Difference between revisions of "DEV/Chaining Git Over SSH"

(Remove reference to cisco internal VM service.)
 
(5 intermediate revisions by one other user not shown)
Line 5: Line 5:
  
 
'''Problem:'''
 
'''Problem:'''
: Your development machine is a lab machine in DMZ. However you need to access some git code (gerrit.fd.io) that you cannot directly clone onto a lab-development machine. How to achieve it ?
+
: Your development machine is a lab machine in DMZ. However, you need to access some git repo (gerrit.fd.io) that you cannot directly clone onto a lab-development machine. How to achieve it ?
  
 
'''Rudimentary Solution:'''  
 
'''Rudimentary Solution:'''  
: Clone the code onto a machine (say laptop) that can access ''gerrit.fd.io'' and ''scp'' it to the lab-development machine.
+
: Clone the repo onto a machine (say laptop) that can access ''gerrit.fd.io'' and ''scp'' it to the lab-development machine.
  
 
'''Issues:'''
 
'''Issues:'''
Line 15: Line 15:
 
# Many other ''git'' commands cannot be used and I do not go over them here.
 
# Many other ''git'' commands cannot be used and I do not go over them here.
  
'''Solution:'''
+
'''Solution:''' SSH Chaining.
 
: The following solution description takes ''gerrit.fd.io'' as an example. One can extend this solution to any other code repo or even for multi-hop ssh.
 
: The following solution description takes ''gerrit.fd.io'' as an example. One can extend this solution to any other code repo or even for multi-hop ssh.
  
* First you need a system from where you have access to ''gerrit.fd.io'' . If you do not already have a system with that property, you can create a VM on [https://labtools.cisco.com/virtualization Aurora]. For our documentation here, lets call hostname as ''mystery'' and username as ''arcane''.
+
* First you need a system from where you have access to ''gerrit.fd.io'' . For our documentation here, lets call hostname as ''mystery'' and username as ''arcane''.
* Create a ssh-key pair using ''ssh-keygen''. For details 'man ssh-keygen'. The below command generates two files multihop.rsa and multihop.rsa.pub in ~/.ssh directory. multihop.rsa.pub is a public key and multihop.rsa is a private key. Details: [https://en.wikipedia.org/wiki/Public-key_cryptography Public Key Cryptography].
+
* Create a ssh-key pair using ''ssh-keygen'' to enable password-less ssh login. For details 'man ssh-keygen'. The below command generates two files multihop.rsa and multihop.rsa.pub in ~/.ssh directory. multihop.rsa.pub is a public key and multihop.rsa is a private key. Details: [https://en.wikipedia.org/wiki/Public-key_cryptography Public Key Cryptography]. <u>'''NOTE:'''</u> This step is optional if you already have a pair of keys, which you would like to use.
  
 
   ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N ""
 
   ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N ""
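Review bot: the reworded ssh-keygen bullet now says the key pair is there "to enable password-less ssh login", but the command under it still passes -N "", so the private key itself has no passphrase and sits unencrypted in ~/.ssh on the lab machine. The bullet should say so, since "password-less login" and "passphrase-less key" are different things. The new NOTE about reusing an existing key could also mention that a passphrase-protected key works here when it is loaded into ssh-agent.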
Line 42: Line 42:
 
How to get access to gerrit ? [https://wiki.fd.io/view/VPP/Setting_Up_Your_Dev_Environment#Obtain_The_VPP_Source_Code Obtain VPP Source Code]
 
How to get access to gerrit ? [https://wiki.fd.io/view/VPP/Setting_Up_Your_Dev_Environment#Obtain_The_VPP_Source_Code Obtain VPP Source Code]
  
Now you should be able to perform your favorite git operations.
+
'''Now you should be able to perform your favorite git operations.'''
  
 
   git clone ssh://gerrit.fd.io/vpp.git
 
   git clone ssh://gerrit.fd.io/vpp.git

Latest revision as of 22:29, 13 May 2016


Accessing public repo from within DMZ machine

Problem:

Your development machine is a lab machine in a DMZ. However, you need to access a git repo (gerrit.fd.io) that you cannot clone directly onto the lab-development machine. How can you achieve this?

Rudimentary Solution:

Clone the repo onto a machine (say, a laptop) that can access gerrit.fd.io and scp it to the lab-development machine.

Issues:

  1. For any change you wish to send out for review, you need to create a patch and apply it to the repo on your laptop.
  2. In the meantime, if the remote repo is modified, you need to do a git pull. Unfortunately, you cannot, as your lab-development machine is in the DMZ.
  3. Many other git commands cannot be used, and I do not go over them here.

Solution: SSH Chaining.

The following solution description takes gerrit.fd.io as an example. One can extend this solution to any other code repo or even for multi-hop ssh.
  • First, you need a system from which you can access gerrit.fd.io. For this documentation, let's call the hostname mystery and the username arcane.
  • Create an ssh key pair using ssh-keygen to enable password-less ssh login. For details, see 'man ssh-keygen'. The command below generates two files, multihop.rsa and multihop.rsa.pub, in the ~/.ssh directory. multihop.rsa.pub is the public key and multihop.rsa is the private key. Details: Public Key Cryptography (https://en.wikipedia.org/wiki/Public-key_cryptography). NOTE: This step is optional if you already have a key pair that you would like to use.
 ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N ""
 
 -C: Comment
 -f: output filename
 -N: passphrase; using "" is fine (the private key is then stored without a passphrase).
  • Log in to mystery as arcane and append the contents of multihop.rsa.pub to ~/.ssh/authorized_keys. mystery will then allow password-less ssh login when the corresponding private key is used; you will specify that key in the next step on the lab-development machine, from which you log in.
  • Edit ~/.ssh/config on the lab-development machine and add the following:
 Host mystery
   User arcane
   IdentityFile ~/.ssh/multihop.rsa
 
 # Should have port on the first line
 Host gerrit.fd.io
   ProxyCommand ssh -q mystery nc gerrit.fd.io 29418
   User <gerrit username>
   IdentityFile <path to gerrit identity private key on lab-development machine>

How to get access to gerrit? See Obtain VPP Source Code (https://wiki.fd.io/view/VPP/Setting_Up_Your_Dev_Environment#Obtain_The_VPP_Source_Code).

Now you should be able to perform your favorite git operations.

 git clone ssh://gerrit.fd.io/vpp.git
 Cloning into 'vpp'...
 remote: Counting objects: 986, done
 remote: Finding sources: 100% (41/41)
 remote: Total 1655 (delta 0), reused 1626 (delta 0)
 Receiving objects: 100% (1655/1655), 2.66 MiB | 1.42 MiB/s, done.
 Resolving deltas: 100% (651/651), done.
 Checking connectivity... done.

There was no need to specify the username and port on the command line, as you have added them in ~/.ssh/config.
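
A tighter variant of the setup above, as an added example that is not part of the original page: the hop key on mystery is limited to opening a TCP forward to gerrit.fd.io:29418, and the lab machine uses ProxyJump in place of the nc ProxyCommand, so the key needs no shell on mystery. It assumes OpenSSH 7.3 or later on the lab-development machine and 7.2 or later on mystery; the angle-bracket values are placeholders.

```sshconfig
# --- On mystery: ~arcane/.ssh/authorized_keys (one single line) ---
# "restrict" turns off PTY, agent, X11 and port forwarding for this key;
# "port-forwarding" plus "permitopen" re-enable forwarding to one target only.
# command="/bin/false" means a session request with this key gets no shell.
restrict,port-forwarding,permitopen="gerrit.fd.io:29418",command="/bin/false" <contents of multihop.rsa.pub>

# --- On the lab-development machine: ~/.ssh/config ---
Host mystery
  User arcane
  IdentityFile ~/.ssh/multihop.rsa
  # Offer only this key to mystery, and never forward a local agent to it.
  IdentitiesOnly yes
  ForwardAgent no

Host gerrit.fd.io
  # The port must be set here: ProxyJump asks mystery to connect to
  # host:port of this block, and permitopen above only allows 29418.
  Port 29418
  # Replaces "ProxyCommand ssh -q mystery nc gerrit.fd.io 29418".
  ProxyJump mystery
  User <gerrit username>
  IdentityFile <path to gerrit identity private key on lab-development machine>
  IdentitiesOnly yes
```

With this authorized_keys entry the original nc-based ProxyCommand stops working, because it needs to run a command on mystery. `ssh -G gerrit.fd.io` prints the options ssh resolves for the host, which confirms the port and jump host before the first clone.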