ant-ivy-user mailing list archives

From Geoff Clitheroe <g.clithe...@gmail.com>
Subject Re: Suggestions for publishing to Ivy repo from Hudson using ssh
Date Thu, 17 Jun 2010 20:21:56 GMT
Hi,

I'm afraid I don't strictly know the answers to those questions.  Here's
what we do:

I'm working on linux, setting up my agent looks like

ssh-agent | head -2 > ~/.agent            (there are flags for creating env variables for diff shells).
source ~/.agent
ssh-add    (specify key file if needs be)
...enter passphrase...

The agent now holds your decrypted key and will answer authentication
challenges for you (for as long as the process is running).   Note: if you
find ideas on the internet about an agent group and sharing an agent amongst
accounts be cautious: ssh has become much stricter about permissions on the
process (file system node) and it is only really practical to have an agent
for each account now.

We then publish and install to the local file system and rsync over ssh to
the remote repo (hence I don't know if the ssh resolver will work with
agents).

The relevant bits of our build_base file are below.   Note we rsync to two
repos.  This would run something like

ant ivy-rsync-module

with the option of  -Drsync.additional="-P --dry-run"

Cheers,
Geoff



    <macrodef name="rsync-macro">
        <attribute name="source"/>
        <attribute name="target"/>
        <attribute name="rsync-additional"/>

        <sequential>
            <exec executable="rsync">
                <arg line="-v @{rsync-additional}"/>
                <arg value="--rsh=ssh"/>
                <arg value="--archive"/>
                <arg value="--ignore-existing"/>
                <arg value="--chmod=Da+rx,ug+w,Fa+r,ug+w"/>
                <arg value="@{source}"/>
                <!-- @@ is the macrodef escape for a literal @, giving user@server:target/ -->
                <arg value="${repoadmin.ivy.geonet}@@${repo.server.ivy.geonet}:@{target}/"/>
            </exec>
        </sequential>
    </macrodef>

   <target name="ivy-rsync-enterprise" depends="ivy-force-init"
description="Rsync the tmp repo to the enterprise repo.
    Existing files on the receiver are ignored (--ignore-existing).
    Use rsync.additional to pass any extra flags to rsync e.g.,
-Drsync.additional=--dry-run">
        <property name="rsync.additional" value=" "/>
        <rsync-macro source="${enterprise.repo.dir.enterprise.tmp}/"
target="${enterprise.repo.dir.enterprise}"
rsync-additional="${rsync.additional}"/>
    </target>

    <target name="ivy-rsync-publish" depends="ivy-force-init"
description="Rsync the tmp repo to the publish repo.
    Existing files on the receiver are ignored (--ignore-existing).
    Use rsync.additional to pass any extra flags to rsync e.g.,
-Drsync.additional=--dry-run">
        <property name="rsync.additional" value=" "/>
        <rsync-macro source="${enterprise.repo.dir.publish.tmp}/"
target="${enterprise.repo.dir.publish}"
rsync-additional="${rsync.additional}"/>
    </target>

    <target name="ivy-rsync-module" depends="ivy-rsync-enterprise,
ivy-rsync-publish" />



On Fri, Jun 18, 2010 at 7:51 AM, Steele, Richard <rich@steelezone.net> wrote:

> Yes: see above about the security group getting twitchy using unsigned keys,
> but I think we might actually be able to get a waiver in this case.
>
> I've never used an ssh-agent, though I see putty has pageant; is pageant
> compatible with jsch underlying the ssh resolver provided in Ivy?  What
> about in a non-Windows (Linux/Unix) environment?
>
> Thanks,
> Rich
>
> On Wed, Jun 16, 2010 at 6:28 PM, Geoff Clitheroe <g.clitheroe@gmail.com> wrote:
>
> > Hi Rich,
> >
> > Have you considered ssh key authentication?  Either with an unencrypted
> > private key (not so secure) or with an ssh-agent holding the unencrypted key
> > (more secure but the agent has to be restarted on server boot)?
> >
> > Cheers,
> > Geoff
> >
> >
> > On Thu, Jun 17, 2010 at 7:06 AM, Steele, Richard <rich@steelezone.net> wrote:
> >
> > > I'm trying to figure out the best way to handle publishing artifacts to our
> > > Ivy repository using ssh.  We can't prompt the user for the username and
> > > password since the publication is usually done by Hudson.  We can't embed
> > > the username or password as a job configuration property because we can't
> > > have those in cleartext; similarly, we can't use a standard user with a
> > > well-known password in cleartext because of security concerns.
> > >
> > > I'm leaning towards using a keystore, but we'd need to use one without a
> > > password for the same reasons above (can't prompt, don't want to embed), but
> > > a keystore without a password makes the security group twitchy.
> > >
> > > I'm looking for any ideas or suggestions that might help; practical
> > > experience with real examples would be best, but I'll consider anything.
> > >
> > > Thanks,
> > > Rich
> > >
> >
>
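
Added example, not part of the original message: a pre-flight check a build job could run before sourcing the ~/.agent file described above, so a stale or tampered file fails the publish early instead of leaving rsync to prompt or hang. The function names and return codes are illustrative assumptions; the file format is the Bourne-shell output of ssh-agent.

```shell
#!/bin/sh
# Pre-flight check for the file written by:  ssh-agent | head -2 > ~/.agent
# Function names and return codes are illustrative, not from the original message.

# agent_sock_from_file FILE
# Prints the agent socket path without sourcing (executing) FILE.
# Returns: 0 ok, 1 file missing or not ours, 2 file writable by group/other,
#          3 no SSH_AUTH_SOCK line, 4 socket missing, not a socket, or not ours.
agent_sock_from_file() {
    f=$1
    [ -f "$f" ] && [ -O "$f" ] || return 1
    # The build later sources this file, so nobody else may be able to edit it.
    perms=$(ls -ld "$f" | cut -c1-10)
    case $perms in
        ?????w*|????????w*) return 2 ;;
    esac
    # ssh-agent writes: SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.NNN; export SSH_AUTH_SOCK;
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$f" | head -1)
    [ -n "$sock" ] || return 3
    # A stale file (agent killed, server rebooted) points at a socket that is gone.
    [ -S "$sock" ] && [ -O "$sock" ] || return 4
    printf '%s\n' "$sock"
}

# agent_ready FILE
# Returns 0 only if the agent answers and holds at least one key.
# ssh-add -l exits 1 when the agent has no identities, 2 when it cannot be reached.
agent_ready() {
    sock=$(agent_sock_from_file "$1") || return $?
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || return 5
}

# Typical use in a job step (not executed here):
#   agent_ready "$HOME/.agent" && . "$HOME/.agent" && ant ivy-rsync-module
```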
