Breezy System Administrator’s Guide¶
Introduction¶
Welcome to the Bazaar Version Control System’s guide for system administrators. Bazaar is a flexible system that provides many possible options for serving projects in ways that will hopefully meet your needs. If you have requirements that are not met by the current state of the Bazaar ecosystem, please let us know at bazaar@lists.canonical.com or on Launchpad at https://launchpad.net/bzr.
Scope of this guide¶
In this guide, we will discuss various techniques for making Bazaar projects available, migrating from other Version Control Systems, browsing code over the Web and combining Bazaar with other tools. In many of these categories, multiple options exist and we will try to explains the costs and benefits of the various options.
The intended audience for this guide is the individuals who administer the computers that will do the serving. Much of the configuration that we will discuss requires administrator privileges and we will not necessarily indicate every point that those privileges are needed. That said, reading this guide can also be very helpful for those who are interested in communicating to the system administrators about the requirements for making full use of Bazaar.
What you need to run a Bazaar server¶
Where possible, we will discuss both Unix (including GNU/Linux) and Windows server environments. For the purposes of this document, we will consider Mac OS X as a type of Unix.
In general, Bazaar requires only Python 2.6 or greater to run. If you would optionally like to be able to access branches using SFTP, you need paramiko and pycrypto.
For maximum performance, Bazaar can make use of compiled versions of some critical components of the code. Pure Python alternatives exist for all of these components, but they may be considerably slower. To compile these extensions, you need a C compiler and the relevant header files from the Python package. On GNU/Linux, these may be in a separate package. Other operating systems should have the required headers installed by default.
If you are installing a development version of Bazaar, rather than a released version, you will need Pyrex to create the C extensions. The release tarballs already have the Pyrex-created C files.
Simple Setups¶
Consider the following simple scenario where we will be serving Bazaar branches
that live on a single server. Those branches are in the subdirectories of
/srv/bzr
(or C:\bzr
) and they will all be related to a single project
called “ProjectX”. ProjectX will have a trunk branch and at least one feature
branch. As we get further, we will consider other scenarios, but this will be
a sufficiently motivating example.
Smart server¶
The simplest possible setup for providing outside access to the branches on the server uses Bazaar’s built-in smart server tunneled over SSH so that people who can access your server using SSH can have read and write access to branches on the server. This setup uses the authentication mechanisms of SSH including private keys, and the access control mechanisms of the server’s operating system. In particular, using groups on the server, it is possible to provide different access privileges to different groups of developers.
Setup¶
There is no setup required for this on the server, apart from having Bazaar installed and SSH access available to your developers. Using SSH configuration options it is possible to restrict developers from using anything but Bazaar on the server via SSH, and to limit what part of the file system they can access.
Client¶
Clients can access the branches using URLs with the bzr+ssh://
prefix. For
example, to get a local copy of the ProjectX trunk, a developer could do:
$ brz branch bzr+ssh://server.example.com/srv/bzr/projectx/trunk projectx
If the developers have write access to the /srv/bzr/projectx
directory, then
they can create new branches themselves using:
$ brz branch bzr+ssh://server.example.com/srv/bzr/projectx/trunk \
bzr+ssh://server.example.com/srv/bzr/projectx/feature-gui
Of course, if this isn’t desired, then developers should not have write access
to the /srv/bzr/projectx
directory.
Further Configuration¶
For a project with multiple branches that are all related, it is best to use a shared repository to hold all of the branches. To set this up, do:
$ cd /srv/bzr
$ brz init-shared-repo --no-trees projectx
The --no-trees
option saves space by not creating a copy of the working
files on the server’s filesystem. Then, any branch created under
/srv/bzr/projectx
(see Migration for some ways to do
this) will share storage space, which is particularly helpful for branches that
have many revisions in common, such as a project trunk and its feature
branches.
If Bazaar or Breezy is not installed on the user’s path or not specified in the
SSH configuration, then a path can be specified from the client with the
BZR_REMOTE_PATH
environment variable. For example, if the Bazaar executable
is installed in /usr/local/bzr-2.0/bin/bzr
, then a developer could use:
$ brz_REMOTE_PATH=/usr/local/bzr-2.0/bin/bzr bzr info \
bzr+ssh://server.example.com/srv/bzr/proectx/trunk
to get information about the trunk branch. The remote path can also be
specified in Bazaar’s configuration files for a particular location. See
brz help configuration
for more details.
If developers have home directories on the server, they can use /~/
in
URLs to refer to their home directory. They can also use /~username/
to
refer to the home directory of user username
. For example, if there are two
developers alice
and bob
, then Bob could use:
$ brz log bzr+ssh://server.example.com/~/fix-1023
to refer to one of his bug fix branches and:
$ brz log bzr+ssh://server.example.com/~alice/fix-2047
to refer to one of Alice’s branches. [1]
Using a restricted SSH account to host multiple users and repositories¶
Once you have a bzr+ssh setup using a shared repository you may want to share that repository among a small set of developers. Using shared SSH access enables you to complete this task without any complicated setup or ongoing management.
To allow multiple users to access Bazaar over ssh we can allow ssh access to a common account that only allows users to run a specific command. Using a single account simplifies deployment as no permissions management issues exist for the filesystem. All users are the same user at the server level. Bazaar labels the commits with each users details so seperate server accounts are not required.
To enable this configuration we update the ~/.ssh/authorized_keys
to include
command restrictions for connecting users.
In these examples the user will be called bzruser
.
