Difference between revisions of "DEV/Chaining Git Over SSH"
From fd.io
Dwallacelf (Talk | contribs) (Remove reference to cisco internal VM service.) |
|||
(5 intermediate revisions by one other user not shown) | |||
Line 5: | Line 5: | ||
'''Problem:''' | '''Problem:''' | ||
− | : Your development machine is a lab machine in DMZ. However you need to access some git | + | : Your development machine is a lab machine in DMZ. However, you need to access some git repo (gerrit.fd.io) that you cannot directly clone onto a lab-development machine. How to achieve it ? |
'''Rudimentary Solution:''' | '''Rudimentary Solution:''' | ||
− | : Clone the | + | : Clone the repo onto a machine (say laptop) that can access ''gerrit.fd.io'' and ''scp'' it to the lab-development machine. |
'''Issues:''' | '''Issues:''' | ||
Line 15: | Line 15: | ||
# Many other ''git'' commands cannot be used and I do not go over them here. | # Many other ''git'' commands cannot be used and I do not go over them here. | ||
− | '''Solution:''' | + | '''Solution:''' SSH Chaining. |
: The following solution description takes ''gerrit.fd.io'' as an example. One can extend this solution to any other code repo or even for multi-hop ssh. | : The following solution description takes ''gerrit.fd.io'' as an example. One can extend this solution to any other code repo or even for multi-hop ssh. | ||
− | * First you need a system from where you have access to ''gerrit.fd.io'' | + | * First you need a system from where you have access to ''gerrit.fd.io'' . For our documentation here, lets call hostname as ''mystery'' and username as ''arcane''. |
− | * Create a ssh-key pair using ''ssh-keygen''. For details 'man ssh-keygen'. The below command generates two files multihop.rsa and multihop.rsa.pub in ~/.ssh directory. multihop.rsa.pub is a public key and multihop.rsa is a private key. Details: [https://en.wikipedia.org/wiki/Public-key_cryptography Public Key Cryptography]. | + | * Create a ssh-key pair using ''ssh-keygen'' to enable password-less ssh login. For details 'man ssh-keygen'. The below command generates two files multihop.rsa and multihop.rsa.pub in ~/.ssh directory. multihop.rsa.pub is a public key and multihop.rsa is a private key. Details: [https://en.wikipedia.org/wiki/Public-key_cryptography Public Key Cryptography]. <u>'''NOTE:'''</u> This step is optional if you already have a pair of keys, which you would like to use. |
ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N "" | ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N "" | ||
Line 42: | Line 42: | ||
How to get access to gerrit ? [https://wiki.fd.io/view/VPP/Setting_Up_Your_Dev_Environment#Obtain_The_VPP_Source_Code Obtain VPP Source Code] | How to get access to gerrit ? [https://wiki.fd.io/view/VPP/Setting_Up_Your_Dev_Environment#Obtain_The_VPP_Source_Code Obtain VPP Source Code] | ||
− | Now you should be able to perform your favorite git operations. | + | '''Now you should be able to perform your favorite git operations.''' |
git clone ssh://gerrit.fd.io/vpp.git | git clone ssh://gerrit.fd.io/vpp.git |
Latest revision as of 22:29, 13 May 2016
Accessing public repo from within DMZ machine
Problem:
- Your development machine is a lab machine in DMZ. However, you need to access some git repo (gerrit.fd.io) that you cannot directly clone onto a lab-development machine. How to achieve it ?
Rudimentary Solution:
- Clone the repo onto a machine (say laptop) that can access gerrit.fd.io and scp it to the lab-development machine.
Issues:
- For any change you wish to send out for review, you need to create a patch and patch the repo on your laptop.
- In the mean time, if remote-repo is modified, you need to do a git pull. Unfortunately, you cannot as your lab-development machine is in DMZ.
- Many other git commands cannot be used and I do not go over them here.
Solution: SSH Chaining.
- The following solution description takes gerrit.fd.io as an example. One can extend this solution to any other code repo or even for multi-hop ssh.
- First you need a system from where you have access to gerrit.fd.io . For our documentation here, lets call hostname as mystery and username as arcane.
- Create a ssh-key pair using ssh-keygen to enable password-less ssh login. For details 'man ssh-keygen'. The below command generates two files multihop.rsa and multihop.rsa.pub in ~/.ssh directory. multihop.rsa.pub is a public key and multihop.rsa is a private key. Details: Public Key Cryptography. NOTE: This step is optional if you already have a pair of keys, which you would like to use.
ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N "" -C: Comment -f: ouput filename -N: passphrase; using "" is fine.
- Login to mystery as arcane and append contents of multihop.rsa.pub to ~/.ssh/authorized_keys. By doing so, mystery will allow password-less ssh login when corresponding private key is used, which you will specify in the next step on the lab-development machine from where you login.
- Edit ~/.ssh/config on the lab-development machine and add the following:
Host mystery User arcane IdentityFile ~/.ssh/multihop.rsa # Should have port on the first line Host gerrit.fd.io ProxyCommand ssh -q mystery nc gerrit.fd.io 29418 User <gerrit username> IdentityFile <path to gerrit identity private key on lab-development machine>
How to get access to gerrit ? Obtain VPP Source Code
Now you should be able to perform your favorite git operations.
git clone ssh://gerrit.fd.io/vpp.git Cloning into 'vpp'... remote: Counting objects: 986, done remote: Finding sources: 100% (41/41) remote: Total 1655 (delta 0), reused 1626 (delta 0) Receiving objects: 100% (1655/1655), 2.66 MiB | 1.42 MiB/s, done. Resolving deltas: 100% (651/651), done. Checking connectivity... done.
There was no need to specify username and port on the command line as you have added them in ~/.ssh/config.