Login | Register
My pages Projects Community openCollabNet

Discussions > users > Installing on CentOS5 (x86_64)

fsvs
Discussion topic

Hide all messages in topic

All messages in topic

Re: Installing on CentOS5 (x86_64)

Author Thomas Harold <tgh at tgharold dot com>
Full name Thomas Harold <tgh at tgharold dot com>
Date 2007-05-31 13:56:30 PDT
Message Philipp Marek wrote:
> On Donnerstag, 31. Mai 2007 Thomas Harold wrote:
>> Well, I'm getting closer to installing FSVS on CentOS5...
> ...
>> I'm still working on my blog entry describing the install steps from
>> A-Z. But a permanent URL will be:
>>
>> http://www.tgharold.​com/techblog/2007/05​/fsvs-for-sysadmins.​shtml
 >
> Thank you. May I link to that URL?

Sure :)

I'm still not finished with the document (as I've just gotten to the
point where FSVS is installed), but I got pulled off in other directions
today. Which tends to be why I blog this stuff, so I can remember where
I left off with something.

I still need to delve into initalizing the stuff under /var/spool/fsvs
and doing the initial import into SVN and doing some editing tasks.

Re: Installing on CentOS5 (x86_64)

Author Thomas Harold <tgh at tgharold dot com>
Full name Thomas Harold <tgh at tgharold dot com>
Date 2007-05-31 13:54:06 PDT
Message Philipp Marek wrote:
> ...
>>> http://www.tgharold.​com/techblog/2007/05​/fsvs-for-sysadmins.​shtml
> says:
>> Unfortunately, the documentation for FSVS is rather sparse at the moment
> Hey, that's not really nice !-) More documentation than code, if you count the
> lines. :-)

Hah, I've re-written that line about 3x in the past 2 days. (It was
worse.) I'm sure I'll re-write it again once I have things figured out
and can be more objective.

:)

> Another idea just crossed my mind: If you put
> netcat localhost <some_port>
> as command in your authorized_keys, then you can (should be able to) use a
> running svnserve instance *as a completely different user* as "server" - so
> that no remote access can get to the repository directly.
> It would have to authorize itself via svn_auth.conf ...

I have to think about the implications of that... I suspect my objection
to that would be the use of plain-text passwords (which using SSH
avoids). At least I think that would involve the storage of plain-text
passwords on the server... I have to think about this some more when I'm
more awake.

...

I've also been thinking about the pros/cons of using a single SSH
account (with multiple entries in authorized_keys where the command=
tells svnserve which username to pretend as) as opposed to using
individual SSH accounts.

The single-account method is less work (fewer accounts created, no need
to add users to the proper lines in /etc/group). And allows you to deal
cleanly with situations where 2 people use the same machine and the same
working copy folders. By having PuTTY cache the user-specific SSH key
in Pageant, you can use a generic svn+ssh URL on the working copy and
the SVN server does the hard work of figuring out which user to
authenticate as. (It's a not-the-best scenario, but it may be something
we do. Or we'll just issue a "svn switch" command on the working copy
when the user logs in.)

But if a SSH key gets cracked / stolen / or used to break into the SVN
server, it will be difficult to tell which of the authorized_keys was
responsible for the break-in. With separate user accounts, the attacker
is more likely to leave tracks telling us which user account was used
for the break-in. So I think it's worthwhile to have individual user
accounts that belong to the group that owns the SVN repository directory.

But my thinking might be flawed on that.

I notice that the SVN book at redbean talks down using SSH in tunneling
mode due to umask issues. But once we set the ownership of the
repository folder to a unix group and set the sticky bit on the
repository/db folder (chmod -R g+s repository/db), we haven't seen any
issues with file ownership. So using a single "server" account on the
SVN server doesn't appeal to us.

We may also have the advantage in that our SVN server is single-purpose
(running in a Xen DomU). All of the accounts on it are SVN-related and
it's not trying to do 20 other duties. So we don't really worry much
about having a few dozen user accounts for machines.

Re: Installing on CentOS5 (x86_64)

Author pmarek
Full name P.Marek
Date 2007-05-31 09:31:44 PDT
Message ...
> > http://www.tgharold.​com/techblog/2007/05​/fsvs-for-sysadmins.​shtml
says:
> Unfortunately, the documentation for FSVS is rather sparse at the moment
Hey, that's not really nice !-) More documentation than code, if you count the
lines. :-)


Another idea just crossed my mind: If you put
    netcat localhost <some_port>
as command in your authorized_keys, then you can (should be able to) use a
running svnserve instance *as a completely different user* as "server" - so
that no remote access can get to the repository directly.
It would have to authorize itself via svn_auth.conf ...




Regards,

Phil



--
Versioning your /etc, /home or even your whole installation?
             Try fsvs (fsvs.tigris.org)!