The following example shows how a single line is configured:
command="brz serve --inet --allow-writes --directory=/srv/bzr",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= my bzr key
This command allows the user to access only brz and disables other SSH use. Write
access to each repository in the directory /srv/bzr
has been granted with --allow-writes
and can be removed for individual users that should only require read access. The root of
the directory structure can be altered for each user to allow them to see only a subet
of the repositories available. The example below assumes two seperate repositories
for Alice and Bob. This method will not allow you to restrict access to part
of a repository, you may only restrict access to a single part of the directory structure:
command="brz serve --inet --allow-writes --directory=/srv/bzr/alice/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= Alice's SSH Key
command="brz serve --inet --allow-writes --directory=/srv/bzr/bob/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= Bob's SSH Key
command="brz serve --inet --allow-writes --directory=/srv/bzr/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...= Repo Manager SSH Key
Alice and Bob have access to their own repository and Repo Manager
has access to the each of their repositories. Users are not allowed access to any part of
the system except the directory specified. The bzr+ssh urls are simplified by
serving using brz serve
and the --directory
option.
If Alice logs in she uses the following command for her fix-1023 branch:
$ brz log bzr+ssh://bzruser@server.example.com/fix-1023
If Repo Manager logs in he uses the following command to access Alice’s fix-1023:
$ brz log bzr+ssh://bzruser@server.example.com/alice/fix-1023
Other Setups¶
Dumb servers¶
Bazaar can also serve branches over protocols that know nothing about Bazaar’s
specific needs. These are called “dumb servers” to distinguish them from
Bazaar’s native protocol. Currently HTTP, HTTPS, FTP, SFTP and HTTP+WebDAV can
be used to read branches remotely. FTP, SFTP and HTTP+WebDAV can be used for
writing as well. To use any of these protocols, it is just necessary to
provide access to the server’s filesystem under /srv/bzr
.
For example, for Apache to provide read-only access to the branches
in /srv/bzr
the configuration may look like this:
Alias /code /srv/bzr
<Directory /srv/bzr>
Options Indexes
# ...
</Directory>
and users could use the URL http://server.example.com/code/projectx/trunk
to refer to the trunk branch.
Note that SFTP access is often available whenever there is SSH access and it
may be a good choice when Bazaar cannot be installed on the server to allow
bzr+ssh://
access. Dumb servers are slower by their very nature than the
native protocol, but they can be a good choice in situations where the
software and protocols that can be used on the server or the network is
limited.
Smart server over HTTP(S)¶
Bazaar can use its native protocol with HTTP or HTTPS requests. Since HTTP is a network protocol that is available on many networks, this can be a good option where SSH access is not possible. Another benefit of this setup is that all of the authentication and access control methods available to the HTTP server (basic, LDAP, ActiveDirectory, etc.) are then available to control access to Bazaar branches. More information about setting up this type of access using Apache and FastCGI or mod_python or WSGI is in the smart server section of the User’s Guide.
Direct Smart Server Access¶
The built-in server that is used by bzr+ssh://
access can also be used as a
persistent server on a dedicated port. Bazaar’s official port is 4155,
although the port used can be configured. Further information on running the
Bazaar smart server from inetd, or directly from the shell is in the User’s
Guide. The dedicated Bazaar server does
not currently perform any authentication, so this server by default provides
read-only access. It can be run with the --allow-writes
option, but the
smart server does not do any additional access control so this may allow
undesired people to make changes to branches. (Which of course can be
reverted.) If the user that runs the server has write access to the branches
on the filesystem, then anyone with access to port 4155 on the server can make
changes to the branches stored there.
Migration¶
Migrating between version control systems can be a complicated process, and Bazaar has extensive documentation on the process at https://www.breezy-vcs.org/doc/migration/en and we won’t attempt to repeat that here. We will try to give a few motivating examples for conversion from Mercurial and Subversion.
Fast Import¶
In many projects wishing to use Bazaar, there is pre-existing history for the codebase that should be taken into consideration. Bazaar leverages an interchange format originally developed for Git called fast-import to provide migration strategies for many other version control systems.
The way that fast-import can be used for migration is to export the existing
history into a fast-import file, then use the brz fast-import
command.
The fastimport plugin includes exporters for Subversion, CVS, Git, Mercurial
and darcs, accessible as the fast-export-from-XXX
commands. Note that
fast-import
should not be used in a branch with existing history.
Assuming that ProjectX was first developed in Mercurial before switching to
Bazaar, and that the Mercurial repository is in /srv/hg/projectx
, the
following commands will import that history into a newly created trunk
branch. (Recall that in Further Configuration we created the
/srv/bzr/projectx
directory as a shared repository.)
$ cd /srv/bzr/projectx
$ brz fast-export-from-hg ../../hg/projectx projectx.fi
$ brz init trunk
$ brz fast-import projectx.fi trunk
Subversion Conversion¶
As the most common centralized version control system, migration from
Subversion is particularly important for any new version control system.
Bazaar’s svn plugin provides tools for interaction with Subversion
projects. In fact, Bazaar can be used transparently with projects stored in
Subversion, but that is beyond the scope of this document. (See
https://www.breezy-vcs.org/doc/migration/en/foreign/bzr-on-svn-projects.html for
more on that subject.) What is relevant here is the svn-import
command
provided by that plugin. This can import an entire subversion repository
including tags and branches, particularly if they are stored in Subversion’s
recommended directory structure: /tags/
, /branches/
and /trunk/
.
This command has flexible ways to specify what paths within the Subversion
repository contain branches and which contain tags. For example, the
recommended layout for Subversion projects (called trunk
by the svn
plugin) could be specified in ~/.config/breezy/subversion.conf
as
[203ae883-c723-44c9-aabd-cb56e4f81c9a]
branches = branches/*
tags = tags/*
This allows substantially complicated Subversion repositories to be converted
into a set of separate Bazaar branches. After installing the svn plugin, see
brz help svn-import
and brz help svn-layout
.
