Using a jumpbox with subversion

25 May 2009 - Remco - ssh - subversion - tunnel - Software

Just as I wrote in "Using a jumpbox in ssh", it can also come in handy to use a jumpbox with subversion.

A jumpbox is an in-between server through which you tunnel traffic, because the end point is somehow not reachable directly. In this case we migrated to a new internet connection in our office, which brought in a Zyxel modem/router. Our company's subversion server is internal to the network, and somehow the Zyxel messed things up when we tried to reach our internal subversion server from within our own network, so we looked into the possibility of using an external box as a hop in between when connecting to our internal svn server. (Update: we managed to fix this on the router.)

Subversion allows for what are called tunnels, which can be used by checking out using svn+[tunnel_name] as the protocol identifier. Tunnels are defined in the [tunnels] section of ~/.subversion/config. This is actually the mechanism used for svn+ssh, but since svn+ssh is used so often it doesn't require an explicit entry in the [tunnels] section. If it did, it would look like this:

[tunnels]
ssh = $SVN_SSH ssh

Subversion uses a standard mechanism for creating tunnels, which is actually quite simple. It assumes that the tunnel command accepts the hostname from the svn URL, followed by the svnserve -t command to be run on the remote machine:

<command> <hostname> svnserve -t

All the [tunnels] section defines is aliases for the <command> part. So doing svn co svn+ssh://[hostname]/ just runs ssh [hostname] svnserve -t.

Now, to instruct subversion to tunnel the svn connection through an in-between box, just configure a tunnel called my_tunnel like this:

[tunnels]
my_tunnel = /usr/bin/ssh -A [hostname or ip of jumpbox] ssh -A -p [port] -l [username]

Options used:
  • -A: forces the ssh client used by subversion to forward ssh-agent. This is used for passwordless login through the jumpbox to the remote machine.
  • -p: optionally you can define a port here if you run the ssh server on a non-standard port.
  • -l: optionally you can define a user this way, so you don't have to specify a user in your SVN URL, which can be irritating if you have multiple people doing deployments from the same repository.

Note: The first ssh command is the one used to connect to the jumpbox. The second ssh command is used to connect from the jumpbox to the subversion server.

Now all you have to do is svn co svn+my_tunnel://[hostname]/[path_to_svn_repo] and you are tunneling the subversion traffic through your jumpbox.
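
How a [tunnels] entry becomes the command that actually runs can be modelled in a few lines of Python. This is an added example, not code from the original post or from Subversion; it follows the <command> <hostname> svnserve -t rule described above. The host names, port and user are constructed placeholders, and my_tunnel_j is an assumed variant that uses OpenSSH's -J option (ProxyJump, OpenSSH 7.3 or later) so that no agent is forwarded to the jumpbox.

```python
import configparser
import shlex

# Constructed sample of ~/.subversion/config; hosts, port and user are placeholders.
SAMPLE_CONFIG = """
[tunnels]
my_tunnel = /usr/bin/ssh -A jump.example.com ssh -A -p 2222 -l deploy
# Assumed variant, not from the post: ProxyJump (-J) instead of agent forwarding.
my_tunnel_j = /usr/bin/ssh -J jump.example.com -p 2222 -l deploy
"""


def tunnel_argv(config_text, url, env):
    """Model of the argv spawned for an svn+<tunnel>://[user@]host/path URL."""
    scheme, sep, rest = url.partition("://")
    prefix, plus, name = scheme.partition("+")
    if not sep or prefix != "svn" or not name:
        raise ValueError("not an svn+<tunnel>:// URL: " + url)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    # svn+ssh needs no explicit entry; this is the implicit one the post shows.
    implicit = "$SVN_SSH ssh" if name == "ssh" else None
    command = cfg.get("tunnels", name, fallback=implicit)
    if command is None:
        raise KeyError("undefined tunnel scheme: " + name)
    if command.startswith("$"):
        # "$VAR default": the variable, when set, overrides the default command.
        var, _, default = command[1:].partition(" ")
        command = env.get(var) or default.strip()
    hostinfo = rest.split("/", 1)[0]  # "host" or "user@host" from the URL
    if not hostinfo:
        raise ValueError("URL has no hostname: " + url)
    return shlex.split(command) + [hostinfo, "svnserve", "-t"]


def forwards_agent(argv):
    """True when any ssh hop in the tunnel command enables agent forwarding."""
    return "-A" in argv


if __name__ == "__main__":
    for scheme in ("my_tunnel", "my_tunnel_j", "ssh"):
        argv = tunnel_argv(SAMPLE_CONFIG, "svn+%s://svn.internal.example/repo" % scheme, {})
        print(scheme, forwards_agent(argv), " ".join(argv))
```

With -A, the forwarded agent can be used by anyone with sufficient privileges on the jumpbox for as long as the connection is open. The -J variant authenticates to both hosts from the client, so the jumpbox only relays the connection.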


