Server Tutorial

The server tool is called sglserver and is to be run by the superuser (root) only.

The client uses SSH key challenge-response authentication to access the server repository. For security reasons, the server-side repository is owned by a special account, sglserver, whose login shell is git-shell, so all operations are restricted to Git repository operations. The record of the account in the password database should look like this:

[root@rawhide /]# getent passwd sglserver
sglserver:x:500:500:Sandglass Server:/var/lib/sandglass/server:/usr/bin/git-shell

The server has to be configured to allow public key authentication. The following option should be enabled in /etc/ssh/sshd_config (if you are using OpenSSH):

PubkeyAuthentication yes

Initializing the repository

The server repository can be initialized with the sglserver init command. The --force option allows reinitializing an already initialized repository; this removes the history of all clients. Note that the authorized_keys file is not affected (see the following subsections).

[root@rawhide ~]# sglserver init
Initialized Sandglass Server repository.
[root@rawhide ~]# sglserver status
# List of synchronized clients
# client        last rev.  date

Adding clients

To enable synchronization of a client on the server, the client's SSH key (generated specifically for Sandglass) has to be transferred onto the server. This can be done manually by appending the content of the client's /var/lib/sandglass/client_key.pub to /var/lib/sandglass/server/.ssh/authorized_keys on the server. Make sure that the permissions are set correctly (mode 0600, correct owner).
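One way to script the manual step above, as an added example that is not part of Sandglass: the function appends the client's key line to authorized_keys only once, refuses input that does not look like a single public key, and enforces the mode and owner the tutorial requires. The paths and the sglserver account come from this page; the function name is made up.

```shell
# Added example, not part of Sandglass: register one client key on the server.
# Usage: add_client_key CLIENT_KEY_PUB AUTHORIZED_KEYS [OWNER]
#   e.g. add_client_key /root/f14_client_key.pub \
#          /var/lib/sandglass/server/.ssh/authorized_keys sglserver
add_client_key() {
  key_file=$1; auth_keys=$2; owner=${3:-sglserver}
  # client_key.pub holds exactly one line: "<type> <base64 blob> [comment]".
  if [ "$(grep -c '' "$key_file")" -ne 1 ]; then
    echo "refusing: $key_file must contain exactly one key line" >&2; return 1
  fi
  key=$(head -n 1 "$key_file")
  set -f; set -- $key; set +f      # split into fields without globbing: $1 type, $2 blob
  case "$1" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "refusing: unsupported key type '$1'" >&2; return 1 ;;
  esac
  [ -n "$2" ] || { echo "refusing: no key data after the type" >&2; return 1; }
  blob=$2
  auth_dir=$(dirname "$auth_keys")
  mkdir -p "$auth_dir" && chmod 0700 "$auth_dir"
  touch "$auth_keys"
  # The blob (second field) identifies the key, so a re-run, or the same key with a
  # different comment, does not add a duplicate line.
  if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$auth_keys"; then
    echo "already present"
  else
    printf '%s\n' "$key" >> "$auth_keys"
    echo "added"
  fi
  chmod 0600 "$auth_keys"
  # Hand the files to the service account where it exists (it will on a real
  # server, but not in an ad-hoc test directory).
  if getent passwd "$owner" >/dev/null 2>&1; then
    chown "$owner" "$auth_dir" "$auth_keys"
  fi
}
```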

Showing status

The status of synchronized clients, with their last revision and the date of their last synchronization, can be obtained with the sglserver status command.

[root@rawhide ~]# sglserver status
# List of synchronized clients
# client        last rev.  date
f14             2b6e9bc    2011-05-17 08:37:05
rawhide         035f19c    2011-05-16 20:03:24

Comparing history

The server tool has the same set of commands as the client tool. In some cases the client name has to be specified; it is derived from the client's system hostname.

[root@rawhide ~]# sglserver log f14
a46e82c 2011-05-17 12:38:06 +0200 - yum(post) autocommit: @sgltest
77ac3a9 2011-05-17 11:32:19 +0200 - initial import of /etc

Showing the content of a commit works the same way as in the client tool.

[root@rawhide ~]# sglserver show f9bd6d1
commit f9bd6d1f21ec2e4a388d2f7b947fe8e72d4da957
Author: root (rawhide) <root@rawhide>
Date:   Wed May 18 10:01:56 2011 +0200

    yum(post) autocommit: @sgltest-noreplace

diff --sgl a/etc/sgltest-noreplace.conf b/etc/sgltest-noreplace.conf
index f5219a0..a977d63 100644
mode 0644 0644
owner root:root root:root
context system_u:object_r:etc_t:s0 system_u:object_r:etc_t:s0
--- a/etc/sgltest-noreplace.conf
+++ b/etc/sgltest-noreplace.conf
@@ -1 +1 @@
-sgltest-noreplace-1.0-2.fc16
+sgltest-noreplace-1.0-1.fc16

The following demonstrates showing a difference in /etc/openldap/ldap.conf between two synchronized clients.

[root@f14 sandglass]# sglserver status
# List of synchronized clients
# client        last rev.  date
f14             2b6e9bc    2011-05-18 08:37:05
rawhide         f9bd6d1    2011-05-18 10:01:56
[root@f14 sandglass]# sglserver diff 2b6e9bc f9bd6d1 --files /etc/openldap/ldap.conf
diff --sgl a/etc/openldap/ldap.conf b/etc/openldap/ldap.conf
index a94cfaa..c2cefeb 100644
mode 0644 0644
owner root:root root:root
context - system_u:object_r:etc_t:s0
--- a/etc/openldap/ldap.conf
+++ b/etc/openldap/ldap.conf
@@ -5,7 +5,7 @@
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.

-#BASE  dc=example,dc=com
+BASE   dc=rawhide,dc=com
 #URI   ldap://ldap.example.com ldap://ldap-master.example.com:666

 #SIZELIMIT     12

(Some improvements in revision specification on the server side are planned.)
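The mode, owner and context headers in the output above are what distinguish the sgl diff format from plain Git diffs. The following added example, not part of Sandglass, pulls those headers out of an sglserver diff or show stream so that metadata-only changes in /etc (a loosened mode, a new owner, a relabeled file) are not overlooked among the content hunks. The sample input is constructed from this page's ldap.conf hunk plus a made-up second file.

```shell
# Added example, not part of Sandglass: list every file in a `diff --sgl` stream whose
# mode, owner or SELinux context changed, whether or not its content changed.
# Reads the diff on stdin; prints "path field old -> new" per change.
sgl_meta_changes() {
  awk '
    /^diff --sgl / { file = $4; sub(/^b\//, "", file); next }
    # The three metadata headers carry "<old> <new>"; a bare "-" means unset.
    /^(mode|owner|context) / && $2 != $3 {
      printf "%s %s %s -> %s\n", file, $1, $2, $3
    }
  '
}

# Constructed sample: the ldap.conf hunk from this page plus a second, made-up
# file whose content is unchanged but whose mode was loosened.
SAMPLE_DIFF='diff --sgl a/etc/openldap/ldap.conf b/etc/openldap/ldap.conf
index a94cfaa..c2cefeb 100644
mode 0644 0644
owner root:root root:root
context - system_u:object_r:etc_t:s0
--- a/etc/openldap/ldap.conf
+++ b/etc/openldap/ldap.conf
@@ -5,7 +5,7 @@
 # See ldap.conf(5) for details
-#BASE  dc=example,dc=com
+BASE   dc=rawhide,dc=com
diff --sgl a/etc/sgltest-noreplace.conf b/etc/sgltest-noreplace.conf
index a977d63..a977d63 100644
mode 0644 0666
owner root:root root:root
context system_u:object_r:etc_t:s0 system_u:object_r:etc_t:s0'

# Typical use on a live server:  sglserver diff 2b6e9bc f9bd6d1 | sgl_meta_changes
# Run on the constructed sample:  printf '%s\n' "$SAMPLE_DIFF" | sgl_meta_changes
```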

Deleting clients

Any client's history can be deleted using the sglserver delete command. Note that you have to remove the client's key from authorized_keys manually.

[root@rawhide ~]# sglserver delete rawhide
History of client 'rawhide' sucessfully removed.
[root@rawhide ~]# sglserver status
# List of synchronized clients
# client        last rev.  date
f14             2b6e9bc    2011-05-17 08:37:05

Transferring the changes between machines

Transferring changes between clients will be handled by the sglserver pick command. Unfortunately, this is not implemented at the moment. Git has problems with cherry-picking patches when working with a bare repository (one without a working tree). Picking the changes would mean doing a local checkout that copies the whole history of both clients, then transferring the change, merging back into the repository and syncing with the clients. This is not a very comfortable solution and it is also quite slow. It will be implemented later together with the Marahari Agent on the server side, which will allow transferring the patch directly to the client and applying it there.

[root@rawhide ~]# sglserver pick client commit
ERROR: NotImplementedError.

Resolving issues

If you have issues with key authentication, take a look into /var/log/audit/audit.log. Your authorized_keys file may have invalid permissions. Another possibility is that SELinux prevents the SSH server from accessing the file. This is likely if you have SELinux in enforcing mode: as the sglserver home directory is a nonstandard path, the files are not labeled automatically as expected. In Fedora, such issues are usually resolved in the selinux-policy package by adding new rules after the package is included in the distribution. For the moment, the easiest workaround is setting SELinux into permissive mode. This can be done with the following command:

[root@rawhide ~]# setenforce 0
[root@rawhide ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 25
Policy from config file:        targeted
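To tell the two causes named above apart before changing the SELinux mode, here is an added example that is not part of Sandglass: one function checks the mode and owner of authorized_keys, the other picks the AVC denials raised against sshd out of audit.log. The audit excerpt is constructed (pids, inodes, timestamps and the 192.0.2.14 address are made up); the function names are mine.

```shell
# Added example, not part of Sandglass: check the two causes named above before
# touching the SELinux mode. Each function prints one line per finding and nothing
# when it finds no problem.

# Is FILE a regular file with mode 0600, owned by the expected account?
# Usage: check_authorized_keys FILE [OWNER]   (OWNER defaults to sglserver)
check_authorized_keys() {
  f=$1; want_owner=${2:-sglserver}
  if [ ! -f "$f" ]; then echo "missing: $f"; return 0; fi
  set -- $(ls -ld "$f")                    # $1 = mode string, $3 = owner
  mode=$(printf '%s' "$1" | cut -c1-10)    # drop the SELinux "." or ACL "+" suffix
  [ "$mode" = "-rw-------" ] || echo "mode: $f is $mode, want -rw------- (0600)"
  [ "$3" = "$want_owner" ] || echo "owner: $f is owned by $3, want $want_owner"
  # On an SELinux host, compare `ls -Z FILE` with the label of a working ~/.ssh.
  return 0
}

# Which AVC denials in the audit log were raised against sshd? The tcontext field
# of such a line is the label sshd was not allowed to access.
# Usage: sshd_avc_denials /var/log/audit/audit.log
sshd_avc_denials() {
  grep -E '^type=AVC .*avc: +denied .*comm="sshd"' "$1"
  return 0                                 # no match is the clean result
}

# Constructed audit.log excerpt (pids, inodes and timestamps are made up):
# a failed pubkey login, the sshd denial behind it, and an unrelated denial.
SAMPLE_AUDIT=$(cat <<'EOF'
type=USER_AUTH msg=audit(1305700000.101:201): user pid=2201 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=pubkey acct="sglserver" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.14 terminal=ssh res=failed'
type=AVC msg=audit(1305700000.102:202): avc:  denied  { read } for  pid=2201 comm="sshd" name="authorized_keys" dev=dm-0 ino=131085 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1305700000.103:203): avc:  denied  { read } for  pid=1150 comm="httpd" name="index.html" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
)
```

On a real server the calls are `check_authorized_keys /var/lib/sandglass/server/.ssh/authorized_keys` and `sshd_avc_denials /var/log/audit/audit.log`; the sample is there so the functions can be tried without a Sandglass host.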