Extending Bazaar with Hooks and Plugins¶
Bazaar offers a powerful extension mechanism for adding capabilities. In addition to offering full library API access to all of its structures, which can be useful for outside programs that would like to interact with Bazaar branches, Bazaar can also load plugins that perform specific tasks. These specific tasks are specified by hooks that run during certain steps of the version control process.
For full documentation on the available hooks, see brz help hooks
. Among
those, some of the most significant hooks from an administration
standpoint are pre_commit, post_commit and post_change_branch_tip.
A pre_commit hook can inspect a commit before it happens and cancel it if
some criteria are not met. This can be useful for enforcing policies about
the code, such as line-endings or whitespace conventions. A
post_commit hook can take actions based on the commit that just happened,
such as providing various types of notifications. Finally, a
post_change_branch_tip hook is a more general form of a post_commit
hook which is used whenever the tip of a branch changes (which can happen in
more ways than just committing). This too can be used for notification
purposes, as well as for backups and mirroring.
Information on the whole range of Bazaar plugins is available at
https://www.breezy-vcs.org/doc/plugins/en/. For purposes of installation,
plugins are simply python packages. They can be installed alongside Bazaar in
the breezy.plugins
package using each plugin’s setup.py
. They can
also be installed in the plugin path which is the user’s
~/.config/breezy/plugins
directory or can be specified with the
BRZ_PLUGIN_PATH
environment variable. See brz help configuration
for
more on specifying the location of plugins.
Email Notification¶
A common need is for every change made on a branch to send an email message to some address, most often a mailing list. These plugins provide that capability in a number of different ways.
The email plugin sends email from each individual developer’s computer. This can be useful for situations that want to track what each individual developer is working on. On the downside, it requires that every developer’s branches be configured individually to use the same plugin.
The next two plugins hookless-email and email-notifier address this concern by running on a central server whenever changes happen on centrally stored branches.
email¶
To configure this plugin, simply install the plugin and configure the
post_commit_to
option for each branch. This configuration can be done
in the locations.conf
file or individually in each branch’s
branch.conf
file. The sender’s email address can be specified as
post_commit_sender
if it is different than the email address reported by
brz whoami
. The post_commit_mailer
option specifies how the
mail should be sent. If it isn’t set, email is sent via /usr/bin/mail
.
It can also be configured to communicate directly with an SMTP server.
For more details on configuring this plugin, see
https://www.breezy-vcs.org/doc/plugins/en/email-plugin.html. As examples,
consider the following two possible configurations. A minimal one (uses
/usr/bin/mail
)
[DEFAULT]
post_commit_to = projectx-commits@example.com
and a more complicated one (using all of the options)
[DEFAULT]
post_commit_url = http://www.example.com/code/projectx/trunk
post_commit_to = projectx-commits@example.com
post_commit_sender = donotreply@example.com
post_commit_mailer = smtplib
smtp_server = mail.example.com:587
smtp_username = bob
# smtp_password = 'not specified, will prompt'
hookless-email¶
This plugin is basically a server-side version of the email plugin. It is
a program that runs either from the command line or as a daemon that monitors
the branches specified on the command line for any changes. When a change
occurs to any of the monitored branches, it will send an email to the
specified address. Using our simple example, the following command would send
an email to projectx-commits@example.com
on any of the branches under
/srv/bzr
since the last time the command was run. (This command could be
set up to run at regular intervals, for example from cron
.)
$ brz_hookless_email.py --email=projectx-commits@example.com \
--recurse /srv/bzr
email-notifier¶
This is a more elaborate version of the hookless-email plugin that can send
templated HTML emails, render wiki-style markup in commit messages and update
working copies on the server (similar to push_and_update). It can also
send emails reporting the creation of new branches or the removal of branches
under a specified directory (here /srv/bzr/projectx
). As it is more
complicated, its configuration is also more complicated and we won’t repeat
its documentation here, but a simple configuration that will send emails on
commits and creation/deletion of branches is
[smtp]
server=smtp.example.com
# If user is not provided then no authentication will be performed.
user=bob
password=pAssW0rd
[commits]
# The address to send commit emails to.
to=projctx-commits@example.com
from=$revision.committer
# A Cheetah template used to construct the subject of the email message.
subject=$relative_path: $revision_number $summary
[new-branches]
to=projectx-commits@example.com
from=donotreply@example.com
subject=$relative_path: New branch created
[removed-branches]
to=projectx-commits@example.com
from=donotreply@example.com
subject=$relative_path: Branch removed
If this file is stored as /srv/bzr/email-notifier.conf
, then the command
$ brz-email-notifier.py --config=/srv/bzr/email-notifier.conf /srv/bzr/projectx
will watch all branches under the given directory for commits, branch creations and branch deletions.
Feed Generation¶
A related concept to sending out emails when branches change is the generation of news feeds from changes on each branch. Interested parties can then choose to follow those news feeds in order to see what is happening on a branch.
branchfeed¶
This plugin creates an ATOM feed for every branch on every branch change
(commit, etc.). It stores these files as .bzr/branch/branch.atom
inside
each branch. Currently, it includes the 20 most recent changes in each feed.
To use it, simply install the plugin and set your feed reader to follow the
branch.atom
files.
In addition, there are other tools that are not plugins for creating news feeds from Breezy branches. See http://wiki.breezy-vcs.org/FeedGenerators for more on those tools.
