Subversion for Configuration Managers - CollabNet 1.pdf · Basically version control – Repository...

1 Copyright ©2014 CollabNet, Inc. All Rights Reserved.

Click to edit Master title style

ENTERPRISE CLOUD DEVELOPMENT

Subversion for Configuration Managers Essential Concepts



What is software configuration management?

What will be covered in this course?

– Repository creation – Branch creation – Tag creation – Authorization – Hooks

Outline



• There are many different definitions of Software Configuration Management (SCM). Version control, Subversion in our case, forms the foundation of SCM, but it is larger than version control. Beyond version control, SCM solutions typically also include:

– Build management – Release management – Defect tracking – Configuration management and process automation

• The focus of this class is on just the aspects of software configuration management as they relate to version control alone.

What is Software Configuration Management?



Basically version control

– Repository layouts

– Branch and merge models

– Promotion models (i.e., tagging)

– Authorization

– Process automation through hooks

What will we cover in configuration management?



• Repository layouts – Access rules and ease of use are critical to successful use

• Branch and merge models – Isolation must be achieved when required and avoided when not required

• Promotion models (i.e., tagging) – Process improvement and auditability require tracking this data

• Authorization – Asset security is key when the asset is your company’s “crown jewels”

• Process automation through hooks – Automation brings consistency and ease of use, but there are trade-offs to consider

Why are these important?



Operational aspects of configuration management:

• How to create repositories, branches and tags

• How to implement authorization

• How to implement hooks

What will we cover in this deck?




Repository Creation



• This is an administrative operation not available to general users

• It must be executed on the repository server itself

• It requires write access to the location where the repository will be created

• The default filesystem backend is a flat file system (i.e., FSFS)

• All directories except for the final one in the repository path must exist prior to executing the create command

Repository creation

svnadmin create /repos/mydept/myrepo



svnadmin is a Subversion server utility used to/for:

– Create repositories – Load & dump – Hotcopy – Remove dead transactions – Modify commit log messages – Verify repository integrity – Change repositories unique identifiers (UUID)

svnadmin overview



• After you’ve: – Created your repository – Created any top level directories – Created branches, tags and trunk directories

• You may want to populate your repository with data you already have.

• Use import to copy an unversioned tree into your repository. – Note, this does not automatically convert the imported source tree into

a working copy – you still need to do a checkout or update.

• Use a migration tool (ex. cvs2svn.py) if data is coming from a legacy version control tool.

Importing data

$ svn import –m “Initial import” projectA https://repos/myrepo/trunk




Branch Creation



• A branch is an independent line of development, sharing a common history with other lines.

• A branch starts as a copy of another line and moves on from there, adding its own history.

• The trunk is a line of development, just like any branch.

• HEAD refers to the latest revision on the path being referenced.

What is a branch?



• Use copy to create a branch.

• Good version control hygiene is to keep the branches under a top-level directory.

Create a branch

$ svn copy http://example.com/svn/calc/trunk \ http://example.com/svn/calc/branches/my-calc \ -m "Create my-calc branch."




Tag Creation



• A tag is a snapshot of a particular version of a tree. – Human friendly name, e.g. “release-1.0”

• Common uses cases are. milestone builds, releases

– Commonly defined to be immutable (i.e., unchangeable); this can be enforced, but isn’t inherent

– Alternative to revisions for identifying a particular snapshot, e.g. “release-1.0” instead of r14298

• Tags can be: – Checked out, switched to, branched from

– Renamed, deleted, and restored

.

What is a tag?



Use copy to tag a revision

– Simple, common case: tagging a revision

– Complex case: tagging a mixed-revision, mixed-path working copy (e.g., to save state for bug reproduction)

Create a tag

$ svn copy http://example.com/svn/calc/trunk \ http://example.com/svn/calc/tags/release-1.0 \ -m "Create release-1.0 tag."

$ svn copy . http://example.com/svn/calc/tags/release-1.0 \ -m "Create release-1.0 tag."




Authorization


Click to edit Master title style The Two Aspects of Security

• Authentication – confirm who you are

• Authorization – confirm what you are allowed to do



• Authorization immediately and consistently follows authentication

• Authorization defines permissions or access rights on specific paths

• Logging into Subversion does not mean you have any permissions for what you want to do

Authorization = Permissions



Authorization implementation varies with the selection of the Subversion server:

• svnserve – Lightweight server custom to Subversion – Quick and easy to setup – Network protocol is stateful and noticeably faster (i.e., speed) – Password not passed over the network

• Apache – Heavyweight server in broad use for many purposes – More features (e.g., security, logging, built-in browsing, etc.) – Doesn’t require an additional port be opened – Repository can be mounted as a network drive (i.e., WebDAV)

