Difference between revisions of "DEV/Chaining Git Over SSH"
From fd.io
(Accessing public repo from within DMZ machine) |
m |
||
Line 5: | Line 5: | ||
'''Problem:''' | '''Problem:''' | ||
− | + | : Your development machine is a lab machine in DMZ. However you need to access some git code (gerrit.fd.io) that you cannot directly clone onto a lab-development machine. How to achieve it ? | |
− | : Your development machine is a lab machine in DMZ. However you need to | + | |
'''A rudimentary solution:''' | '''A rudimentary solution:''' | ||
− | : Clone the code onto a machine (say laptop) that can access gerrit.fd.io and | + | : Clone the code onto a machine (say laptop) that can access ''gerrit.fd.io'' and ''scp'' it to the lab-development machine. |
'''Issues:''' | '''Issues:''' | ||
− | + | # For any change you wish to send out for review, you need to create a patch and patch the repo on your laptop. | |
− | + | # In the mean time, if remote-repo is modified, you need to do a ''git pull''. Unfortunately, you cannot as your lab-development machine is in DMZ. | |
+ | # Many other ''git'' commands cannot be used and I do not go over them here. | ||
'''Solution:''' | '''Solution:''' | ||
− | : The following solution description takes gerrit.fd.io as an example. One can extend | + | : The following solution description takes ''gerrit.fd.io'' as an example. One can extend this solution to any other code repo or even for multi-hop ssh. |
− | * First you need a system from where you have access to gerrit.fd.io . If you do not already have a system with that property, you can create a VM on [https://labtools.cisco.com/virtualization Aurora]. For our documentation here, lets call | + | * First you need a system from where you have access to ''gerrit.fd.io'' . If you do not already have a system with that property, you can create a VM on [https://labtools.cisco.com/virtualization Aurora]. For our documentation here, lets call hostname as ''mystery'' and username as ''arcane''. |
− | * Create a ssh-key pair using ssh-keygen. For details 'man ssh-keygen'. The below command generates two files multihop.rsa and multihop.rsa.pub. multihop.rsa.pub is public key and multihop.rsa is a private key | + | * Create a ssh-key pair using ''ssh-keygen''. For details 'man ssh-keygen'. The below command generates two files multihop.rsa and multihop.rsa.pub in ~/.ssh directory. multihop.rsa.pub is a public key and multihop.rsa is a private key. Details: [https://en.wikipedia.org/wiki/Public-key_cryptography Public Key Cryptography]. |
ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N "" | ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N "" | ||
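Review bot: The reworded first bullet still points readers to Aurora at https://labtools.cisco.com/virtualization, a Cisco lab-tools host that fd.io contributors outside Cisco may not be able to reach. Suggest stating the requirement generically (any host you control that can reach gerrit.fd.io) and keeping Aurora as one option.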
Line 26: | Line 26: | ||
-f: ouput filename | -f: ouput filename | ||
-N: passphrase; using "" is fine. | -N: passphrase; using "" is fine. | ||
− | + | * Login to ''mystery'' as ''arcane'' and append contents of multihop.rsa.pub to ~/.ssh/authorized_keys. By doing so, ''mystery'' will allow password-less ssh login when corresponding private key is used, which you will specify in the next step on the lab-development machine from where you login. | |
− | * Login to ''mystery'' as ''arcane'' and append contents of multihop.rsa.pub to ~/.ssh/authorized_keys. By doing so, ''mystery'' will allow password less ssh login when corresponding private key is used, which you will specify in the next step on the lab-development machine from where you login. | + | |
* Edit ~/.ssh/config on the lab-development machine and add the following: | * Edit ~/.ssh/config on the lab-development machine and add the following: | ||
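Review bot: The rewritten authorized_keys bullet installs a key that, per the context line '-N: passphrase; using "" is fine', has no passphrase, so anyone who copies multihop.rsa off the lab-development machine gets a full password-less login to mystery as arcane. Suggest telling readers to prefix the appended line with options that pin it to the relay, for example command="nc gerrit.fd.io 29418",restrict, so the key can do nothing else.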
Line 39: | Line 38: | ||
ProxyCommand ssh -q mystery nc gerrit.fd.io 29418 | ProxyCommand ssh -q mystery nc gerrit.fd.io 29418 | ||
User <gerrit username> | User <gerrit username> | ||
− | IdentityFile <gerrit identity private key> | + | IdentityFile <path to gerrit identity private key on lab-development machine> |
− | How to get access to gerrit ? | + | How to get access to gerrit ? [https://wiki.fd.io/view/VPP/Setting_Up_Your_Dev_Environment#Obtain_The_VPP_Source_Code Obtain VPP Source Code] |
Now you should be able to perform your favorite git operations. | Now you should be able to perform your favorite git operations. | ||
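Review bot: The new IdentityFile placeholder makes explicit that the Gerrit private key is stored on the lab-development machine, but it does not say which key to use. Suggest recommending a separate key pair generated for that machine and registered in Gerrit on its own, so it can be removed from the Gerrit account without affecting keys used elsewhere.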
Line 54: | Line 53: | ||
Checking connectivity... done. | Checking connectivity... done. | ||
− | There was no need to specify username and port on the command line as you have | + | There was no need to specify ''username'' and ''port'' on the command line as you have added them in ~/.ssh/config. |
Revision as of 19:58, 20 January 2016
Accessing public repo from within DMZ machine
Problem:
- Your development machine is a lab machine in a DMZ. However, you need to access some git code (gerrit.fd.io) that you cannot clone directly onto the lab-development machine. How do you achieve this?
A rudimentary solution:
- Clone the code onto a machine (say, a laptop) that can access gerrit.fd.io and scp it to the lab-development machine.
Issues:
- For any change you wish to send out for review, you need to create a patch and patch the repo on your laptop.
- In the meantime, if the remote repo is modified, you need to do a git pull. Unfortunately, you cannot, as your lab-development machine is in the DMZ.
- Many other git commands cannot be used and I do not go over them here.
Solution:
- The following solution description takes gerrit.fd.io as an example. One can extend this solution to any other code repo or even for multi-hop ssh.
- First you need a system from which you have access to gerrit.fd.io. If you do not already have a system with that property, you can create a VM on Aurora. For our documentation here, let's call the hostname mystery and the username arcane.
- Create an SSH key pair using ssh-keygen (for details, see 'man ssh-keygen'). The command below generates two files, multihop.rsa and multihop.rsa.pub, in the ~/.ssh directory. multihop.rsa.pub is the public key and multihop.rsa is the private key. Details: Public Key Cryptography.
    ssh-keygen -C "SSH key for multi-hop for arcane" -f ~/.ssh/multihop.rsa -N ""

    -C: Comment
    -f: output filename
    -N: passphrase; using "" is fine.
- Log in to mystery as arcane and append the contents of multihop.rsa.pub to ~/.ssh/authorized_keys. By doing so, mystery will allow password-less ssh login when the corresponding private key is used, which you will specify in the next step on the lab-development machine from which you log in.
- Edit ~/.ssh/config on the lab-development machine and add the following:
    Host mystery
        User arcane
        IdentityFile ~/.ssh/multihop.rsa

    # Should have port on the first line
    Host gerrit.fd.io
        ProxyCommand ssh -q mystery nc gerrit.fd.io 29418
        User <gerrit username>
        IdentityFile <path to gerrit identity private key on lab-development machine>
How to get access to Gerrit? See Obtain VPP Source Code (https://wiki.fd.io/view/VPP/Setting_Up_Your_Dev_Environment#Obtain_The_VPP_Source_Code).
Now you should be able to perform your favorite git operations.
    git clone ssh://gerrit.fd.io/vpp.git
    Cloning into 'vpp'...
    remote: Counting objects: 986, done
    remote: Finding sources: 100% (41/41)
    remote: Total 1655 (delta 0), reused 1626 (delta 0)
    Receiving objects: 100% (1655/1655), 2.66 MiB | 1.42 MiB/s, done.
    Resolving deltas: 100% (651/651), done.
    Checking connectivity... done.
There was no need to specify username and port on the command line as you have added them in ~/.ssh/config.
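Because multihop.rsa has no passphrase, the authorized_keys step above can be tightened so that the key only relays to Gerrit. The script below is an added example, not part of the original wiki page: it builds such an entry and lists entries that carry no restrictions. The function names are hypothetical, the sample key is constructed, and it assumes OpenSSH 7.2 or later on mystery (for the restrict option) with nc on its PATH.

```shell
#!/bin/sh
# Added example (not from the original page): limit what multihop.rsa may do
# on mystery. Assumes OpenSSH 7.2+ there (for "restrict") and nc on its PATH.

# make_hop_entry PUBKEY_LINE TARGET_HOST TARGET_PORT
# Prints an authorized_keys line that pins the key to the relay command.
make_hop_entry() {
    pubkey=$1 host=$2 port=$3
    nl='
'
    case $pubkey in
        *"$nl"*) echo "public key must be a single line" >&2; return 1 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # Keep quotes and shell metacharacters out of the forced command.
    case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    printf 'command="nc %s %s",restrict %s\n' "$host" "$port" "$pubkey"
}

# unrestricted_keys FILE
# Prints entries that start directly with a key type, i.e. carry no options
# and therefore grant a full login shell to whoever holds the private key.
unrestricted_keys() {
    grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) ' "$1" || true
}

# Constructed sample key (placeholder body, not a real key).
sample='ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTED SSH key for multi-hop for arcane'
make_hop_entry "$sample" gerrit.fd.io 29418
```

Appending the printed line to ~/.ssh/authorized_keys on mystery, in place of the raw public key, leaves the ProxyCommand from the config above working unchanged, while the key can no longer open a shell or forward other ports.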