_dsa.txt are the keypair that you generated with the empty passphrase.
In the copy of hook/updateoso.py I got from ssh://email@example.com/hg/scm-migration/onnv-gk-tools, I had the following minor diffs:
[nfs4hg@aus1500-home ~]> diff /pool/onnv-gk-tools/hook/updateoso.py onnv-gk-tools/hook/updateoso.py
< OSOREPO = "ssh://hg.opensolaris.org/hg/nfsv41/nfs41-gate"
> OSOREPO = "ssh://hg.opensolaris.org/hg/onnv/onnv-gate"
< This script must be run as user "nfs4hg".
> This script must be run as user "onhg".
< home = pwd.getpwnam("nfs4hg")
> home = pwd.getpwnam("onhg")
< if utility.check_user("nfs4hg", m) is False:
> if utility.check_user("onhg", m) is False:
< m.write('''Can't update OpenSolaris. User != "nfs4hg"\\n''')
> m.write('''Can't update OpenSolaris. User != "onhg"\\n''')
Note that I grabbed this script right after Dave Marker put it back, so I got a cutting
edge version of it. I know he is about to change it such that the user and osol path
are configurable variables outside of this file. I.e., you would make changes in a project
specific configuration file.
Anyway, once those changes are made, go a head and make sure this line is enabled in
your official clone's hgrc:
# These hooks are run from bghook() in the background
bg-changegroup.0 = python:hook.updateoso.updateoso
I'm assuming you have modeled your development gate ala onnv (and as I described in Setting up a Development Project Gate). If you haven't, then I think all you need to do is add this as the last bg.changeroup
entry in your gate's hgrc.
And now you are good to go!
You might want to do the manual push I described above to seed the gate.