Two choices for Subversion servers



Example to: – Allow read access for authenticated users, – No access for anonymous users, – Use a passwd database in the same directory and – Define a realm name

• repository-path/conf/svnserve.conf:

• repository-path/conf/passwd:

svnserve – Authentication and Authorization: ex. CRAM-MD5

[general] anon-access = none auth-access = read password-db = passwd realm = My First Repository authz-db = authzfile

[users] joeuser = joepassword jayrandom = randomjay



• httpd.conf:

• Example: mixed authenticated & anonymous access – Configure location in httpd.conf

Apache authorization

LoadModule dav_module modules/mod_dav.so LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /repos> DAV svn SVNParentPath /usr/local/svn AuthzSVNAccessFile /path/to/access/file Satisfy Any # Try anonymous access, resort to Require valid-user # real authentication if necessary. AuthType Basic AuthName "Subversion repository" AuthUserFile /path/to/users/file

</Location>



Standard authorization approach using two files: – AuthzSVNAccessFile /path/to/access/file:

– AuthzUserFile /path/to/users/file:

Apache – path based authorization

[calc:/projects/calc] @calc-developers = rw [calc:/branches/calc/bug-142] harry = rw sally = r

[groups] calc-developers = harry, sally, joe paint-developers = frank, sally, jane everyone = @calc-developers, @paint-developers


Click to edit Master title style svnserve & Apache – single file path based authorization

[groups] admin = john, kate devteam1 = john, rachel, sally devteam2 = kate, peter, mark docs = bob, jane, mike training = zak # Default access rule for ALL repositories # Everyone can read, admins can write, Dan is excluded. [/] * = r @admin = rw dan = # Allow developers complete access to their project repos [proj1:/] @devteam1 = rw [proj2:/] @devteam2 = rw [bigproj:/] @devteam1 = rw @devteam2 = rw trevor = rw # Give the doc people write access to all the docs folders [/trunk/doc] @docs = rw # Give trainees write access in the training repository only [TrainingRepos:/] @training = rw




Hooks


Click to edit Master title style Repository hooks - overview

What is a hook script? – Depending on the operating system, a hook can be any executable script

or program.

– It is a script or program triggered by a repository event: • Commits • Lock (and unlock) changes • Revision property changes

– Depending on the hook's output or return status, the hook program may continue the action, stop it, or suspend it in some way.


Click to edit Master title style Repository hooks – overview, cont’d

How do you create a hook script? – Write a program or script and name it the same as a provided template.

– Put this program or script into the REPO_HOME/hooks.

– Make sure it is executable.

Examples: – Commit mailing list.

– Checks, e.g. code beautifier, EOL styles, MIME types, whether commit message contains defect report ID.

– Allow/disallow modifying log messages, author, date.



Hooks currently supported:

– start-commit

– pre-commit

– post-commit

– pre-revprop-change

– post-revprop-change

– pre-lock

– post-lock

– pre-unlock

– post-unlock

Supported hook scripts


Click to edit Master title style Start-commit vs. pre-commit hooks

• Start-commit hook: – If the hook program exits with success, the commit process continues. – If it exits with failure (non-zero), the commit is stopped immediately

after a Subversion transaction is created and STDERR is returned to the client.

– At this point the transaction properties (not Subversion versioned or revision properties) are available to determine client system settings (e.g., the Subversion version of the client).

• Pre-commit hook: – If the hook program exits with success, the transaction may be

committed. – If it exits with failure (non-zero), the commit is stopped right before the

Subversion transaction is executed and STDERR is returned to the client.



• Pre-commit hook

• Post-commit hook

Hook script templates

REPOS="$1" TXN="$2" # Make sure that the log message contains some text. SVNLOOK=/usr/local/bin/svnlook $SVNLOOK log -t "$TXN" "$REPOS" | \ grep "[a-zA-Z0-9]" > /dev/null || exit 1 # Check that the author of this commit has the rights to perform # the commit on the files and directories being modified. commit-access-control.pl "$REPOS" "$TXN" commit-access-control.cfg || exit 1 # All

REPOS="$1" REV="$2" mailer.py commit "$REPOS" "$REV" /path/to/mailer.conf


Click to edit Master title style Hook considerations

• You should not attempt to modify transactions with a hook script.

– For example, trying to automatically set ‘svn: eol-style’ property using a hook script. The main problem is that there is no way to tell the originating client that it is out of date. Instead, run a pre-commit hook script to check for the property/setting and reject if needed. Better yet, use the svn:auto-props inherited property to assign the initial property and setting based on file pattern.

• The Subversion users do NOT have any visibility on hooks being executed.

• Errors generated in a hook are not logged in the typical Subversion or Apache logs.