Mirroring¶
Sometimes it is useful to ensure that one branch exists as an exact copy of another. This can be used to provide simple backup facilities or redundancy (see Back-up and restore for more details on backups). One way to do this using Bazaar’s workflows is to make the branch where changes happen into a bound branch of the mirror branch. Then, when commits happen on the working branch, they will also happen on the mirror branch. Note that commits to bound branches do not update the mirror branch’s working copy, so if the mirror branch is more than just a backup of the complete history of the branch, for example if it is being served as a web page, then additional plugins are necessary.
push_and_update¶
This plugin updates Bazaar’s push
command to also update the remote
working copy. It can only work over connections that imply filesystem or SSH
access to the remote working copy (bzr+ssh://
, sftp://
and
file://
). Also, it is only useful when the remote branch is updated with
an explicit push
command.
automirror¶
This plugin is similar to push_and_update in that it updates the working
copy of a remote branch. The difference is that this plugin is designed to
update the remote branch on every change to the working branch. To configure
this, set the post_commit_mirror = URL
option on a branch. This option
can include multiple branch URLs separated by commas to create multiple
mirrors. For example, if we want to mirror our /srv/bzr/projectx/trunk
branch to the URL sftp://www.example.com/var/www/projectx
(for example if
ProjectX were a web project that we wanted to access at
http://www.example.com/projectx
), then we could include
[DEFAULT]
post_commit_mirror = sftp://www.example.com/var/www/branches/trunk
in the file /srv/bzr/projectx/trunk/.bzr/branch/branch.conf
.
Other Useful Plugins¶
pqm (plugin)¶
Facilitating interaction with PQM, this plugin provides support for submitting merge requests to a remote Patch Queue Manager. PQM provides a way to automatically run the test suite before merging changes to the trunk branch.
testrunner¶
Sometimes referred to as the poor man’s PQM, this plugin runs a single command
on the updated revision (in a temporary directory) and if the command returns
0, then the revision can be committed to that branch. For example, if the
testsuite is run with the command nosetests
in the root of the branch
(which returns 0 if the test suite passes and 1 if it doesn’t pass), then one
can set
[DEFAULT]
pre_change_branch_tip_test_command = nosetests
in .bzr/branch/branch.conf
.
checkeol¶
This plugin is an example of a pre_commit hook that checks the revision
being committed for meeting some policy. In this case, it checks that all of
the files have the specified line endings. It uses a configuration file
.bzreol
in the root of the working tree (similar to the .bzrignore
file). This configuration file has sections for line feed endings (LF),
carriage return/line-feed endings (CRLF) and carriage return endings (CR).
For an unusual example that specifies different line endings for different
files, that file might look like
[LF]
*.py
*.[ch]
[CRLF]
*.txt
*.ini
[CR]
foo.mac
or if you simply want to enforce a single line ending convention on the branch you can use
[LF]
*
This plugin needs to be installed on the server where the branch updates will
happen, and the .bzreol
file must be in each branch where line ending
policies will be enforced. (Adding it to the branch with bzr add .bzreol
is an easy way to ensure this, although it means that branches on the server
must have working trees.)
text_checker¶
This plugin is a more advanced version of checkeol that can check such
coding style guidelines such as trailing whitespace, long lines and files that
don’t end with a newline. It is configured using Bazaar’s built in rules
specification in BRZ_HOME/rules
(see bzr help rules
for more
information. For different types of undesired changes, you can specify
different types of actions. For example
[name NEWS README]
trailing_whitespace=fail
long_lines=warn
newline_at_eof=ignore
[name *.py]
tabs=fail
long_line_length=78
long_lines=fail
trailing_whitespace=fail
will prevent changes from adding new trailing whitespace to the specified
files and keep all python source files free of tabs and lines over 78
characters. To commit while violating these rules, one can pass the
--text-check-warn-only
option to commit.
Web-based code browsing¶
Browsing the history of a project online is an important part of version control, since it allows people to easily see what happens in a branch without having to have a local, up-to-date copy of that branch. There are a number of possible choices for browsing Bazaar branches on the web, but we will cover one of them in particular detail and briefly mention the other choices where they differ.
Loggerhead¶
Loggerhead is a code browsing interface for Bazaar branches (now used in
Launchpad). To see an example of Loggerhead in action, browse to
http://bazaar.launchpad.net/~bzr-pqm/bzr/bzr.dev/files which is the loggerhead
view of Bazaar’s trunk branch. Loggerhead runs as a web application on the
server which is accessed over HTTP via a RESTful interface. It is possible to
run this application on its own dedicated port as
http://www.example.com:8080
or to proxy this location behind a separate web
server, for example at http://www.example.com/loggerhead/
. We will discuss
both of these configurations below.
Requirements¶
Loggerhead depends on a number of other Python packages for the various Web technologies that it builds on. Some of these must be installed to use loggerhead, although some of them are optional. From the loggerhead README file, these are
SimpleTAL for templating. On Ubuntu, sudo apt-get install python-simpletal or download from http://www.owlfish.com/software/simpleTAL/download.html
simplejson for producing JSON data. On Ubuntu, sudo apt-get install python-simplejson or use easy_install simplejson.
Paste for the server. (You need version 1.2 or newer of Paste.) On Ubuntu, sudo apt-get install python-paste or use easy_install Paste
Paste Deploy (optional, needed when proxying through Apache) On Ubuntu, sudo apt-get install python-pastedeploy or use easy_install PasteDeploy
flup (optional, needed to use FastCGI, SCGI or AJP) On Ubuntu, sudo apt-get install python-flup or use easy_install flup
Although directions for installing these on Ubuntu are given, most other
GNU/Linux distributions should package these dependencies, making installation
easy. For Windows and Mac OS X, they should all be easy_install
-able or at
worst installable from the Python sources.
Built-in Web Server¶
Loggerhead has a built-in web server and when started with the
serve-branches
command, that web server is started on a default port
listening on the localhost. If port 8080 (the default) is accessible on
www.example.com
, then running
$ serve-branches --host=www.example.com --port=8080 /srv/bzr
will list all of the available branches under that directory on
http://www.example.com:8080/
, so that the ProjectX trunk could be browsed
at http://www.example.com:8080/projectx/trunk
. Note that loggerhead
provides HTTP access to the underlying Bazaar branches (similar to that
described in Smart server over HTTP(S)), so this command should be run
as a user without write privileges in /srv/bzr
. By default, loggerhead
only listens on the localhost, not any external ports, unless specified as
above.
Behind a Proxy¶
A more common and more safe way to run loggerhead is behind another web server which will proxy certain requests to the loggerhead server on the localhost. To do this, you need to have PasteDeploy installed (see Requirements). Assuming that your server has Apache running, you need to add configuration such as this to set up the proxy
<Location "/loggerhead/">
ProxyPass http://127.0.0.1:8080/
ProxyPassReverse http://127.0.0.1:8080/
</Location>
If your proxy runs at some path within the server, then the serve-branches
command must be started with the --prefix
option. For this example, we
could start loggerhead with the command
$ serve-branches --prefix=/loggerhead /srv/bzr
This would allow the trunk branch of ProjectX to be browsed at
http://www.example.com/loggerhead/projectx/trunk
.
Loggerhead comes with a script allowing it to run as a service on
init.d
based Unix systems. Contributions to do a similar thing on
Windows servers would be welcomed at http://launchpad.net/loggerhead.
Other web interfaces¶
There are a number of other web interfaces available for Bazaar branches (see the list at http://wiki.breezy-vcs.org/WebInterfaces) and we will just mention a couple of them here for their advantages in particular situations.
- trac+bzr (http://launchpad.net/trac-bzr)
Trac is a popular web app that integrates a browser for branches, an issue tracker and a wiki. trac+bzr is a trac extension that allows for the trac to be used with Bazaar.
- webbzr (http://thoughts.enseed.com/webbzr)
This is a notable solution because it is written in pure PHP for web hosts that don’t provide a way to run arbitrary Python applications such as Trac or Loggerhead.
- Redmine (http://redmine.org/)
Like trac, Redmine is a full project management application using the Ruby on Rails framework. It includes support for Bazaar branches.
Integration with Other Tools¶
Patch Queue Manager (PQM)¶
Bug Trackers¶
Continuous Integration Tools¶
Bundle Buggy¶
Security¶
Authentication¶
Bazaar’s philosophy on authentication is that it is best to reuse existing authentication technologies, rather than trying to reinvent potentially complicated methods for securely identifying users. As such, we describe two such uses of existing software for authentication purposes.
Using SSH¶
SSH is a very well tested and featureful technology for authenticating users.
For situations where all of the developers have local accounts on the server,
it is trivial to provide secure, authenticated bzr+ssh://
access. One
concern with this method is that it may not be desirable to grant shell access
to developers on the server machine. In this case, Bazaar provides
bzr_ssh_path_limiter
, a script that runs the Bazaar smart server on the
server machine at a specified path, and allows no other access.
To set it up, specify:
command="/path/to/bzr_ssh_path_limiter <path>" <typical key line>
in each user’s ~/.ssh/authorized_keys
file on the server, where <path> is
the path to limit access to (and its subdirectories). For more documentation
on the syntax of the authorized_keys
file see the documentation of the SSH
server. This will only permit Bazaar access to the specified path and no other
SSH access for that user.
If it isn’t desired to give each user an account on the server, multiple
private/public key pairs can be included under one single SSH account (say
sshuser) in the ~sshuser/.ssh/authorized_keys
file and then each developer
can be given their own private key. They can then use
bzr+ssh://sshuser@server.example.com/
URLs to access the server.
Using HTTP authentication methods¶
Access Control¶
Many projects need fine-grained access control on who may read and write to
which branches. Incorporating these controls into OS-level user accounts
using groups and filesystem permissions can be difficult or even not permitted
in some instances. Bazaar provides a script called bzr_access
that can be
used to provide access control based on usernames, with authentication
performed by SSH. To do so, we need to set up private-key authentication in
SSH. This can be done using a single SSH user on the server, or one account
per user. The idea is to use the SSH’s authorized_keys
file to specify
the bzr_access
script as the only command that can be run by a user
identified by a particular key pair.
First, you will need to generate a private/public key pair for each user who
will be accessing the repository. The private key should be distributed to
the user and the public key will be needed on the server to identify the user.
On the server, in the SSH user’s ~/.ssh/authorized_keys
file, use the
following line for each repository user and the corresponding public key:
command="/path/to/bzr_access /path/to/bzr /path/to/repository <username>",no- port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-<type> <key>
where <key> is the (possibly very long) public key, <type> is the type of SSH key and <username> is the username to associate with that public key.
The bzr_access
script obtains its configuration information from the file
/path/to/repository/bzr_access.conf
. This file should not be placed under
version control in a branch located at /path/to/repository
since that
would allow anyone with access to the repository to change the access control
rules. The bzr_access.conf
file is in a simple INI-style format with
sections defined by [groups]
and [/]
. The options in the [groups]
section are the names of groups and the values of those options should be the
usernames in that group. Inside the [/]
section, the options are
usernames or group names (prefixed with @
) and the values are either
rw
, r
or nothing, representing read-write access, read-only access or
no access at all. A sample of bzr_access.conf
could be:
[groups]
admins = alpha
devels = beta, gamma, delta
[/]
@admins = rw
@devels = r
upsilon =
where the user whose key is associated with alpha would have read-write
access, the users beta, gamma and delta would have read-only access and
user upsilon would not be able to access any branches under
/path/to/repository
.
Additional Considerations with bzr_access
¶
As currently written, bzr_access
only allows each public key to be
associated with a single repository location. This means that if developers
need to access two or more different repositories, then each developer will
need to have two or more private keys for SSH and be able to select between
them (see man ssh
for more information on configuring multiple private
keys).
Also, each repository can only have a single configuration file, with access configured for all branches in the repository. This means that if different access rules are needed for different projects, then those projects must be in different repositories. This then necessitates the use of multiple private keys as just described.
Finally, as noted above under Using SSH all of the public keys may be
included in the authorized_keys
file of a single user on the server. It
is also possible to use a single private/public key pair for all of the
developers, but this only allows a single username for access control to the
repository (since the username is associated with the public key in
authorized_keys
. While this is certainly possible it seems to defeat the
purpose of fine-grained access control, although it does provide the same
limited SSH access as that described above.
Back-up and Restore¶
Backing up Bazaar branches can be done in two different ways. If an existing filesystem-based backup scheme already exists, then it can easily be used where the Bazaar branches reside. Alternately, Bazaar itself can be used to mirror the desired branches to or from another location for backup purposes.
Filesystem Backups¶
Bazaar transactions are atomic in the sense that the disk format is such that it is in a valid state at any instant in time. However, for a backup process that takes a finite amount of time to complete, it is possible to have inconsistencies between different on-disk structures when backing up a live branch or repository. (Bazaar itself manages this concurrency issue by only reading those structures in a well-defined order.) Tools such as LVM that allow instantaneous snapshots of the contents of a disk can be used to take filesystem backups of live Bazaar branches and repositories.
For other backup methods, it is necessary to take the branch or repository
offline while the backup is being done in order to guarantee consistency
between the various files that comprise a Bazaar branch’s history. This
requirement can be alleviated by using Bazaar as its own backup client,
since it follows an order for reading that is designed to manage concurrent
access (see the next section for details). Depending on the different
access methods that are being used for a branch, there are different ways to
take the branch “offline”. For bzr+ssh://
access, it is possible to
temporarily change the filesystem permissions to prevent write access from
any users. For http://
access, changing permissions, shutting down
the HTTP server or switching the server to a separate configuration that
disallows access are all possible ways to take a branch offline for backup.
Finally, for direct filesystem access, it is necessary to make the branch
directories un-writable.
Because this sort of downtime can be very disruptive, we strongly encourage using Bazaar itself as a backup client, where branches are copied and updated using Bazaar directly.
Bazaar as its own backup¶
The features that make Bazaar a good distributed version control system also
make it a good choice for backing itself up. In particular, complete and
consistent copies of any branch can easily be obtained with the branch
and
pull
commands. As a result, a backup process can simply run brz pull
on a copy of the main branch to fully update that copy. If this backup
process runs periodically, then the backups will be as current as the last
time that pull
was run. (This is in addition to the fact
that revisions are immutable in Bazaar so that a prior revision of a branch is
always recoverable from that branch when the revision id is known.)
As an example, consider a separate backup server that stores backups in
/var/backup
. On that server, we could initially run
$ cd /var/backup
$ brz branch bzr+ssh://server.example.com/srv/bzr/trunk
$ brz branch bzr+ssh://server.example.com/srv/bzr/feature-gui
to create the branches on the backup server. Then, we could regularly (for
example from cron
) do
$ cd /var/backup/trunk
$ brz pull # the location to pull from is remembered
$ cd ../var/backup/feature-gui
$ brz pull # again, the parent location is remembered
The action of pulling from the parent for all branches in some directory is common enough that there is a plugin to do it.
Bound Branch Backups¶
When brz pull
is run regularly to keep a backup copy up to date, then it
is possible that there are new revisions in the original branch that have not
yet been pulled into the backup branch. To alleviate this problem, we can set
the branches up so that new revisions are pushed to the backup rather than
periodically pulling. One way to do this is using Bazaar’s concept of bound
branches, where a commit in one branch happens only when the same commit
succeeds in the branch to which it is bound. As a push-type technology, it
is set up on the server itself rather than on the backup machine. For each
branch that should be backed up, you just need to use the bind
command to
set the URL for the backup branch. In our example, we first need to create
the branches on the backup server (we’ll use brz push
, but we could as
easily have used brz branch
from the backup server)
$ cd /srv/bzr/projectx/trunk
$ brz push bzr+ssh://backup.example.com/var/backup/trunk
$ cd ../feature-gui
$ brz push bzr+ssh://backup.example.com/var/backup/feature-gui
and then we need to bind the main branches to their backups
$ cd ../trunk
$ brz bind bzr+ssh://backup.example.com/var/backup/trunk
$ cd ../feature-gui
$ brz bind bzr+ssh://backup.example.com/var/backup/feature-gui
A branch can only be bound to a single location, so multiple backups cannot be created using this method.
Using the automirror plugin mentioned under Hooks and Plugins, one can
also make a push-type backup system that more naturally handles mutliple
backups. Simply set the post_commit_mirror
option to multiple URLs
separated by commas. In order to backup to the backup server and a
remote location, one could do
$ cd /srv/bzr/trunk
$ echo "post_commit_mirror=bzr+ssh://backup.example.com/var/backup/trunk,\
bzr+ssh://offsite.example.org/projectx-corp/backup/trunk" >> .bzr/branch/branch.conf
$ cd ../feature-gui
$ echo "post_commit_mirror=bzr+ssh://backup.example.com/var/backup/feature-gui,\
bzr+ssh://offsite.example.org/projectx-corp/backup/feature-gui" >> .bzr/branch/branch.conf
As for any push-type backup strategy that maintains consistency, the downside of this method is that all of the backup commits must succeed before the initial commit can succeed. If there is a many mirror branches or if the bound branch has a slow network connection, then the delay in the original commit may be unacceptably long. In this case, pull-type backups, or a mixed system may be preferable.
Restoring from Backups¶
Checking backup consistency¶
Many a system administrator has been bitten by having a backup process,
but when it came time to restore from backups, finding out that the backups
themselves were flawed. As such, it is important to check the quality of the
backups periodically. In Bazaar, there are two ways to do this: using the
brz check
command and by simply making a new branch from the backup. The
brz check
command goes through all of the revisions in a branch and checks
them for validity according to Bazaar’s internal invariants. Since it goes
through every revision, it can be quite slow for large branches. The other
way to ensure that the backups can be restored from is to perform a test
restoration. This means performing the restoration process in a temporary
directory. After the restoration process, brz check
may again be relevant
for testing the validity of the restored branches. The following two sections
present two restoration recipes.
Restoring Filesystem Backups¶
There are many different backup tools with different ways of accessing the
backup data, so we can’t cover them all here. What we will say is that
restoring the contents of the /srv/bzr
directory completely will restore
all branches stored there to their state at the time of the backup (see
Filesystem Backups for concerns on backing up live branches.) For
example, if the backups were mounted at /mnt/backup/bzr
then we could
restore using simply:
$ cd /srv
$ mv bzr bzr.old
$ cp -r /mnt/backup/bzr bzr
Of course, to restore only a single branch from backup, it is sufficient to copy only that branch. Until the restored backup has been successfully used in practice, we recommend keeping the original directory available.
Restoring Bazaar-based Backups¶
In order to restore from backup branches, we can simply branch them into the appropriate location:
$ cd /srv
$ mv bzr bzr.old
$ cd bzr
$ brz branch bzr+ssh://backup.example.com/var/backup/trunk
$ brz branch bzr+ssh://backup.example.com/var/backup/feature-gui
If there are multiple backups, then change the URL above to restore from the other backups.
Upgrades¶
Bazaar has a strong commitment to inter-version compatibility both on disk and over the network. Newer clients should be able to interact with older versions on the server (although perhaps not at optimal speed) and older clients should also be able to communicate with newer versions of Bazaar on the server. Divergences from this rule are considered bugs and are fixed in later versions.
That said, Bazaar is constantly improving and the most recent versions are the most featureful and have better performance. In particular, the Bazaar versions 2.0 and later have significant advantages over earlier versions, including a more compact disk format, faster network operations and overall performance improvements. With the 2.0 release, Bazaar has moved to a stable/development release model where the 2.x series is maintained with bugfixes releases for six months, while simultaneously the 2.(x+1) series is being developed with monthly beta releases that are suitable for everyday use. Bazaar development has a stable trunk with an extensive test suite, so there is no reason to fear using the development series for everyday use, it simply changes more often than the stable series. Many users do run the development version of Bazaar and update it regularly, including most of the Bazaar developers themselves.
Software upgrades¶
Upgrading the Bazaar software is as simple as re-installing the Python package using either the latest binary package for Windows or Mac OS X, the binary package provided by your GNU/Linux distribution, or installing from the source release. See http://wiki.breezy-vcs.org/Downloads for the latest releases for all supported platforms.
Bazaar’s later versions support all of the earlier disk formats (back to the very first one), so there is no need to upgrade the branches on the disk when upgrading the software. To make use of particular new features that might need updated versions on both the server and developer’s machines, it does not matter if the clients or the servers are upgraded first.
Disk format upgrades¶
In its evolution, Bazaar has used a sequence of disk formats for improved storage efficiency and speed. With the new disk format released in version 2.0, there is a commitment to keep that disk format until version 3.0 is released, which has not even been planned yet. (Bazaar 2.0 was released almost two years after Bazaar 1.0.) As a result, disk format upgrades should be extremely infrequent.
If there are existing branches in an older format that you would like to upgrade to the latest format, you can see the 2.0 Upgrade Guide for more information. From the system administration perspective, it is important to coordinate the timing of various upgrades in the process. First, the central branches on the server should be upgraded. Next, any local mirrors that developers have should be upgraded. Finally, developers’ local branches should be upgraded. These upgrades will require an appropriate version of the software whenever they are performed. (It is possible to upgrade branches remotely over the network, but it may be much slower.)
Plugin upgrades¶
When Bazaar does update its version, plugins that use the Bazaar API may need to be upgraded to reflect changes in that API. Some plugins have strict version dependencies on the version of the Bazaar API that they will accept. If this is the case, then you should ensure that the plugins you depend on have been updated before you upgrade your Bazaar version to avoid a situation where your plugins won’t work with the installed version of Bazaar. If this does happen, then the solution is simply to reinstall the previous version of Bazaar that did work with the plugins. For installations that depend on a large number of plugins, this sort of version upgrade should be tested in a safe sandbox to ensure that the entire collection of Bazaar and its plugins can all work together.
