Set up CVS access

From ATLAS-TRIUMF

Jump to: navigation, search

[edit] Running Athena Outside CERN: Setting up CVS Access

[edit] SSH Method (works without AFS):

(this page originally stolen from this one)

For more information, see the Official CERN page

Setting Up SSH Keys

Note that CVS at CERN is now using Protocol 2. If you followed the old Protocol 1 procedure, you should pay particular attention to the steps in italics, and re-do them...

Introduction To checkout from the cern atlas software repository you need to have ssh keys configured so that you don't need to enter the password every time you checkout a package. Basically the procedure you are going to follow involves setting up public/private RSA key combinations to do an authentication when you checkout from the Atlas cvs repository. Luckily you don't need to understand anything about how it all works to set it up.

The Procedure The following procedure is adapted directly from the CERN IT Department webpage for our machines at TRIUMF.

  • Log on to the computer you want to check out atlas software from (i.e. your SL3 desktop)
  • If you already have your RSA key (formerly RSA1) generated (most probably ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, formerly ~/.ssh/identity and ~/.ssh/identity.pub files), skip the next two commands. Otherwise, generate the key, saving it in the default location with no passphrase:
    • mkdir -p ~/.ssh
    • ssh-keygen -t rsa (formerly ssh-keygen -t rsa1)
  • Copy the public key (~/.ssh/id_rsa.pub, formerly ~/.ssh/identity.pub) to your AFS home directory at CERN
    • scp ~/.ssh/id_rsa.pub USERNAME@lxplus.cern.ch:~
    • Log on to LXPLUS and run the following (Note you must do this because you need to have links from ~/.ssh to ~/public/ for the public portion of your keys): 
 '''/afs/cern.ch/project/cvs/dist/bin/set_ssh'''

(do it again if you are switching from rsa1 to rsa!) Note that the very first time you do this, you may get a lot of messages which look like errors, saying that directories do not exist. These are actually just warnings. You can ignore them as long as you can do the next step without difficulty.

  • Add the PUBLIC key you copied in 3. in your ~/.ssh/authorized_keys file with the following command:do
    • $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys (do this for upgrade to RSA as well)
  • As you probably realized, when you login on LXPLUS without providing your password, you don't have AFS and Kerberos tokens. In order to be asked for the password while connecting to LXPLUS and not to be asked for it for CVS connections, create ~/.ssh/config file on your your Linux/Unix machine, and put the following contents in it: 
Host lxplus.cern.ch lxplus
Protocol 2
PubkeyAuthentication no
PasswordAuthentication yes

#Host atlas-sw.cern.ch atlas
#Protocol 1
#IdentityFile ~/.ssh/identity
Host isscvs.cern.ch isscvs
Protocol 2
IdentityFile ~/.ssh/id_rsa
PubkeyAuthentication yes
PasswordAuthentication no
ForwardX11 no
  • You can skip the comment lines ("#") if you are setting up fresh, they are left as a guide to people upgrading from RSA1.
  • Set permissions with
    • chmod 644 ~/.ssh/config
  • Now try the two commands:
    • ssh USERNAME@lxplus.cern.ch
    • ssh USERNAME@isscvs.cern.ch (was ssh USERNAME@atlas-sw.cern.ch)
  • The first call to ssh will prompt for a password, while the second one won't (which was the purpose).
  • Setup your CVSROOT environment to point at the Atlas cvs server
    • export CVSROOT=':ext:USERNAME@isscvs.cern.ch:/atlascvs' (note that this was "export CVSROOT=':ext:USERNAME@atlas-sw.cern.ch:/atlascvs'" and if you try to mix the two repositories, i.e. check out a package from the new one on top of one you have already checked out from the old one, it won't work. On the other hand, the old one will still work with the new credentials, at least for now, so you may want to leave this line the way it was if you are working with an old TestArea...)
    • export CVS_RSH='ssh'
  • Note that if you already had CVSROOT set for something else that you will be changing it.

(Thank you to Louis Poncet (IT/GD) for the idea of the config file.)

[edit] Klog Method (only if you run AFS locally)

(this method stolen from here with help from Asoka)

  • First you have to edit /etc/krb.conf and /etc/krb.realms to make sure they know about CERN.CH:

I stole this part from here. /etc/krb.conf needs these lines added: 

CERN.CH
CERN.CH afsdb1.cern.ch
CERN.CH afsdb3.cern.ch
CERN.CH afsdb2.cern.ch

and /etc/krb.realms needs 

.cern.ch CERN.CH
.wgs.cern.ch CERN.CH
.plus.cern.ch CERN.CH

and for some reason even though you will use Kerberos 4, you should add to the realms section of /etc/krb5.conf: 

 CERN.CH = {
  default_domain = cern.ch
  kpasswd_server = afskrb5m.cern.ch
  admin_server = afskrb5m.cern.ch
  kdc = afsdb1.cern.ch
  kdc = afsdb2.cern.ch
  kdc = afsdb3.cern.ch

  v4_name_convert = {
     host = {
         rcmd = host
     }
  }
 }

and to the domain_realm section you must add: 

 .cern.ch = CERN.CH
  • [prompt]$ /usr/kerberos/bin/kinit -4 your_CERN_ID@CERN.CH 
 Password for itrigger@CERN.CH:
  • [prompt]$ /usr/kerberos/bin/klist
  • Update the value of CVSROOT to include your CERN USERID (and it seems to be still atlas-sw.cern.ch, not isscvs.cern.ch as for ssh):

export CVSROOT=':kserver:USERNAME@atlas-sw.cern.ch:/atlascvs'

  • now I can check out packages

--Isabel 14:18, 21 September 2007 (PDT) (update)

--Isabel 11:17, 25 Aug 2005 (PDT)

--Isabel 14:47, 1 March 2007 (PST) (update)

--Isabel 11:13, 10 May 2007 (PDT)

Retrieved from "http://www.triumf.info/wiki/atlas-triumf/index.php/Set_up_CVS_access"
Personal tools