• One needs to consider redirecting hook output to an existing log file or a special hook log file.

• A hook should check status each time a logic block is processed within a hook.


Click to edit Master title style Hook considerations, cont’d

• Consider using a start-commit hook to validate system functionality.

• Consider using dos to Unix scrubbers to remove any \m or unwanted control characters.

• Consider emailing the user when an error occurs in a hook, to aid in trouble-shooting.

• Consider standardizing all hooks if using multiple repositories.

• Use svnlook in conjunction with hooks to evaluate logic blocks.



svnlook

– Examines revisions and transactions.

– Read-only, does not modify the repository.

– Typically used:

• By hooks to report what is about to be committed or just committed.

• By administrators for diagnostics.

svnlook overview


Click to edit Master title style • Synopsis

– svnlook SUBCOMMAND REPOS_PATH [ARGS & OPTIONS ...]

• Subcommands: – Author – Cat – Changed – Date – Diff – dirs-changed – History – Info – Lock – Log – propget (pget, pg) – proplist (plist, pl) – Tree – Uuid – youngest:

svnlook command

$ svnlook youngest /var/svn/repos/calc 19



• Integrate svnlook into hooks to evaluate Subversion logic blocks

• Example from the pre-lock hook:

Hook scripts – integrate svnlook

SVNLOOK=/usr/local/bin/svnlook GREP=/bin/grep SED=/bin/sed LOCK_OWNER=`$SVNLOOK lock "$REPOS" "$PATH" | $GREP '^Owner: ' | $SED 's/Owner: //'` # If we get no result from svnlook, there's no lock, allow the lock to # happen: if [ "$LOCK_OWNER" = "" ]; then exit 0 fi # If the person locking matches the lock's owner, allow the lock to # happen: if [ "$LOCK_OWNER" = "$USER" ]; then exit 0 fi # Otherwise, we've got an owner mismatch, so return failure: echo "Error: $PATH already locked by ${LOCK_OWNER}." 1>&2 exit 1



• The following are locations where you can find some prewritten hook scripts: – http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/ – http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/

• In your hooks directory you will find a .tmpl file with each of the event names, if you want to enable one of the hooks, copy the template file (without the .tmpl extension) and make it executable.

• On Windows you need to rename the .tmpl file with an extension that is executable by windows such as an exe or bat file.

Hook scripts – hook tips

http://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/




http://svn.apache.org/repos/asf/subversion/trunk/contrib/hook-scripts/





• For security reasons, the Subversion executes hook programs with an empty environment, that is, no environment variables are set at all, not even $PATH.

– If hooks will use a common environment, Subversion allows for a server-side configuration file to define the common variables with options to allow mod_dav_svn and svnserve to point to that file.

– If a hook has unique environment needs, be sure to explicitly set any necessary environment variables in your hook program and/or use absolute paths to programs.

• If you are on Windows, you may have limited permissions and none of the network drives mapped for your script’s user.

• Hooks don't execute from the hooks folder.

Hook scripts – hook tips, Cont’d




Thank You




About CollabNet CollabNet is a leading provider of Enterprise Cloud Development and Agile ALM products and services for software-driven organizations. With more than 10,000 global customers, the company provides a suite of platforms and services to address three major trends disrupting the software industry: Agile, DevOps and hybrid cloud development. Its CloudForge™ development-Platform-as-a-Service (dPaaS) enables cloud development through a flexible platform that is team friendly, enterprise ready and integrated to support leading third party tools. The CollabNet TeamForge® ALM, ScrumWorks® Pro project management and SubversionEdge source code management platforms can be deployed separately or together, in the cloud or on-premise. CollabNet complements its technical offerings with industry leading consulting and training services for Agile and cloud development transformations. Many CollabNet customers improve productivity by as much as 70 percent, while reducing costs by 80 percent.

For more information, please visit www.collab.net.

http://www.collab.net/




© 2014 CollabNet, Inc., All rights reserved. CollabNet is a trademark or registered trademark of CollabNet Inc., in the US and other countries. All other trademarks, brand names, or product names belong to their respective holders.

CollabNet, Inc. 4000 Shoreline Court Suite 300 South San Francisco, CA 94080 USA www.collab.net +1-650-228-2500 +1-888-778-9793 blogs.collab.net twitter.com/collabnet www.facebook.com/collabnet www.linkedin.com/company/collabnet-inc

http://www.collab.net/

http://www.facebook.com/collabnet

http://www.linkedin.com/company/collabnet-inc



http://www.facebook.com/collabnet


Subversion for Configuration Managers - CollabNet 1.pdf · Basically version control – Repository...

Documents

Transcript of Subversion for Configuration Managers - CollabNet 1.pdf · Basically version control – Repository...