Re: Installing on CentOS5 (x86_64)

Author pmarek
Full name P.Marek
Date 2007-05-31 09:26:33 PDT
Message On Donnerstag, 31. Mai 2007 Thomas Harold wrote:
> Well, I'm getting closer to installing FSVS on CentOS5...
...
> I'm still working on my blog entry describing the install steps from
> A-Z. But a permanent URL will be:
>
> http://www.tgharold.​com/techblog/2007/05​/fsvs-for-sysadmins.​shtml
Thank you. May I link to that URL?

> ...
>
> Other things that I've run across:
>
> Maybe the Makefile should check for the existence of those header files
> and spit out a less technical error message? I don't even know if that
> is possible, but for the less technically adept users, the output of
> "cc" can be a bit daunting.
Well, normally configure should check for those. Maybe the warning/error is
not big enough.

> (Alternately, I should try to write a RPM package for FSVS, which would
> define what the dependencies are. But don't hold your breath, I've just
> switched over to CentOS5 in the past month so I haven't learned those
> tricks yet.)
>
> Also, on the index page in the SVN repository at tigris.org, it does not
> list "gdbm" as a system requirement.
Yes, I forgot that one.


Thank you!



Regards,

Phil


--
Versioning your /etc, /home or even your whole installation?
             Try fsvs (fsvs.tigris.org)!

Installing on CentOS5 (x86_64)

Author Thomas Harold <tgh at tgharold dot com>
Full name Thomas Harold <tgh at tgharold dot com>
Date 2007-05-31 07:17:59 PDT
Message Well, I'm getting closer to installing FSVS on CentOS5...

...

********************​********************​***************
*** The Makefile has been updated. ***
*** Please run make again, to build the binary. ***
*** Now stopping execution. ***
********************​********************​***************
make: *** [Makefile] Error 1
[root@fw1-hosho src]# make
ctags ac_list.c actions.c add_unvers.c build.c checksum.c commit.c
diff.c direnum.c est_ops.c export.c fsvs.c helper.c ignore.c info.c
props.c pwcache.c racallback.c remote.c revert.c status.c sync.c
update.c url.c waa.c warnings.c actions.h add_unvers.h build.h
checksum.h commit.h config.h diff.h direnum.h est_ops.h export.h
global.h helper.h ignore.h info.h interface.h props.h pwcache.h
racallback.h remote.h revert.h status.h sync.h update.h url.h waa.h
warnings.h
cc -Wall -funsigned-char -D_GNU_SOURCE=1 -D_FILE_OFFSET_BITS=64
-idirafter /usr/local/include -idirafter /usr/include -idirafter
/openpkg/include -idirafter /usr/include/apr-1 -Os
-DFSVS_VERSION='"fsv​s-1.1.4:835"' -c -o ac_list.o ac_list.c
In file included from ac_list.c:9:
global.h:16:18: error: gdbm.h: No such file or directory
global.h:23:18: error: pcre.h: No such file or directory
In file included from ac_list.c:9:
global.h:90: error: expected specifier-qualifier-list before ‘pcre’
In file included from ac_list.c:13:
update.h:27: error: expected declaration specifiers or ‘...’ before
‘GDBM_FILE’
In file included from ac_list.c:20:
props.h:29: error: expected declaration specifiers or ‘...’ before
‘GDBM_FILE’
props.h:31: error: expected declaration specifiers or ‘...’ before
‘GDBM_FILE’
props.h:35: error: expected ‘)’ before ‘db’
props.h:37: error: expected ‘)’ before ‘db’
props.h:49: error: expected ‘)’ before ‘db’
props.h:50: error: expected ‘)’ before ‘db’
props.h:51: error: expected ‘)’ before ‘db’
props.h:52: error: expected ‘)’ before ‘db’
props.h:56: error: expected ‘)’ before ‘db’
make: *** [ac_list.o] Error 1

I'm guessing that I need to also install the "gdbm" and "gdbm-devel"
packages. Oh, and "pcre" and "pcre-devel".

...

Okay, once I added those (4) packages to the "yum install" line, FSVS
seems to have compiled correctly. It looks like the complete line
required to install all prerequisites for CentOS5 (and probably RHEL5) is:

# yum install subversion subversion-devel ctags apr apr-devel gcc gdbm
gdbm-devel pcre pcre-devel

That line could probably be trimmed down a bit (for instance, I think
installing subversion infers installing the apr package). When I do
FSVS on the other CentOS5 box, I'll check and see.

I'm still working on my blog entry describing the install steps from
A-Z. But a permanent URL will be:

http://www.tgharold.​com/techblog/2007/05​/fsvs-for-sysadmins.​shtml

...

Other things that I've run across:

Maybe the Makefile should check for the existence of those header files
and spit out a less technical error message? I don't even know if that
is possible, but for the less technically adept users, the output of
"cc" can be a bit daunting.

(Alternately, I should try to write a RPM package for FSVS, which would
define what the dependencies are. But don't hold your breath, I've just
switched over to CentOS5 in the past month so I haven't learned those
tricks yet.)

Also, on the index page in the SVN repository at tigris.org, it does not
list "gdbm" as a system requirement.
Messages per page: