| Summary: | Please give git commit rights to Martin Whitaker | | |
|---|---|---|---|
| Product: | Infrastructure | Reporter: | Marja Van Waes <marja11> |
| Component: | Account request | Assignee: | Sysadmin Team <sysadmin-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | High | CC: | arnaud.patard, ennael1, mageia, mageia, mageia, sysadmin-bugs, thierry.vignaud, tmb |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | | CVE: | |
| Status comment: | | | |

Description
Marja Van Waes
2016-10-26 12:40:56 CEST
Thanks Marja! My Mageia user name is martinw.

i do it today.

should be OK

(In reply to Nicolas Lécureuil from comment #3)
> i do it today.

(In reply to Nicolas Lécureuil from comment #4)
> should be OK

Thanks, Nicolas :-D

http://people.mageia.org/u/martinw.html :
> Groups: mga-iso_makers

@ Martin

Please close this report if everything works as expected.

I'm not having any success, either with git or with ssh to rabbit.

For git, 'git config -l' shows

    user.name=Martin Whitaker
    credential.helper=cache
    core.repositoryformatversion=0
    core.filemode=true
    core.bare=false
    core.logallrefupdates=true
    remote.origin.url=git://git.mageia.org/software/build-system/draklive
    remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
    remote.origin.pushurl=ssh://git@git.mageia.org/software/build-system/draklive
    branch.master.remote=origin
    branch.master.merge=refs/heads/master
    user.email=mageia@martin-whitaker.me.uk

A git push prompts me for a password, but doesn't accept the password I give.

Similarly, 'ssh martinw@rabbit.mageia.org' prompts for, but doesn't accept my password.

In both cases I'm using my Mageia identity password, which works for bugzilla, etc.

According to the Wiki, I should be able to add my ssh public key to my Mageia account, but I don't see any way to do this at https://identity.mageia.org/user. The only additional attributes on offer are 'mobile', 'roomNumber', and 'secretary'.

(In reply to Marja van Waes from comment #0)
> Martin Whitaker has proven to be a very good contributor by providing us
> great patches for our tools.
>
> Also, he joined the iso builders group.
>
> Please give him git commit rights and, if possible with current state of
> Rabbit and if nothing else blocks that, the needed rights on rabbit/bcd, too
>
> @ Martin
>
> please give your Mageia identity nick

Well, technically before opening accounts for anyone, they need a mentor assigned that reviews the work in the beginning.

Who's the mentor in this case ?

As for it still not working, I guess neoclust forgot about posix account promotion

CC: (none) => tmb

(In reply to Thomas Backlund from comment #7)
> (In reply to Marja van Waes from comment #0)
> > Martin Whitaker has proven to be a very good contributor by providing us
> > great patches for our tools.
> >
> > Also, he joined the iso builders group.
> >
> > Please give him git commit rights and, if possible with current state of
> > Rabbit and if nothing else blocks that, the needed rights on rabbit/bcd, too
> >
> Well, technically before opening accounts for anyone, they need a mentor
> assigned that reviews the work in the beginning.

A mentor for:
* the iso building itself and for
* committing to git/software/build-system/

but not for git/software/drakx*, correct?

(He's already proven himself for drakx*, Thierry would like him to have commit rights and Thierry sees everything anybody commits there, anyway ;-) )

>
> Who's the mentor in this case ?

CC'ing all mga-iso_makers that weren't in the CC, yet.

>
> As for it still not working, I guess neoclust forgot about posix account
> promotion

CC: (none) => arnaud.patard, ennael1, mageia, thierry.vignaud

Indeed Martin already provided valuable fixes for several bugs.

(In reply to Martin Whitaker from comment #6)
> I'm not having any success, either with git or with ssh to rabbit.
>
> For git, 'git config -l' shows
>
> user.name=Martin Whitaker
> credential.helper=cache
> core.repositoryformatversion=0
> core.filemode=true
> core.bare=false
> core.logallrefupdates=true
> remote.origin.url=git://git.mageia.org/software/build-system/draklive
> remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
> remote.origin.pushurl=ssh://git@git.mageia.org/software/build-system/draklive
> branch.master.remote=origin
> branch.master.merge=refs/heads/master
> user.email=mageia@martin-whitaker.me.uk
>
> A git push prompts me for a password, but doesn't accept the password I give.
>
> Similarly, 'ssh martinw@rabbit.mageia.org' prompts for, but doesn't accept
> my password.
>
> In both cases I'm using my Mageia identity password, which works for
> bugzilla, etc.
>
> According to the Wiki, I should be able to add my ssh public key to my
> Mageia account, but I don't see any way to do this at
> https://identity.mageia.org/user. The only additional attributes on offer
> are 'mobile', 'roomNumber', and 'secretary'.

is it better now ?

(In reply to Nicolas Lécureuil from comment #10)
> is it better now ?

No, still the same response.

you should be able to add your sshkey

Getting there :-)

I can now add my sshkey, and this enables me to ssh to rabbit. Pushing to git is still failing, but in a different way:

    % git push origin master
    X11 forwarding request failed on channel 0
    Counting objects: 3, done.
    Delta compression using up to 4 threads.
    Compressing objects: 100% (3/3), done.
    Writing objects: 100% (3/3), 367 bytes | 0 bytes/s, done.
    Total 3 (delta 2), reused 0 (delta 0)
    remote: FATAL: W refs/heads/master software/build-system/draklive martinw DENIED by fallthru
    remote: error: hook declined to update refs/heads/master
    To ssh://git@git.mageia.org/software/build-system/draklive
     ! [remote rejected] master -> master (hook declined)
    error: failed to push some refs to 'ssh://git@git.mageia.org/software/build-system/draklive'

P.S. I found bug 16119 and tried the fix there (check out a new clone), but it didn't help.

I've just realised there is a major obstacle to me using rabbit to build Live ISOs. draklive runs an install in a chroot, so needs root privileges. I don't see a way round this.

draklive user on rabbit has root privileges for the needed parts, so calling draklive with sudo should work

I'd need to be able to su to the draklive user to do that, wouldn't I?

(In reply to Martin Whitaker from comment #13)
> remote: FATAL: W refs/heads/master software/build-system/draklive martinw
> DENIED by fallthru
> remote: error: hook declined to update refs/heads/master
> To ssh://git@git.mageia.org/software/build-system/draklive
> ! [remote rejected] master -> master (hook declined)
> error: failed to push some refs to
> 'ssh://git@git.mageia.org/software/build-system/draklive'

Hi Martin,

I have added you to the mga-packagers-committers group (and thus mga-shell_access as well), so you should now be able to push.

The gitolite config reads:

    repo software/build-system/draklive
        RW+ master$ = tmb
        RW+ distro/ = tmb
        RW+ topic/ = tmb
        RW+ refs/tags/ = tmb
        RW master$ = @mga-packagers-committers
        RW distro/ = @mga-packagers-committers
        RW+ topic/ = @mga-packagers-committers
        RW refs/tags/ = @mga-packagers-committers
        RW master$ = @mga-i18n-committers
        RW distro/ = @mga-i18n-committers
        RW topic/ = @mga-i18n-committers
        RW+ master$ = @mga-sysadmin
        RW+ distro/ = @mga-sysadmin
        RW+ topic/ = @mga-sysadmin
        RW+ refs/tags/ = @mga-sysadmin
        RW+ user/USER/ = @all
        R = @all

It seems mga-packagers-committers is the default group owner for all "software" repositories, and we can not easily change it for a specific repository. The mga-iso_makers group would have been the ideal owner for this repository, but well, no need to make things overly complicated.

(In reply to Martin Whitaker from comment #17)
> I'd need to be able to su to the draklive user to do that, wouldn't I?

This should be ok already:

    [root@rabbit ~]# sudo -l -U martinw
    ...
    User martinw may run the following commands on rabbit:
        (bcd) SETENV: NOPASSWD: ALL
        (draklive) SETENV: NOPASSWD: ALL

Thanks Olivier. But...

(In reply to Olivier Blin from comment #18)
> I have added you to the mga-packagers-committers group (and thus
> mga-shell_access as well), so you should now be able to push.

That's done. On rabbit I get:

    $ groups
    mga-users mga-packagers-committers mga-iso_makers

but I'm still getting the same error message when I attempt to push. If you want to test this, I've got a checkout of draklive in ~martinw on rabbit with my patches applied.

(In reply to Olivier Blin from comment #19)
> (In reply to Martin Whitaker from comment #17)
> > I'd need to be able to su to the draklive user to do that, wouldn't I?
>
> This should be ok already:
>
> [root@rabbit ~]# sudo -l -U martinw
> ...
> User martinw may run the following commands on rabbit:
> (bcd) SETENV: NOPASSWD: ALL
> (draklive) SETENV: NOPASSWD: ALL

Turns out the problem is that draklive doesn't have the permission to do what I was trying to do:

    $ sudo -l -U draklive
    User draklive may run the following commands on rabbit:
        (root) NOPASSWD: /usr/sbin/draklive

So I can run the existing version of draklive, but not my patched version. I can work round this for now, particularly as /sbin/draklive has been hacked to fix one of the bugs.

For your push issue: You did git clone with ssh, not https, didn't you?

Keywords: (none) => NEEDINFO

No, I cloned with git, but push with ssh (as per config in comment 6). This should work (it's equivalent to the instructions in https://wiki.mageia.org/en/How_to_use_Git), but just to be sure, I've just done a clean checkout using ssh, and get the same error on push.

Keywords: NEEDINFO => (none)

(In reply to Martin Whitaker from comment #20)
> but I'm still getting the same error message when I attempt to push. If you
> want to test this, I've got a checkout of draklive in ~martinw on rabbit
> with my patches applied.

I had to run this manually on the git server to update gitolite.conf:

    su -c '/usr/bin/mgagit glrun' - git

Should be better now

> Turns out the problem is that draklive doesn't have the permission to do
> what I was trying to do:
>
> $ sudo -l -U draklive
> User draklive may run the following commands on rabbit:
> (root) NOPASSWD: /usr/sbin/draklive
>
> So I can run the existing version of draklive, but not my patched version. I
> can work round this for now, particularly as /sbin/draklive has been hacked
> to fix one of the bugs.

I guess we can enlarge the permissions, even if that's basically giving root access.

Ideally, we should rewrite some draklive parts to use a wrapper for root commands like iurt, so that draklive can run as users and only specific parts require root. This would help a bit.

(In reply to Olivier Blin from comment #23)
> I had to run this manually on the git server to update gitolite.conf:
> su -c '/usr/bin/mgagit glrun' - git

To give more details: groups are inlined in gitolite.conf

(In reply to Olivier Blin from comment #23)
> I had to run this manually on the git server to update gitolite.conf:
> su -c '/usr/bin/mgagit glrun' - git
>
> Should be better now

Thanks Olivier, that worked :-)

> I guess we can enlarge the permissions, even if that's basically giving root
> access.

Well, what we have now has a hole. I've held off my patch that mounted /dev in the chroot (to provide /dev/null) until we discuss this further.

> Ideally, we should rewrite some draklive parts to use a wrapper for root
> commands like iurt, so that draklive can run as users and only specific
> parts require root.
> This would help a bit.

Would be nicer, just to prevent accidents. I'll give this some thought once I've got the 5.1 ISOs built.

Can close this one now. Thanks everyone.

Status: NEW => RESOLVED
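
Added example, not part of the bug thread or of Mageia's tooling: a simplified model of how the gitolite rules quoted above resolve a push, showing why a group snapshot inlined into gitolite.conf yields "DENIED by fallthru" until the config is regenerated. The names `parse` and `check` and the two group sets are constructed for illustration; deny (`-`) rules and read access are not modelled.

```python
import re

# Rule lines as quoted in the thread for repo software/build-system/draklive.
CONFIG = """\
RW+ master$ = tmb
RW+ distro/ = tmb
RW+ topic/ = tmb
RW+ refs/tags/ = tmb
RW master$ = @mga-packagers-committers
RW distro/ = @mga-packagers-committers
RW+ topic/ = @mga-packagers-committers
RW refs/tags/ = @mga-packagers-committers
RW master$ = @mga-i18n-committers
RW distro/ = @mga-i18n-committers
RW topic/ = @mga-i18n-committers
RW+ master$ = @mga-sysadmin
RW+ distro/ = @mga-sysadmin
RW+ topic/ = @mga-sysadmin
RW+ refs/tags/ = @mga-sysadmin
RW+ user/USER/ = @all
R = @all
"""

def parse(config):
    """Turn 'PERM [REFEX] = WHO' lines into (perm, refex, who) tuples, in order."""
    rules = []
    for line in config.splitlines():
        left, who = (s.strip() for s in line.split("="))
        perm, _, refex = left.partition(" ")
        rules.append((perm, refex.strip(), who))
    return rules

def check(user, groups, access, ref):
    """access: 'W' (push) or '+' (forced push). groups is the membership
    snapshot inlined into the generated config, not the live directory."""
    for perm, refex, who in parse(CONFIG):
        if who.startswith("@"):
            member = who == "@all" or who[1:] in groups
        else:
            member = who == user
        if not member or access not in perm:
            continue
        refex = (refex or "refs/.*").replace("USER", user)
        if not refex.startswith("refs/"):
            refex = "refs/heads/" + refex   # bare refexes name branches
        if re.match(refex, ref):
            return f"{perm} {refex} = {who}"  # first matching rule wins
    return "DENIED by fallthru"
```

With the stale snapshot `{"mga-users", "mga-iso_makers"}` a push to `refs/heads/master` falls through every rule; adding `mga-packagers-committers` to the snapshot lets it match the `RW master$` rule, while a forced push to master is still refused because that rule lacks `+`.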