Category Archives: Conary

Managing SSH keys with Conary

Since we “eat our own dogfood” here at rPath, IT does use a Platform-as-a-Service model.

They maintain their own platform that contains all the bits required on all the systems, a baseline. As a consumer of the platform, all I have to do is add my own software.

In this case, I was basing my Jira product on IT’s custom platform.

IT wants their standard SSH keys (for their own access, as well as for automated backups) on all their machines. But I also want SSH access (and my SSH key) on my appliance. Since a single file such as /root/.ssh/authorized_keys cannot be owned by more than one package, Conary’s tag handlers come to the rescue!

Foresight’s development branch now has an ssh-keys package that allows you to manage multiple sources for your ssh keys.

To manage your keys with Conary, all you need to do is drop your SSH public keys in /etc/ssh/keys.d/<username>/<somename>.pub within a Conary package that has a build requirement on ssh-keys:runtime (so that the file is properly tagged).

When the file gets installed, ssh-keys’ tag handler will append the file to the user’s authorized_keys file, thus granting you access.

Key removal is not yet done, although it would not be hard at all to implement.
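To make the mechanism above concrete, here is an added example, not the ssh-keys package's own tag handler: it gathers every *.pub fragment under a keys.d directory for one user, validates and de-duplicates the key lines, and rewrites that user's authorized_keys atomically with mode 0600. It goes one step beyond the current package by keeping the keys inside a marked block, so that a fragment disappearing from keys.d (the removal case not yet handled) also disappears from authorized_keys, while keys the user added by hand outside the block survive. The directory and file paths are parameters (the demo runs on a temporary directory), and all key material in it is constructed, not real.

```python
"""Added example (not Conary's or Foresight's ssh-keys code): rebuild a user's
authorized_keys from the fragments in /etc/ssh/keys.d/<username>/*.pub.
Paths are parameters so the example can run against a temporary directory."""
import os
import re
import tempfile
from pathlib import Path

BEGIN = "# BEGIN keys.d managed block"
END = "# END keys.d managed block"

# A fragment is expected to be plain ssh-keygen output: "<type> <base64 blob> [comment]".
# Lines with option prefixes (command=, from=, ...) or junk are rejected so that a bad
# fragment cannot lock the user out or smuggle options into authorized_keys.
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_pub_lines(text):
    """Return the well-formed public-key lines from one .pub fragment."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 2 or not KEY_TYPE.match(fields[0]) or not B64.match(fields[1]):
            continue  # skip malformed lines instead of poisoning authorized_keys
        keys.append(line)
    return keys


def collect_keys(keys_dir):
    """Gather unique keys from every *.pub under keys_dir, in sorted order for determinism."""
    seen, keys = set(), []
    for pub in sorted(Path(keys_dir).glob("*.pub")):
        for key in parse_pub_lines(pub.read_text()):
            ident = tuple(key.split(None, 2)[:2])  # type + blob identify a key; comment ignored
            if ident not in seen:
                seen.add(ident)
                keys.append(key)
    return keys


def render(existing, keys):
    """Replace (or append) the managed block; lines outside it are left untouched."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        b, e = lines.index(BEGIN), lines.index(END)
        before, after = lines[:b], lines[e + 1:]
    else:
        before, after = lines, []
    return "\n".join(before + [BEGIN] + keys + [END] + after) + "\n"


def sync_authorized_keys(keys_dir, authorized_keys):
    """Rewrite authorized_keys via a temp file + rename, mode 0600; returns the managed keys."""
    ak = Path(authorized_keys)
    existing = ak.read_text() if ak.exists() else ""
    keys = collect_keys(keys_dir)
    ak.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=ak.parent, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as f:
        f.write(render(existing, keys))
    os.chmod(tmp, 0o600)
    os.replace(tmp, ak)  # atomic: sshd never sees a half-written file
    return keys


def demo():
    """Constructed scenario: IT's backup key plus mine are installed; then my fragment is
    removed and a junk file appears in keys.d. Key blobs below are made up, not real keys."""
    with tempfile.TemporaryDirectory() as root:
        keys_dir = Path(root, "etc/ssh/keys.d/root")
        keys_dir.mkdir(parents=True)
        ak = Path(root, "root/.ssh/authorized_keys")
        ak.parent.mkdir(parents=True)
        ak.write_text("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLOCALLYADDED local@host\n")
        (keys_dir / "it-backup.pub").write_text(
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITBACKUPKEYEXAMPLE backup@it\n")
        (keys_dir / "misa.pub").write_text(
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMISAKEYEXAMPLE misa@rpath\n")
        first = sync_authorized_keys(keys_dir, ak)
        (keys_dir / "misa.pub").unlink()  # package providing my key was erased
        (keys_dir / "junk.pub").write_text("this is not a key\n")
        second = sync_authorized_keys(keys_dir, ak)
        final = ak.read_text()
    return first, second, final


if __name__ == "__main__":
    print(demo()[2])
```

Running the tag handler on every install and erase of a fragment keeps authorized_keys a pure function of keys.d, which is what makes removal trivial; the hand-added key outside the block is the one thing the handler deliberately does not own.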

The wonderful world of PGP

In case you’re wondering what I’ve been up to lately, here’s a quick overview.

Aside from the weekly Conary releases and the regular bug fixes, I’ve been busy trying to make Conary no longer depend on gnupg. As dumb as this sounds (re-implementing gnupg), it gives us several advantages, one of them being the ability to customize the trust model to our liking. The lack of a good way to tie into gnupg (other than invoking the gpg binary) is another good reason.

Look for the new code in Conary 2.0.

The long road to Conary 1.2

Conary 1.2 is finally out!

We are very excited; I think this is a great achievement for Conary. It packs three months of behind-the-scenes work on several new features and a ton of bug fixes, done while we were maintaining the former stable Conary 1.1 branch. The release announcement is pretty long as a result.

Many thanks to the Foresight community, who agreed to try some early releases and provided valuable feedback (not to mention uncovering those minor things that we like to call undiscovered features, for lack of a better term :-) ).

Adventures with SCons

I’ve been playing with SCons for the past couple of days. It’s intended to be a replacement for Make, and probably sounds similar enough to Ant or Maven, for those familiar with those tools from the Java world.

It’s pretty powerful in that it lets you use the stock builders or build your own builders (and nodes!) too. It also allows you to write custom “freshness checks”. make usually decides whether a node is out of date by comparing the timestamps of the source and target nodes. This can get you in trouble when using CVS, for instance, because clocks are not synchronized. It’s also not very useful when what you build doesn’t live on the filesystem.
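The two failure modes of timestamp checking mentioned above are easy to reproduce. The following is an added example written for this page, not SCons code or a SCons API: it implements make's mtime rule and a content-digest rule side by side, then runs them over a constructed checkout whose timestamp is skewed first forward (clock ahead, file unchanged) and then backward (real edit, stale stamp). Only the digest-based decider gets both cases right, which is why SCons defaults to content signatures rather than timestamps.

```python
"""Added example (not SCons code): two "freshness checks" for a target built from one source."""
import hashlib
import os
import tempfile
from pathlib import Path


def out_of_date_by_mtime(source, target):
    """make's rule: rebuild when the target is missing or older than the source."""
    if not os.path.exists(target):
        return True
    return os.stat(source).st_mtime > os.stat(target).st_mtime


def digest(path):
    """Content signature of a file; what a content-based decider stores per build."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def out_of_date_by_content(source, target, sigdb):
    """Content rule: rebuild when the source digest recorded at the last build differs."""
    if not os.path.exists(target):
        return True
    return sigdb.get(str(target)) != digest(source)


def build(source, target, sigdb):
    """Stand-in for a compiler: transform the source and record its signature."""
    Path(target).write_bytes(Path(source).read_bytes().upper())
    sigdb[str(target)] = digest(source)


def demo():
    """Constructed scenario: a CVS-style checkout re-stamps an unchanged file one hour
    ahead, then a real edit arrives carrying a timestamp older than the target."""
    with tempfile.TemporaryDirectory() as d:
        src, tgt = Path(d, "hello.c"), Path(d, "hello.o")
        src.write_text("int main(void) { return 0; }\n")
        sigdb = {}
        build(src, tgt, sigdb)

        # Case 1: clock skew. Same bytes, mtime jumps into the future.
        future = os.stat(src).st_mtime + 3600
        os.utime(src, (future, future))
        skew_mtime = out_of_date_by_mtime(src, tgt)             # spurious rebuild
        skew_content = out_of_date_by_content(src, tgt, sigdb)  # correctly up to date

        # Case 2: real change with a stale timestamp (older than the target).
        src.write_text("int main(void) { return 1; }\n")
        past = os.stat(tgt).st_mtime - 3600
        os.utime(src, (past, past))
        edit_mtime = out_of_date_by_mtime(src, tgt)             # missed rebuild
        edit_content = out_of_date_by_content(src, tgt, sigdb)  # correctly stale
    return skew_mtime, skew_content, edit_mtime, edit_content


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The missed-rebuild case is the one that matters for integrity: a build that silently ships the old object for a changed source is a reproducibility problem, not just a slow one, and a content signature is the check that catches it.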

I will post some examples shortly. I am currently creating nodes for Mercurial checkouts and they work pretty well. CVC (Conary) nodes will follow shortly.

And yes, it’s written in Python…

What I’ve been up to

It’s been a while since my last post, so here’s what’s been going on.

  • Very busy working on Conary (though still not making progress fast enough through my issues list).
  • Speaking of that, I’ve reached the respectable 6 months with rPath.
  • Moved over the weekend.
  • Packaged gnucash 2.1.0 – and hit some guile issues in the process. Hopefully will finish tomorrow.
  • Does “April 17th” tell you something?
  • Before moving, a bunch of repairs had to be made – that is where all my spare time went.
  • Ran an orienteering event at the Schenck forest (and I missed a bunch of controls). Got to cross a 20-ish-ft river over a rotten log 3 times before the heavy rain started. I was completely soaked when I finished. But it was fun.
  • Did not run as much lately because of my evenings being “a different workout”.

The Mercurial Plugin for Jira (or Read the Code, Luke)

As Matt (the author of the Mercurial plugin for Jira) pointed out in his comment, there was an issue with the permissions for the plugin. Seemingly random people were able to see the Mercurial Commits tab, and all along I thought I messed something up when I ported the plugin from Jira 3.6.2 to Jira 3.6.5 and then to Jira 3.7. (Yes, I know Jira 3.8 is out, we didn’t schedule the migration yet).

Lately I’ve been busy closing bugs in Conary land, and haven’t had the time to go back and investigate what’s going on. Last week I finally decided I should look at the code – and it became very obvious. There is a View Version Control permission that controls who can see what, and it turned out only a few groups were granted that permission. We’ve only allowed access to commits to internal users for now, but that may change in the future.

Also, yesterday I noticed that Jira was not indexing the Mercurial repositories anymore. As usual, catalina.out is full of useless messages, so reading the code again pointed out that I got the configuration wrong. Funny that it worked at all. Turns out hg.clonedir.idx is indeed supposed to be the top directory where your Mercurial clones live, not the directory where you cloned a single repository; that one is derived from the URL. Doh!

Simplicity at its best

In the process of fixing a bug in Conary, I got to play with derived packages. Erik Troan posted a description of derived packages in his blog. If you longed for the ability to change just one file in a shipped piece of software without going through the process of recompiling everything, this is a very nice answer. The feature is still experimental, but by all means try it and report back any problems you see.

Random bits

Apparently I didn’t get in the habit of blogging short entries often.

Today liferea notified me there is a new release of WordPress that I should upgrade, so I figured I might as well post something.

First off, liferea is slowly becoming a habit. I use it to track announcements about new software (see paragraph above), keep in touch with my friends, read news from ./ and some other news sites. To the point that I now have to see how I can replicate the feeds on all of my computers. Maybe I should try a news reader from yahoo.

A lot of exciting things happened. We’ve finished upgrading rPath’s issue tracker, Jira, to the latest version. And we did it in an eat-your-own-dogfood way: it’s a software appliance living on a Xen machine, as a domU. I was involved in this initially just for the Mercurial plugin for Jira, but figured we might as well go to the latest version of Jira. I had to fix several other plugins that were broken by API changes (yes, I wish you didn’t have to touch plugins to make them work on newer versions). It’s pretty cool: if you reference a Jira issue in your Mercurial commit message, it will get indexed by Jira and linked to the issue (viewable as the Mercurial Commits tab). This link is an example.

The software appliance lets you isolate the application from the base operating system, and it makes it trivial to update it. No mess left on the host operating system either. I know package managers are supposed to help there; I’ve been installing rpm packages for almost 10 years now, trying to achieve that. But the very moment you deploy the system in a production environment, you know things get installed that you didn’t plan for. Conary helps a lot here.

I am looking forward to version 0.45 of Inkscape to land in Foresight. The screenshots look awesome. Ken promises he’ll have it committed in a couple of hours. It’s very nice to have the latest and greatest software, and Foresight is doing a great job there. A big thanks to the Foresight community and to Ken for making Foresight a great distribution – which DistroWatch reviewed yesterday.

On the personal front, we’ve been unhappy with my daughter’s school (or maybe looking for a reason to move into a larger home). At any rate, we’re in negotiations for the repairs the seller has to perform before we close. This is exciting. Except for the hour I spent today with the heating technician inspecting the gas pack in a chilly 18 degrees Fahrenheit. And for the amount of siding that has to be fixed. Hopefully we’ll get to an agreement on this. But I had to spend a lot of time on the phone with lenders, insurance agencies, inspectors, real estate agents and such.