Accessing a SVN repository

A project hosted in the Central SVN Service can be accessed in many ways: using SVN clients on Linux/Unix systems or Windows platform, or via read-only web interfaces. For all recommended, secure read-write access methods, you must have a CERN account. If you do not have one, please contact your supervisor or group administrator to request such an account. For any additional information about account creation, please write to Service-desk@cern.ch. The access to a certain project consists of two steps, first you authenticate who you are and secondly you may or may not be authorized to access that project. The authorization is controlled by the librarian responsible. There are two ways to authenticate to the SVN Service using SVN clients; via SSH, this is the fastest method, or HTTPS. If you are using Windows the recommended method is HTTPS, If you are using Linux/Unix the recommended method is SSH with Kerberos.

Contents

  1. SVN Clients
  2. Web Interfaces
  3. Configuring HTTPS access from Windows
  4. Configuring SSH access from Windows (not recommended)
  5. Access for Windows users (Tortoise SVN)
  6. Configuring SSH access from Linux/Unix
  7. Configuring HTTPS access_from Linux/Unix
  8. SVN access from MAC clients
  9. Displaying repository activity in TWiki
  10. Troubleshooting in SSH
  11. Using Winmerge

  1. SVN Clients

    SVN clients for different platforms can be found here.

    The CERN official version is the Redhat SVN client which is installed on the CERN lxplus Linux SLC service. Note that we do not control, and cannot support all the official SVN clients.

    Note that different versions of the SVN client may have problems when operating on the same local working copy. For example, newer versions of the client (>=1.5) update some local db schemes automatically, making the older client versions (e.g. 1.4) incompatible. Version 1.7 also changes the local working copy format and version 1.6 cannot use the 1.7 checkout format. Note that to make use of all the features available in the server, you need to use an SVN client of the same level or later. As of August 2011, lxplus has SVN client 1.6.11 on Linux SLC5 which avoids these problems provided you do not go back to an old SVN client on the same working copy. The SVN servers also run version 1.6.The SVN client officially supported by CERN is that on lxplus. For more information on Subversion client/server versions go to Subversion releases

    Some SVN features use the characters '{' and '}' which need to be escaped or quoted with the tcsh and csh shells. One way to avoid this is to escape the character by using the '\' character:

    svn log -r \{2001-01-13\} 

    or using quotes:

    svn log -r "{2001-01-13}" 

    Another way to avoid these problems is to use a shell interpreter which does not need the escape character '\' to protect the braces.

  2. Web Interfaces

    Web interfaces provided by the SVN Service allow read-only access to repository files (both current and previous versions) with a standard web browser. One can browse through a repository, make diffs between any two versions of a given file etc.

    The following alternatives are offered:

  3. Configuring HTTPS access from a Windows client (not browser)

    This is the recommended method from a windows client (not web browser), use the following URL:

    https://svn.cern.ch/reps/<your_project>

    the password may be cached by your windows SVN client unless you specifically tell it not to.

  4. Configuring SSH access from Windows (not recommended)

    This is not the recommended method for Windows clients, it is complicated to enable. It also depends on the exact version of Windows and Putty. The following is an example but some of the command files may be in different folders from those documented here. The svn Service uses the same home accounts as LXPLUS. If you can ssh to lxplus from Windows without typing your password, it will work also to run svn commands. However if this is not the case for you, follow the steps below in order to configure your Windows machine to access SVN servers without typing a password every time:

    Troubleshooting

    If SSH still asks you for your password, make sure that you followed all the instructions correctly. If it still fails, then try the following command to see more information about why it prompts for the password.

    "C:\Program Files\PuTTY\plink" -v USERNAME@svn.cern.ch
    1. If not already done, please install the latest PUTTY application via the "CERN Computer Management Framework (CMF)".
    2. Once it is done, run the application
      C:\Program Files\PuTTY\puttygen.exe

      Select SSH-2 RSA as "Type of key to generate", give 2048 as "Number of bits in a generated key" field, then generate private and public keys and save them on the disk (for example two files my_rsakey.ppk and my_rsakey.pub, respectively).

    3. In the PuTTY Key Generator windows the public key that you have just generated is displayed (Under Key, Public key for pasting into OpenSSH authorized_keys file). Mark it beginning from ssh-rsa to the end and copy, next log on to lxplus (use PuTTY for example) and put the public key into (right click will paste your public key into the terminal window) ~/.ssh/authorized_keys, you may use the command:
      echo "your public key..." >> ~/.ssh/authorized_keys 
    4. Since the AFS home directory is on AFS, ssh needs AFS tokens to read ~/.ssh/authorized_keys, to fix this, execute the following script on lxplus:
      /afs/cern.ch/project/svn/dist/bin/set_ssh 
    5. From Windows run the C:\Program Files\PuTTY\pageant.exe command. It will install an icon in your system tray (right-bottom corner of the screen). Right-click on it, choose Add Key menu item from the pop up menu and select the file with your private key that you have saved before (my_rsakey.ppk). You may later verify if your key was taken in account by choosing the View Keys menu item.

      The pageant.exe has to be executed after each login to Windows, and the key added each time pageant is started. This can be automated as follows:

      • In Control Panel->Scheduled tasks->Add Scheduled Task->Browse to
        C:\Program Files\PuTTY\pageant.exe
      • Select "When I logon" bullet, click next
      • Username CERN\yourNICEUsername and password, click next
      • Tick "open advanced properties", click Finish
      • in "Run" field, add the dfs path to your private key file, e.g.:
        C:\Program Files\PuTTY\pageant.exe \\cern.ch\dfs\users\n\niceuser\private\my_rsakey.ppk
    6. From Start->Run... menu run command:
      C:\Program Files\PuTTY\putty

      P.S.: The host name given to plink must correspond exactly to the name of the saved PuTTy session where the ssh2 protocol is defined

      • Create a Session called svn.cern.ch to <your account>@svn.cern.ch.
      • For that session, in Category->Connection->SSH->Auth select SSH-2 and Pageant as Authentication method.
      • In Category->Connection->SSH select Preferred SSH protocol version 2.
      • In Category->Connection->SSH->X11 Disable X11 Forwarding
      • Go back to Category->Session and save the svn.cern.ch you have just created and close the PuTTY Configuration window.
    7. From Start->Run... menu run command:
      "C:\Program Files\PuTTY\putty" <your_account>@svn.cern.ch

      You should not be prompted for a password. You will just see a warning message and the session will automatically close since login is not allowed in SVN servers.

  5. Access for Windows users (Tortoise SVN client)

    There exist many windows client tools, for example: Tortoise SVN. It is a lightweight client, and although it offers less functionality than many others, it may be more intuitive for most users. It integrates directly with Windows Explorer and provides a right-click context menu for SVN files and modules. Tortoise SVN web page address is http://tortoisesvn.net.

    If you decide to use HTTPS access you do not need to set up ssh. Just define the Tortoise URL argument to:

    https://svn.cern.ch/reps/<your_project>

    If you are using Eclipse, documentation about how to integrate it with Subversion can be found here: Subclipse, Easy how to, Comprehensive documentation and here.

  6. Configuring SSH access from Linux/Unix

On a Linux or UNIX system, install the subversion client. For example to make a check out of your project, do:

svn co svn+ssh://svn.cern.ch/reps/<your_project>

or if you use a different user name for LXPLUS:

svn co svn+ssh://<lxplus_username>@svn.cern.ch/reps/<your_project>

The SVN servers use the same home accounts used by LXPLUS If you can ssh to lxplus from your Linux machine without typing your password, it will work also to run svn commands. From lxplus it will work as well (via Kerberos). However if this is not the case, To access the Central SVN Service using SSH from your Linux/Unix machine without providing password each time; you need to configure either Kerberos or ssh key setup.

Please note that ssh authentication via Kerberos, as can be seen in the CERN SSH FAQ, is the recommended method at CERN.
However, here are the instructions for access via public ssh keys.

In order to genenate your ssh keys, execute the following command and follow the instructions:

ssh-keygen -t rsa

After generating you ssh private and public keys, copy your public key to your AFS home directory:

scp ~/.ssh/*.pub USERNAME@lxplus.cern.ch:.ssh/

Execute the following script in lxplus (This is the only step particular to CERN, the rest is standard ssh public/private keys and it is due to AFS being used for home directories):

/afs/cern.ch/project/svn/public/bin/set_ssh

This makes sure the files have the correct permisisons and that are moved and linked to the correct folders. The public keys will be moved to the ~/public folder and the private keys to the ~/private folder (only used if you connect from lxplus or other system where AFS is your home directory), and a link will be created to each file from the ~/.ssh folder. Also it will take care of adding your public keys to the ~/.ssh/authorized_keys file and activate Kerberos access.

Then you are done, in order to test execute:

ssh USERNAME@svn.cern.ch

and accept the server key. You should not be prompted for a password, and you should see the login message something like this:

******************************************************************************* 			
*                                                                             
*	Reminder: You have agreed to comply with the CERN computing rules         
*				http://cern.ch/ComputingRules                                 
*			                                                                  
*******************************************************************************
SVN server - only svn allowed, interactive login disabled 
Connection to svn closed.

which means that ssh access to SVN servers is properly configured.

As you probably realized, when you login on LXPLUS without providing your password, unless you have Kerberos configured, you do not have AFS and Kerberos tokens. In order to be asked for the password while connecting to LXPLUS and not to be asked for it for SVN connections, create ~/.ssh/config file on your Linux/Unix machine, and put the following contents in it:

Host lxplus.cern.ch lxplus 
Protocol 2 
PubkeyAuthentication no 
PasswordAuthentication yes

Host svn.cern.ch svn 
GSSAPIAuthentication yes
GSSAPITrustDNS yes
GSSAPIDelegateCredentials yes 
Protocol 2 
ForwardX11 no

The GSSAPI lines enables Kerberos in case you would have it installed. Now try the two commands:

ssh USERNAME@lxplus.cern.ch 
ssh USERNAME@svn.cern.ch

The first call to ssh will prompt for a password, while the second one should not (which was the purpose).

  1. Configuring HTTPS access from Linux/Unix

    In order to access a project using HTTPS authorization, use:

    svn co https://svn.cern.ch/reps/<your_project>
    

    The password will be cashed by the Subversion client.

  2. SVN access from MAC clients

Mac OSX ships with a built-in SVN command-line client (see http://www.apple.com/opensource/), which is fully supported as a component of OSX. (There is also a Git client.)  To use the MAC client, please work with a terminal Window and follow the Linux instructions above.

From "Mac Support":

Apparently, the svn client does not use the OS keychain for validating the certificate trust for the command line svn over https.

The workarounds are:
(1) use ssh tunnelling with this syntax: svn co svn+ssh://username@svn.cern.ch/our-repository , or:
(2) accept the fingerprint of the certificate (type "t" when prompted by the svn client) after checking that the certificate has the same fingerprint as the certificate you get if you access
https://svn.cern.ch from your web browser (which correctly recognises the trust chain).

  1. Displaying repository activity in TWiki

    Note that this works only for world-readable repositories.

    It is possible to embed dynamic information about your repository activity in a TWiki page, using the SvnPlugin for TWiki.

    Here is an example of project your_repository_name that will display:

    ---+ Latest 10 commits:
    
    %SVNTIMELINE{ 
      ticketprefix="MyProject <project>"  
      svnpath= "http://svnweb.cern.ch/guest/<project>/"
      format="|[[http://svnweb.cern.ch/world/wsvn/<project>/listing.php?repname=$svnpath?op=revision&rev=$rev][rev.$rev]] |$author |$msg  |"
      limit="10"
    }%
    
    Additional notes:
    • information about the latest 10 commits (limit="10" - please do not exceed 25);
    • parameters $rev, $author and $msg are replaced by revision, author and commit message;
    • if nothing is displayed it means that your Twiki code has errors;
    • please use a "limit" value of 25 as the maximum;
    • this works only for world-readable repositories;
    • for more configuration options please see the SvnPlugin documentation.
  2. Troubleshooting with SSH

    If SSH still asks you for your password, make sure that you followed all the instructions correctly, possibly try following them again. If it still fails, please try the command below to see more information about why it prompts for the password. If necessary, report it to SVN.Support@cern.ch, sending also the output of this command:

    ssh -vvv USERNAME@svn.cern.ch

    Regardless of the problem you may have using your svn client, please always send us the output of the failing command. You can also use HTTPS access instead.

  3. Using WinMerge

    WinMerge is a visual text file differencing and merging tool for Windows platforms. It is useful for determining what has changed between project versions, and then merging changes between versions. Although this tool is not officially supported by the SVN Service, it might be found useful for SVN users. You can download WinMerge from SourceForge. Make sure that the version you download is not older that 2.0, even if it is a Beta version or a Release Candidate (older versions have some problems with comparing files on network drives). Run the .exe file to install it.

You are here