subversion issue

Morning all,

Last Friday I was decided to set up a personal svn repository to give me a central place to store some documents and other projects. I found a good howto at http://queens.db.toronto.edu/~nilesh/linux/subversion-howto/ and followed the directions (it's incredibly easy). After getting everything set up, I was able to use svn+ssh to checkout the document I wanted to checkout. I was actually able to do it successfully as I continued to test.

Fast forward to last night. I needed one of the documents stored there and was eager to use my svn repo to check it out and edit it. However, when I ran the command:

svn co svn+ssh://pils.netcom.duke.edu/afs/acpub/users14/mbjohn/svn/repo

I get

svn: Can't open file '/afs/acpub/users14/mbjohn/svn/repo/format': Permission denied

The server I'm trying this on is set up to use our AFS space as our home directories and the repo is set up in there (as ~mbjohn/svn/repo). As mentioned, I created the repo and it was working fine 2 weeks ago.

The permissions on the repo:

</afs/acpub/users14/mbjohn/svn/repo>% ls -ld repo
drwxr-xr-x  8 mbjohn wheel 2048 Jul 17 04:36 repo/

and the permissions of everything inside the repo:

</afs/acpub/users14/mbjohn/svn/repo>% ls -lhrt
total 18K
drwxr-xr-x  3 mbjohn wheel 2.0K Jul 17 04:24 ../
drwxr-xr-x  2 mbjohn wheel 2.0K Jul 17 04:24 hooks/
drwxr-xr-x  2 mbjohn wheel 2.0K Jul 17 04:24 locks/
-r--r--r--  1 mbjohn wheel    2 Jul 17 04:24 format
-rw-r--r--  1 mbjohn wheel  229 Jul 17 04:24 README.txt
drwxr-xr-x  2 mbjohn wheel 2.0K Jul 17 04:24 dav/
drwxr-xr-x  2 mbjohn wheel 2.0K Jul 17 04:25 conf/
drwxr-xr-x  2 mbjohn wheel 2.0K Jul 17 04:36 test/
drwxr-xr-x  8 mbjohn wheel 2.0K Jul 17 04:36 ./
drwxr-xr-x  5 mbjohn wheel 2.0K Jul 17 04:57 db/

Here's the ps output for svnserve:

</afs/acpub/users14/mbjohn/svn/repo>% ps -ef | grep svn
mbjohn   26337     1  0 06:59 ?        00:00:00 svnserve -d --threads --root /afs/acpub/users14/mbjohn/svn/repo

I've tried running it as root, but I still get the same thing. Heck, I get the same thing when I don't have svnserve running.

Any thoughts from those who have more SVN experience than I?

Brain

--
Brian Johnson
"And I will be even more undignified than this, and will be humble in my own sight." (2 Samuel 6:22)

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug

On 7/29/2009 8:39 AM, Brian Johnson wrote:

The first thing that springs to my mind is AFS tokens.  Are you using a
private key to connect to pils.netcom.duke.edu?  If so, then you might
need to connect using your password once, do a klog, and then do the
checkout again.  You'd need to klog once every 10 hours, or not use a
key to connect (which is a hassle, since Subversion makes 3 or 4
connections each time you try to do something).  Another possibility
would be granting system:anyuser read rights to ~mbjohn/svn/, but that's
probably also not what you want.

Hope that helps,
Jeff

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug

On 7/29/09 8:39 AM, Brian Johnson wrote:
Hey Brian - looks like you don't have an AFS token.

> The permissions on the repo:

...don't really matter; you'll need to examine those directories using
something like 'fs listacl /afs/acpub/users14/mbjohn/svn/repo'.  IIRC,
the default acl for directories in your home dir other than ~/public
includes 'system:anyuser l', which restricts even authenticated users
from listing the contents of a dir.  When you connect via ssh, you don't
have any Kerb creds, and almost certainly no AFS token, which you would
need in order to even read files in that directory.

You should be able to configure your ssh client to use and delegate your
GSSAPI creds - what I can't recall offhand (or test, since I no longer
use AFS) is if you can also get a token as well.  There is an
'KerberosGetAFSToken' option in recent sshd_config, which defaults to no
- you might try setting that...

Cheers,

-tt

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug

Jeff,

Thanks for the response. I thought it might have had something to do with AFS tokens, as I do use a key to log in (due to the very reason you stated....I had done it after using the svn repo on community.oit and constantly being asked for my password).

I have an alias set up on my machine, 'nksh' that actually runs 'ssh -o PubkeyAuthentication=no -o GSSAPIAuthentication=no'. I assumed that this would take care of the AFS token, as if I run ssh without it, I have no access to anything in my home dir).

I did take Jeff's advice and ran my nksh alias into pils, then ran klog. I then tried to do a checkout via svn+ssh and got the same thing :-/

That being said, for giggles I just tried it again after doing that (some time after...), and it appears to be working!

So, assuming that this did work, a few questions:

1) is there a reason it wouldn't have happened immediately?
2) does "ssh -o PubkeyAuthentication=no -o GSSAPIAuthentication=no" eliminate the need for klog? I'd ssh'd in several times before that and it didn't work. It appears that only after running klog did it work.

(ok, so that's 2,versus "a few"....)

Thanks very much for your help!

Brian




--
Brian Johnson
"And I will be even more undignified than this, and will be humble in my own sight." (2 Samuel 6:22)

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug

On Wed, 29 Jul 2009, Tom Throckmorton wrote:

> You should be able to configure your ssh client to use and delegate your
> GSSAPI creds - what I can't recall offhand (or test, since I no longer
> use AFS) is if you can also get a token as well.  There is an
> 'KerberosGetAFSToken' option in recent sshd_config, which defaults to no
> - you might try setting that...

Or you could use a server with a non AFS filesystem that doesn't time
you out after a certain amount of time.  I'm guessing that you have
root access to other servers (or even workstations) with hard-mounted
disk space and ssh -- one of the nice things about ssh+svn is that it
doesn't take much to set up a remote repo.

Oh, and one final possibility is google's free svn devel repo.  You can
set up a svn repo there for you and your project for nothing and control
it in a pretty fine grained way.  The only trouble is that I think it
has to be a GPL project or the like -- something that other people can
(in principle) see or get a copy of.

    rgb

Robert G. Brown                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@...


_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug

Thank you, Dr. Brown, as well as Tom and Jeff. It seems that the consensus is the combination of ssh keys and having the repo in AFS space.

I took Tom's advice and tried to enable KerberosGetAFSToken in the sshd_config of the remote machine and see if that worked, but it errored when I restarted sshd saying that it was an unknown option. After doing some searching using Google, apparently that binary had not been configured with AFS support.

I decided that instead of making it work with AFS that I'd just set up a repo on a disk local to the server as Dr. Brown suggested. Did some testing last night, no problem. Did testing this morning and it worked as well. So I've got something working for the time being, though it's owned by me and running as me. I'm not sure that's how I want to leave it, but as I'm the only one who will probably ever use it, I'll take it.

Thanks again everyone for the thoughts and suggestions!

Brian




--
Brian Johnson
"And I will be even more undignified than this, and will be humble in my own sight." (2 Samuel 6:22)

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug