tags:

views:

70

answers:

4
Q: 

Noob questions for SVN checkout and network issues regading it.

We have a local server with SVN installed on it that we are using for development/testing purpouses. We would like to checkout the data from it to the live server that is somewhere out there.

The only way to do that which I thought of was to use "svn checkout" from the live server, right? This way we do not need to FTP the changes to it, that may cause problems is we forget to upload some of the changes. And if we found a problem we can alway go back to previous stable version, right? Correct me if I am wrong about any of these.

The problem is that our local server (Ubuntu) does not have a IP that is reachable from outside. We have a router from out ISP, but we can not use that to access the local server from the live. We are willing to ask the ISP provider to setup a second IP for the local server, but for security sake they want to setup a separate machine with Windows and windows base security software (firewall - http://www.kerio.com/control/ and antivirus) that will cost us a lot. Can we just setup a free firewall on the local server (Ubuntu as I said) and solve the problem without spending additional money?

I hope I was clear.

+1  A: 

It's always hard to comment without knowing the exact situation, but this sounds a bit crazy.

What you would usually do is set up port forwarding for one port to the local server. The server would then be reachable (for example) through 123.45.67.89:3690

That's a three-minute task to set up in a normal household router.

As long as the Ubuntu server is closed otherwise, and Subversion or whatever you are using for authentication is properly configured and up to date, this should not create security issues.

In any case, putting a Windows machine in between to act as a firewall sounds really unnecessary. Ubuntu comes with everything necessary to secure the setup properly.

Pekka  2010-10-19 14:18:26
A: 

check if your ISP router provide some port forwarding abilities, You should probably forward the ssh port ( after ensuring that everyone password is secure/or enforcing login with ssh keys file), and use SVN+SSH protocol to access your repository.

dvhh  2010-10-19 14:19:31
How about https? This is how the local server is accessed from me right now.
Yasen Zhelev  2010-10-19 14:24:01
A: 

If the remote server has an ssh server, then you can use ssh forwarding.

From the internal svn server:

ssh -R 7711:localhost:3690 {REMOTE_SERVER}
  • 7711 is an arbitrary port (you can use any free port on the remote system) that will be forwarded from the remote system to port 3690 (svn) on the svn server.
  • 3690 is the port on the internal svn server that you want to talk to (via svn://).
  • If you are using subversion over http:// then use port 80 instead of 3690.
  • If you are using subversion over https:// then use port 443 instead of 3690.

After setting up the forward, then you can do this on the remote system:

svn checkout {SCHEME}://localhost:7711/{PATH}
  • {SCHEME} is svn, http, https, etc.
  • {PATH} is the normal svn path you want to check out.

Notes:

  • the forwarded traffic is tunneled through the ssh connection (on a different "channel") so it is also encrypted which is a nice benefit.

  • by default, the remote end of the forward will listen on the loopback interface so only processes on that system will be able to use the port forwarded port.

  • As soon as you close the ssh session, the forwarded port will also close. It only lasts the duration of the ssh connection.

  • ssh forwarding is very powerful. If you can ssh between two systems, then you can get around any sort of connection problem like this.

  • Do man ssh and read about the -L and -R options.

  • Useful links about ssh forwarding:

kanaka  2010-10-19 14:20:44
I will do my homework then. I am not experienced with SSH and SVN also.
Yasen Zhelev  2010-10-19 14:25:20
the setup with svn+ssh is way easier than setting it up over http ;)
dvhh  2010-10-19 14:30:04
So run the ssh -R 7711:localhost:3690 {REMOTE_SERVER} on the local server with the development files and then I can svn checkout {URL}:7711 /path/to/live/server/public_html/folder to svn co the fiels from the local to the live server. Do I get it correct?
Yasen Zhelev  2010-10-19 14:41:08
dvhh, svn+ssh vs http is irrelevant to the actual question. The key is that the local server is not visible to the outside. ssh forwarding will give the remote server access to the internal server without exposing any ports to the internet and without requiring any interaction with the ISP or their own routers/firewalls to setup forwarding. If you can ssh in one direction or the other then you can always use ssh forwarding regardless of any other network constraints.
kanaka  2010-10-19 14:44:12
Yasen Zhelev. You run the ssh command from the internal system. This will give you an ssh prompt on the remote system (and setup the forwarding). From the remote system you then run the svn checkout command (using the same ssh connection). You just need to get the svn checkout command to use the start port (7711 in the example) instead of the default.
kanaka  2010-10-19 14:46:51
Yasen Zhelev. You can simplify the forward slightly to use 3690 on both side (instead of 7711), then you don't have to pass the port and you can just do 'svn co svn://localhost/PATH' (or whatever it would normally look like but with localhost instead of the normal server name).
kanaka  2010-10-19 14:50:08
Just to be clear, if you use ssh forwarding and the svn server uses svn+ssh you are encrypted the traffic twice. That's not a problem (slight performance penalty) but if the server is configured to use the normal svn protocol or http, there is no additional security reason to switch to svn+ssh if you use ssh forwarding. If you open the internal server to the world via network forwarding then you absolutely should ONLY forward the svn+ssh port.
kanaka  2010-10-19 14:53:48
And we should have SVN installe don the live server to run svn co on it, right? I will do some tests soon and will see if it works for us.
Yasen Zhelev  2010-10-19 15:00:00
Technically you just need the subversion client. Unfortunately, subversion is usually one huge package that includes both client and server.
kanaka  2010-10-19 15:20:55
Another note: if this is production web data, make sure your webserver doesn't serve the .svn directories, otherwise people can see history and developer names and other information that you likely don't want to share with the world.
kanaka  2010-10-19 15:23:23
I was going to "svn export" not "svn co" to the production server to prevent that. Thanks for reminding me.
Yasen Zhelev  2010-10-19 15:38:42
After I run svn checkout <https://localhost:7711/svn/trunk> /home/test I get that svn: Propfind of '/svn/trunk': 405 Method not allowed (<http://localhost:7711>) :( Any ideas?
Yasen Zhelev  2010-10-20 10:24:07
One more addition. As I am connecting to SVN usign https , should I make the Apache server on the local listen to 7711 in order to be able to handle requests like <https://localhost:7711/svn/trunk>
Yasen Zhelev  2010-10-20 13:44:00
If you are using https then I believe your target port needs to be 443 instead of 3690 (3690 is the port for svn://). 7711 is just an arbitrary unused port on the remote system; there should not be anything else running on that port. The port forward command sets up port 7711 (or whatever you choose) to be a tunnel to port 3690 (or 443) on the internal system that you ssh'd from. By getting svn to talk to port 7711 on the remote system it's like you are talking to port 3690 (or 443) on the internal system.
kanaka  2010-10-20 15:04:26
Aha ok, thank for explanation. So running "svn co https://localhost:7711/sv.trunk /home/code" is like actually running "svn co https://{OUR_LOCAL_SERVER_ADDRESS}/svn/trunk /home/code" from the remote server and getting the local SVN repository files to the remove server /home/code folder? I just need to figure out why it is not working :(
Yasen Zhelev  2010-10-20 15:24:43
Yes, you'll still need to prefix your URL with the scheme (svn://, http://, https://, etc), and depending on the scheme that will determine the target port (3690, 80, 443, etc). I updated my answer with some clarifications from our discussion.
kanaka  2010-10-20 15:27:32
Thanks kanaka, I really appreciate.
Yasen Zhelev  2010-10-20 15:40:37
A: 

You should be able to open up and forward a single port (3690 by default) on your existing IP to the local server, as pointed out by Pekka. This depends on your router, and your ability to access the configuration interface on the router.

Instead of having to deal with SSH and worry about people trying to access your local server from anywhere, you could setup a firewall to only allow incoming traffic from your single remote server. Depending on the router setup, you could simply use the builtin firewall on the local server. It would still be advisable to have some svn authentication, though.

The SSH forwarding method described by kanaka prevents the entire issue about remote access to the local machine, but it requires you to execute the forwarding command from the local server every time you need to access svn on the remote server.

Mikkel Blanné  2010-10-20 00:29:02
The SVN is on the local server, not on the remote server. I need to "svn co" from local to remote. I know that usually the SVN is on the remote, but right now this is the setup.
Yasen Zhelev  2010-10-20 08:05:44
I know. The SVN repository is on the local server, and you need to checkout a working copy on the remote server. In svn lingo, your local server is the 'server' and your remote server is the 'client'. The checkout procedure is performed on the client (in this case remote), and this requires network access initiated from remote to local. Unless of course you use SSH forwarding which reverses the network connection and is a bit harder to understand.
Mikkel Blanné  2010-10-20 16:11:56

related questions

Best strategy to write hooks for subversion in Windows
Database Version Control
Version control PHP Web Project
Experience with SVN vs. Team Foundation Server?
Best SVN Client Ignore Pattern for VB.NET Solutions?
SVN merge merged extra stuff
What is your favorite web app deployment workflow with SVN?
Integrating Fogbugz with TortoiseSVN with no URL/Subversion backend
Version Control. Getting started...
ASP.NET Display SVN Revision Number
How do I create a branch in SVN?
What do the result codes in svn mean?
Could you recommend a good free project hosting website?
Federated (Synced) Subversion servers?
Mechanisms for tracking DB schema changes
What are the advantages of using SVN over CVS?
Use SVN Revision to label build in CCNET
Best subversion client for Mac OS
Why is Git better than Subversion?
ASP.NET, Visual Studio and Subversion - how to integrate?
Best Practice: Collaborative Environment, Bin Directory, SVN
How do I sync the SVN revision number with my ASP.NET web site?
Best Subversion clients for Windows Vista (64bit)
Good branch/merge tutorials for Tortoise SVN?
How can you get Subclipse in Aptana to work with the newest release of Subversion?