Simplest Enterprise Continuous Integration Solutions

Saturday, May 26, 2012

Enterprise Linux: Subversion Edge + SSH + NIS

Steps to configure access control on svn repositories for specific *NIX groups

# existing Subversion Edge + SSH repositories

[root@linux64-svn-server ~]# ls -al /opt/csvn/data/repositories
total 28
drwxr-xr-x  7 csvn csvn  4096 Mar  5 20:17 .
drwxr-xr-x 10 csvn csvn  4096 Jul  3 23:15 ..
drwxr-xr-x  7 csvn root  4096 Feb  7 11:57 demo
drwxr-xr-x  6 csvn root  4096 Feb  7 11:56 demo1

# csvn doesn't exist on NIS server

[root@linux64-svn-server  ~]# ypcat group | grep csvn
[root@linux64-svn-server  ~]# grep csvn /etc/group
csvn:x:502:

# existing local groups: svn_demo, svn_demo2

[root@linux64-svn-server  ~]# ypcat group | grep svn_demo
[root@linux64-svn-server  ~]# grep svn_demo /etc/group
svn_demo:x:503:
svn_demo1:x:504:

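# NIS accounts: svn_ssh_nis_user and svn_ssh_nis_user1 exist in NIS only, not in the local /etc/passwd. Note that ypcat passwd also prints each account's password hash (MD5-crypt, $1$...), so the hashes are readable from any client bound to this NIS domain.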

[root@linux64-svn-server  ~]# ypcat passwd | grep svn_ssh_nis_user
svn_ssh_nis_user:$1$s6AfoGFg$oQCXLIE.C3SOUaGIo10hg1:505:505::/home/svn_ssh_nis_user:/bin/bash
svn_ssh_nis_user1:$1$d3SzDKH9$.ISbgoVz33FFMTcyGu2931:506:506::/home/svn_ssh_nis_user1:/bin/bash
[root@linux64-svn-server  ~]# grep svn_ssh_nis_user /etc/passwd

# enable supplementary groups

[root@linux64-svn-server  ~]# usermod -a -G svn_demo svn_ssh_nis_user
[root@linux64-svn-server  ~]# usermod -a -G svn_demo1 svn_ssh_nis_user1
[root@linux64-svn-server  ~]# id svn_ssh_nis_user
uid=505(svn_ssh_nis_user) gid=505(svn_ssh_nis_user) groups=505(svn_ssh_nis_user),503(svn_demo)
[root@linux64-svn-server  ~]# id svn_ssh_nis_user1
uid=505(svn_ssh_nis_user1) gid=505(svn_ssh_nis_user1) groups=505(svn_ssh_nis_user1),504(svn_demo1)

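# enable Subversion Edge + SSH + NIS repositories: make each repository group-writable and hand it to its group
# (only demo is chmod-ed in the commands below, although the listing that follows shows demo1 as drwxrwxr-x too; demo1 needs the same chmod. chmod -R 775 also sets the execute bit on every regular file; chmod -R g+rwX gives the group write access without that.)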

[root@linux64-svn-server ~]# chmod -R 775 /opt/csvn/data/repositories/demo
[root@linux64-svn-server ~]# chown -R :svn_demo /opt/csvn/data/repositories/demo
[root@linux64-svn-server ~]# chown -R :svn_demo1 /opt/csvn/data/repositories/demo1
[root@linux64-svn-server ~]# ls -al /opt/csvn/data/repositories
total 28
drwxr-xr-x  7 csvn csvn      4096 Mar  5 20:17 .
drwxr-xr-x 10 csvn csvn      4096 Jul  3 23:15 ..
drwxrwxr-x  7 csvn svn_demo  4096 Feb  7 11:57 demo
drwxrwxr-x  6 csvn svn_demo1 4096 Feb  7 11:56 demo1

# Access controls for Subversion Edge + SSH + NIS

1. csvn user (rwx) - Subversion Edge + HTTPS check in, check out
2. svn_demo (rwx) - Subversion Edge + SSH + NIS check in, check out for demo repository
3. svn_demo1 (rwx) - Subversion Edge + SSH + NIS check in, check out for demo1 repository
4. others (r-x) - Subversion Edge + SSH + NIS read-only for demo & demo1; this covers every other account that can log in to the server over SSH

# examples for Subversion Edge + SSH + NIS

# check out/check in demo repository

[svn_ssh_nis_user@linux64-svn-client ~]$ svn co svn+ssh://svn_ssh_nis_user@linux64-svn-server/demo/trunk
A    trunk/foo.sh
Checked out revision 7.
[svn_ssh_nis_user@linux64-svn-client ~]$ cd trunk
[svn_ssh_nis_user@linux64-svn-client trunk]$ vi foo.c
[svn_ssh_nis_user@linux64-svn-client trunk]$ svn ci -m "added ..."
Sending        foo.c
Transmitting file data .
Committed revision 8.
[svn_ssh_nis_user@linux64-svn-client trunk]$ svn log -r 8
------------------------------------------------------------------------
r8 | svn_ssh_user | 2012-02-07 13:39:53 -0400 (Tue, 07 Feb 2012) | 1 line


added ...
------------------------------------------------------------------------

# check out/check in demo1 repository


[svn_ssh_nis_user@linux64-svn-client trunk]$ svn co svn+ssh://svn_ssh_user@linux64-svn-server/demo1/trunk
A    trunk/boo.java
Checked out revision 2.
[svn_ssh_nis_user@linux64-svn-client trunk]$ cd trunk/
[svn_ssh_nis_user@linux64-svn-client trunk]$ vi boo.java
[svn_ssh_nis_user@linux64-svn-client trunk]$ svn ci -m "modify readonly access demo1 repository ..."

Sending        boo.java
Transmitting file data .svn: E000013: Commit failed (details follow):
svn: E000013: Can't open file '/opt/csvn/data/repositories/demo1/db/txn-current-lock': Permission denied
[svn_ssh_nis_user@linux64-svn-client trunk]$ svn log -r 2
------------------------------------------------------------------------
r2 | admin | 2012-02-07 22:42:30 -0500 (Tue, 07 Feb 2012) | 1 line

initial commit
------------------------------------------------------------------------

Saturday, May 19, 2012

Puppet Deployment: Parameterized Classes



# Parameterized Classes on puppet master

[root@linux64-puppet-server ~]# puppet module list
/etc/puppet/modules
+- pptdeploy(???)

[root@linux64-puppet-server ~]# puppet config print confdir
/etc/puppet
[root@linux64-puppet-server ~]# find /etc/puppet/manifests/
/etc/puppet/manifests/
/etc/puppet/manifests/site.pp
[root@linux64-puppet-server ~]# find /etc/puppet/modules/
/etc/puppet/modules/
/etc/puppet/modules/pptdeploy
/etc/puppet/modules/pptdeploy/manifests
/etc/puppet/modules/pptdeploy/manifests/init.pp
/etc/puppet/modules/pptdeploy/manifests/install.pp
/etc/puppet/modules/pptdeploy/manifests/lockforinstall.pp
/etc/puppet/modules/pptdeploy/manifests/uninstall.pp
/etc/puppet/modules/pptdeploy/manifests/unlockforinstall.pp

# Define Puppet Parameterized Classes

cat /etc/puppet/modules/pptdeploy/manifests/init.pp

# Class: pptdeploy
#
# Empty base class of the pptdeploy module; the actual work is done by the
# pptdeploy::* classes defined in the other manifests of the module.
class pptdeploy {
}

cat /etc/puppet/modules/pptdeploy/manifests/install.pp

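# Class: pptdeploy::install
#
# Runs a vendor ".bin" installer in silent mode, prints the product's
# properties file, and finally creates a lock file. All three exec resources
# are guarded by `creates` on that lock file, so once it exists later agent
# runs skip the whole sequence.
#
# Parameters:
#   $pptdeploy_release           - release label; used in resource titles and in the lock-file name
#   $pptdeploy_install_dir       - directory that holds the installer sources
#   $pptdeploy_product_shortname - sub-directory below the install dir; also part of the lock-file name
#   $pptdeploy_product_name      - installer base name (<name>.bin) and properties-file base name
#   $pptdeploy_response_file     - response file handed to the installer via -DMY_RESPONSE_FILE
#
# NOTE(review): the installer binary is executed with the agent's privileges
# (the agent run shown on this page is started as root). Make sure the source
# directory is writable by trusted administrators only, and consider verifying
# the installer (checksum or signature) before it is run.
# NOTE(review): the parameters are interpolated into command strings without
# quoting; they are assumed to come from trusted manifests and to contain no
# whitespace or shell metacharacters - confirm for every caller.
class pptdeploy::install($pptdeploy_release, $pptdeploy_install_dir, $pptdeploy_product_shortname, $pptdeploy_product_name, $pptdeploy_response_file) {

  $source_dir    = "${pptdeploy_install_dir}/${pptdeploy_product_shortname}"
  $installer_bin = "${source_dir}/${pptdeploy_product_name}.bin"
  $lock_file     = "/etc/install_registry/${pptdeploy_release}_${pptdeploy_product_shortname}_installed"

  # Titles are kept in variables so that each `require` below refers to
  # exactly the title that is declared. The original verify step required
  # Exec["install pptdeploy ..."], a title that is never declared.
  $install_title = "install ${pptdeploy_release} ${pptdeploy_product_name} ..."
  $verify_title  = "<<< verify ${pptdeploy_release} ${pptdeploy_product_name} installation ..."

  # Default search path for every exec declared in this class.
  Exec { path => [ '/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/' ] }

  notify { ">>> Starting to install ${pptdeploy_release} ${pptdeploy_product_name} ...":
    before => File['installer'],
  }

  # Only the mode of the installer is managed; the file itself must already
  # be present at this path.
  file { 'installer':
    path => $installer_bin,
    mode => '0755',
  }

  # timeout => 0 disables the exec timeout, so a long-running installer is
  # not killed by the agent.
  exec { $install_title:
    command => "${installer_bin} -i silent -DMY_RESPONSE_FILE=${source_dir}/${pptdeploy_response_file}",
    timeout => 0,
    creates => $lock_file,
    require => File['installer'],
  }

  # Prints the properties file into the agent log; the exec fails, and the
  # lock below is not written, when the file cannot be read.
  exec { $verify_title:
    command   => "cat /etc/install_registry/${pptdeploy_product_name}.properties",
    logoutput => true,
    creates   => $lock_file,
    require   => Exec[$install_title],
  }

  # Written last, so the lock exists only after install and verify succeeded.
  exec { "Lock installation for ${pptdeploy_product_name} ...":
    command => "/bin/touch ${lock_file}",
    creates => $lock_file,
    require => Exec[$verify_title],
  }
}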

cat /etc/puppet/modules/pptdeploy/manifests/lockforinstall.pp

# Class: pptdeploy::lockforinstall
#
# Touches the lock file /etc/install_registry/<release>_<shortname>_installed,
# the same path that pptdeploy::install uses as its `creates` guard, so the
# product is treated as installed without running the installer.
#
# Only $pptdeploy_release, $pptdeploy_product_shortname and
# $pptdeploy_product_name are used; the remaining parameters are accepted so
# that all pptdeploy::* classes share one parameter list.
#
# The exec has no `creates` guard, so the touch is repeated on every agent run.
# NOTE(review): the exec title is identical to the lock step declared in
# pptdeploy::install; declaring both classes on one node would presumably
# collide - confirm before combining them.
class pptdeploy::lockforinstall($pptdeploy_release, $pptdeploy_install_dir, $pptdeploy_product_shortname, $pptdeploy_product_name, $pptdeploy_response_file) {

  $lock_file = "/etc/install_registry/${pptdeploy_release}_${pptdeploy_product_shortname}_installed"

  # Default search path for every exec declared in this class.
  Exec { path => [ '/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/' ] }

  exec { "Lock installation for ${pptdeploy_product_name} ...":
    command => "/bin/touch ${lock_file}",
  }
}

cat /etc/puppet/modules/pptdeploy/manifests/uninstall.pp

# Class: pptdeploy::uninstall
#
# Removes the product's lock file(s) and then runs the vendor uninstaller
# /opt/Uninstall_<product_name> in silent mode.
#
# Only $pptdeploy_product_shortname and $pptdeploy_product_name are used; the
# remaining parameters are accepted so that all pptdeploy::* classes share one
# parameter list.
#
# Neither exec carries a guard (creates/onlyif/unless), so both commands are
# attempted on every agent run in which this class is declared.
# NOTE(review): the '*' in the rm command is expanded only if the command is
# run through a shell; whether exec does that depends on the provider in use -
# confirm, or set `provider => shell` explicitly.
class pptdeploy::uninstall($pptdeploy_release, $pptdeploy_install_dir, $pptdeploy_product_shortname, $pptdeploy_product_name, $pptdeploy_response_file) {

  $unlock_title = "Unlock installation for ${pptdeploy_product_name} ..."

  # Default search path for every exec declared in this class.
  Exec { path => [ '/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/' ] }

  notify { ">>> Starting to uninstall ${pptdeploy_product_name} ...": }

  # Step 1: drop the lock for every release of this product short name.
  exec { $unlock_title:
    command => "rm -f /etc/install_registry/*_${pptdeploy_product_shortname}_installed",
    timeout => 0,
  }

  # Step 2: run the uninstaller; `require` orders it after the unlock step.
  # timeout => 0 disables the exec timeout.
  exec { "uninstall ${pptdeploy_product_name} ...":
    command => "/opt/Uninstall_${pptdeploy_product_name} -i silent -uninstall",
    timeout => 0,
    require => Exec[$unlock_title],
  }
}

cat /etc/puppet/modules/pptdeploy/manifests/unlockforinstall.pp

# Class: pptdeploy::unlockforinstall
#
# Deletes every /etc/install_registry/*_<shortname>_installed lock file, so
# that the `creates` guards in pptdeploy::install no longer skip the install.
#
# Only $pptdeploy_product_shortname and $pptdeploy_product_name are used; the
# remaining parameters are accepted so that all pptdeploy::* classes share one
# parameter list.
#
# NOTE(review): the '*' is expanded only if the command is run through a
# shell; whether exec does that depends on the provider in use - confirm, or
# set `provider => shell` explicitly.
class pptdeploy::unlockforinstall($pptdeploy_release, $pptdeploy_install_dir, $pptdeploy_product_shortname, $pptdeploy_product_name, $pptdeploy_response_file) {

  $lock_glob = "/etc/install_registry/*_${pptdeploy_product_shortname}_installed"

  # Default search path for every exec declared in this class.
  Exec { path => [ '/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/' ] }

  exec { "Unlock installation for ${pptdeploy_product_name} ...":
    command => "rm -f ${lock_glob}",
  }
}

# Global namespace - declare a Parameterized Class

cat /etc/puppet/manifests/site.pp
# Nodes that match no other definition receive an empty catalog.
node default {
}


################################################
# Top-scope values handed to the parameterized pptdeploy classes below.
$pptdeploy_release           = '3.0'
$pptdeploy_install_dir       = '/mnt/work/COTS_install_sources'
$pptdeploy_product_shortname = 'COTS'
$pptdeploy_product_name      = 'COTS-3.0'
$pptdeploy_response_file     = 'cots.response'


#-----------------------
# pptdeploy installation
#-----------------------
# NOTE(review): the node regex is not anchored, so any certname that merely
# contains a match is selected; anchoring it with ^ and $ would narrow the
# set of agents that get the installer - confirm against the naming scheme.
node /linux64-puppet.*\.domain\.com/ {
  class { 'pptdeploy::install':
    pptdeploy_release           => $pptdeploy_release,
    pptdeploy_install_dir       => $pptdeploy_install_dir,
    pptdeploy_product_shortname => $pptdeploy_product_shortname,
    pptdeploy_product_name      => $pptdeploy_product_name,
    pptdeploy_response_file     => $pptdeploy_response_file,
  }
}


#-----------------------
# pptdeploy uninstallation
#-----------------------
# Kept commented out: the same node regex cannot be defined twice, so this
# block replaces the installation block above when an uninstall is wanted.
# node /linux64-puppet.*\.domain\.com/ {
#   class { 'pptdeploy::uninstall':
#     pptdeploy_release           => '3.0',
#     pptdeploy_install_dir       => '/mnt/work/COTS_install_sources',
#     pptdeploy_product_shortname => 'COTS',
#     pptdeploy_product_name      => 'COTS-3.0',
#     pptdeploy_response_file     => 'cots.response',
#   }
# }
################################################

# deploy on puppet agent (--noop is a dry run: it reports what would change without applying it)

[root@linux64-puppet-agent ~]# puppet agent -t --noop
info: Caching catalog for linux64-puppet-agent
info: Applying configuration version '1340827332'
notice: >>> Starting to install 3.0 COTS-3.0 ...
notice: /Stage[main]/pptdeploy::install/Notify[>>> Starting to install  3.0 COTS-3.0 ...]/message: defined 'message' as '>>> Starting to install 3.0 COTS-3.0 ...'
notice: Finished catalog run in 0.08 seconds

Saturday, May 12, 2012

Enterprise Linux: Subversion Edge + SSH

Subversion Edge has no plans to ever support svnserve.
To make a CollabNet Subversion Edge installation work with svn+ssh, a compatible svnserve from http://www.open.collab.net/downloads/subversion (i.e.  CollabNetSubversion-server-1.7.5-1.x86_64.rpm) is required.

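# get a compatible svnserve from CollabNetSubversion-server-1.7.5-1.x86_64.rpm
# (the "NOKEY" warnings below mean rpm could not verify the package signature because the signing key is not imported; import the vendor's public key and check the packages with rpm -K before installing)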

[root@linux64-svn-server ~]# rpm -Uvh CollabNetSubversion-client-1.7.5-1.x86_64.rpm
warning: CollabNetSubversion-client-1.7.5-1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 35bcca43
Preparing...                ########################################### [100%]
   1:CollabNetSubversion-cli########################################### [100%]
[root@linux64-svn-server ~]# rpm -Uvh CollabNetSubversion-server-1.7.5-1.x86_64.rpm
warning: CollabNetSubversion-server-1.7.5-1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 35bcca43
Preparing...                ########################################### [100%]
   1:CollabNetSubversion-ser########################################### [100%]
[root@linux64-svn-server ~]# echo $PATH
/opt/csvn/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[root@linux64-svn-server ~]# mv /opt/CollabNet_Subversion/bin /opt/CollabNet_Subversion/bin_orig
[root@linux64-svn-server ~]# mkdir /opt/CollabNet_Subversion/bin
[root@linux64-svn-server ~]# cp /opt/CollabNet_Subversion/bin_orig/svnserve /opt/CollabNet_Subversion/bin/

# make sure the expected binaries are found on PATH

[root@linux64-svn-server ~]# which svn
/opt/csvn/bin/svn
[root@linux64-svn-server ~]# which svnadmin
/opt/csvn/bin/svnadmin
[root@linux64-svn-server ~]# which svnserve
/usr/bin/which: no svnserve in (/opt/csvn/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin) 

# create a wrapper for svnserve

[root@linux64-svn-server ~]# vi /opt/csvn/bin/svnserve
#!/bin/sh
# Wrapper that stands in for svnserve on PATH, so svn+ssh logins start the
# CollabNet binary with a fixed repository root.
#
# NOTE(review): -r only changes how repository URLs are mapped to paths.
# svn+ssh users run this as themselves over SSH, so write access is decided
# by the filesystem permissions on the repositories, not by this wrapper.

real_svnserve=/opt/CollabNet_Subversion/bin/svnserve
repo_root=/opt/csvn/data/repositories

# Files created during a commit must stay writable for the repository group.
umask 002

# Replace this shell with the real svnserve and pass every argument through.
exec "$real_svnserve" -r "$repo_root" "$@"
[root@linux64-svn-server ~]# ln -s /opt/csvn/bin/svnserve /usr/local/bin/svnserve
[root@linux64-svn-server ~]# chmod a+x /opt/csvn/bin/svnserve
[root@linux64-svn-server ~]# which svnserve
/opt/csvn/bin/svnserve

# add csvn group as supplementary group for svn_user

[root@linux64-svn-server ~]# useradd svn_user
[root@linux64-svn-server ~]# usermod -a -G csvn svn_user

# generate SSH public/private key pair

[root@linux64-svn-server ~]# su - svn_user
[svn_user@linux64-svn-server ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/svn_user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/svn_user/.ssh/id_rsa.
Your public key has been saved in /home/svn_user/.ssh/id_rsa.pub.
The key fingerprint is:
3f:d2:80:d9:60:e6:18:b6:2e:55:2d:e1:b5:8a:f8:b9 svn_user@linux64-svn-server
[svn_user@linux64-svn-server ~]$ cd /home/svn_user/.ssh/
[svn_user@linux64-svn-server .ssh]$ cat id_rsa.pub >> authorized_keys
[svn_user@linux64-svn-server .ssh]$ chmod 600 authorized_keys

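# svn+ssh checkout of the source code without a password prompt (key-based login; if the key was generated with an empty passphrase, anyone who can read /home/svn_user/.ssh/id_rsa can log in as svn_user)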

[svn_user@linux64-svn-server ~]$ svn co svn+ssh://svn_user@linux64-svn-server/my_test/branches/devs/rel_2_1




Saturday, May 5, 2012

Enterprise Linux: Subversion Edge + HTTPS


# Subversion Edge https with store-plaintext-passwords=no

[svn_user@linux64-svn-server ~]$ svn co https://linux64-svn-server/svn/my_test/branches/devs/rel_2_1
Authentication realm: <https://linux64-svn-server:443> CollabNet Subversion Repository
Password for 'svn_user':
-----------------------------------------------------------------------
ATTENTION!  Your password for authentication realm:
   <https://linux64-svn-server:443> CollabNet Subversion Repository
can only be stored to disk unencrypted!  You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible.  See the documentation for details.
You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/home/svn_user/.subversion/servers'.
-----------------------------------------------------------------------
Store password unencrypted (yes/no)?

# if you answer yes, the password is cached in cleartext under /home/svn_user/.subversion/auth/svn.simple/

[svn_user@linux64-svn-server ~]$ find /home/svn_user/.subversion
/home/svn_user/.subversion
/home/svn_user/.subversion/config
/home/svn_user/.subversion/servers
/home/svn_user/.subversion/auth
/home/svn_user/.subversion/auth/svn.ssl.client-passphrase
/home/svn_user/.subversion/auth/svn.ssl.server
/home/svn_user/.subversion/auth/svn.ssl.server/3cd723e65222898d9adf719b6a36b0de
/home/svn_user/.subversion/auth/svn.username
/home/svn_user/.subversion/auth/svn.simple
/home/svn_user/.subversion/auth/svn.simple/8d5ed2a064a46be1d04c644c7b392be7
/home/svn_user/.subversion/README.txt
[svn_user@linux64-svn-server ~]$ cat /home/svn_user/.subversion/auth/svn.simple/8d5ed2a064a46be1d04c644c7b392be7
K 8
passtype
V 6
simple
K 8
password
V 8
svn_user_password
K 15
svn:realmstring
V 61
<https://linux64-svn-server:443> CollabNet Subversion Repository
K 8
username
V 4
svn_user
END

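# uncomment store-plaintext-passwords=no within /home/svn_user/.subversion/servers so the password is no longer written to disk
# (the setting only affects what is stored from now on; a cleartext entry that is already cached should be deleted from auth/svn.simple/ - verify with cat as below)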

[svn_user@linux64-svn-server ~]$ vi /home/svn_user/.subversion/servers
[svn_user@linux64-svn-server ~]$ cat /home/svn_user/.subversion/servers | grep ^store-plaintext-passwords
store-plaintext-passwords = no
[svn_user@linux64-svn-server ~]$ find /home/svn_user/.subversion
/home/svn_user/.subversion
/home/svn_user/.subversion/config
/home/svn_user/.subversion/servers
/home/svn_user/.subversion/auth
/home/svn_user/.subversion/auth/svn.ssl.client-passphrase
/home/svn_user/.subversion/auth/svn.ssl.server
/home/svn_user/.subversion/auth/svn.ssl.server/3cd723e65222898d9adf719b6a36b0de
/home/svn_user/.subversion/auth/svn.username
/home/svn_user/.subversion/auth/svn.simple
/home/svn_user/.subversion/auth/svn.simple/8d5ed2a064a46be1d04c644c7b392be7
/home/svn_user/.subversion/README.txt
/home/svn_user/.subversion/.nfs000000000042f11e00000001
[svn_user@linux64-svn-server ~]$ cat /home/svn_user/.subversion/auth/svn.simple/8d5ed2a064a46be1d04c644c7b392be7
K 15
svn:realmstring
V 61
<https://linux64-svn-server:443> CollabNet Subversion Repository
K 8
username
V 4
svn_user
END