Advanced Topics¶
System Monitoring¶
Capacity Planning Tips¶
Clustering¶
Multi-site Setups¶
The “distributed” in distributed version control system should indicate that Bazaar is well suited for multi-site development situations and indeed, that is the case. The advantage comes from the ease and transparency of managing merges between branches with divergent history. Note that there are many, many different ways to manage widely-flung development setups using Bazaar and its branching and merging capabilities. These can be discovered and tested before being implemented as policy. We will describe one such possible setup here.
Consider ProjectX Corp’s international expansion with a new branch office in Darwin, Australia, in addition to the company’s headquarters in Austin, Texas, USA. One of the difficulties of a far-flung multi-site development environment such as this is that the network connection between Australia and Texas is slow and unreliable. So, each branch office would like the master branch to be local to them. (In situations with good network connectivity, a local branch bound to the remote master may be all that is needed to support multi-site development.)
Of course, with two master branches, there is always the question of which one is authoritative. Given Bazaar’s facility at managing multiple branches, we suggest that it is best not to privilege either the Texas or Australia branches, but to merge both of them into a separate master branch (which may reside at either site). For definiteness, we will locate the master branch at the Texas site. So, we will have three branches stored on two servers: trunk and texas-integration at the Texas site and australia-integration at the Darwin site. These branches are named in terms of the sites where the development takes place, but in many cases it may make more sense to name branches after the functional teams rather their geographical locations. Since we are trying illustrate the issues with multi-site development, we will persist in this naming scheme.
Setup¶
Using our previous setup at the Texas site, we will simply rename the old trunk branch as trunk and branch a copy as texas-integration.
$ cd /srv/bzr/projectx
$ mv trunk trunk # can simply rename on the filesystem
$ brz branch trunk texas-integration # very fast in a shared repository
In Australia, we need to set up the /srv/bzr/projectx
directory and get a
copy of the current trunk as australia-integration:
$ mkdir -p /srv/bzr
$ cd /srv/bzr
$ brz init-shared-repo --no-trees projectx
$ cd projectx
$ brz branch bzr+ssh://server.example.com/srv/bzr/trunk
$ brz branch trunk australia-integration
Merging to master¶
Then, each office works with their local copy of the trunk. At some point, sooner or later depending on the pace of development in the two locations, the two local trunks need to be merged. (In general, sooner beats later when merging, since there is no penalty for multiple merges.) In this example, Alice at the Texas office will do the merging on her local machine using branches on the server:
# Get a copy of the Australia branch in Texas. After the initial branch
# command, use pull to keep the branch up to date. With a slow network,
# this is the only slow part
$ brz branch bzr+ssh://autralia.example.com/srv/bzr/projectx/australia-integration \
bzr+ssh://server.example.com/srv/bzr/projectx/australia-integration
# Check out the master branch locally for doing the merge
$ cd ~/projectx
$ brz checkout bzr+ssh://server.example.com/srv/bzr/projectx/trunk
$ cd trunk
$ brz merge bzr+ssh://server.example.com/srv/bzr/projectx/texas-integration
# Run the test suite and resolve any conflicts
$ brz commit -m "Merge Texas branch to master"
# Now, merge from Australia using the local copy of that branch
$ brz merge bzr+ssh://server.example.com/srv/bzr/projectx/australia-integration
# Run the test suite and resolve any conflicts between the two offices
$ brz commit -m "Merge Australia branch to master"
Note that Bazaar does not commit even cleanly applied merges by default. This
is because although a merge may apply cleanly, the merged state still needs to
be checked before it is committed. (Just because there are no text conflicts
does not mean that everything will work after a merge.) An alternative that
can pull when possible and merge otherwise is available with
brz merge --pull
.
Merging back to local trunks¶
Now the trunk branch is the most up-to-date version of the software and
both of the local trunks need to reincorporate the changes from the master.
If no new commits have been made to texas-integration, then that can happen using
brz pull
:
$ cd ~/projectx
$ brz checkout bzr+ssh://server.example.com/srv/bzr/projectx/texas-integration
$ cd texas-integration
$ brz pull ../trunk # Use trunk from the local disk
# No need to commit
If new changes have happened on texas-integration since the integration with trunk, then the above pull will produce an error suggesting to use merge:
$ brz merge ../trunk
# Run test suite, resolve conflicts
$ brz commit -m "Merging Australian changes"
In Australia, they will need to update their local copy of trunk:
$ cd /srv/bzr/projectx/trunk
$ brz pull # parent location is used by default
Then, they need to pull or merge the changes from trunk into the local trunk. This should be done by a developer with a checkout of australia-integration so that they can run the test suite:
$ cd ~/projectx
$ brz co bzr+ssh://australia.example.com/srv/bzr/projectx/australia-integration
$ cd australia-integration
$ brz merge bzr+ssh://australia.example.com/srv/bzr/projectx/trunk
# Run test suite and integrate Texan changes with only recent local
# development
$ brz commit -m "Integrate work from Texas"
Other Considerations¶
Multi-site deployments can be complicated, due to the many possible variations of development velocity, divisions of labor, network connectivity, resources for integration, etc. The preceding description is meant to be one possible way to do fairly symmetric multi-site development. (Neither Texas or Australia is privileged in this structure.) In a situation where there is one main site and other smaller sites, one of the local trunk branches can be eliminated and trunk can be used directly for development at the main site.
It is also up to the particular situation how frequently the local trunks are integrated into the master trunk. Given resources specifically for integration, it is conceivable that a developer may be constantly responsible for integrating changes from the two teams. Alternatively, the two sites could work on well-separated, well-defined features and merge to the master trunk only when their respective features are complete. Given the difficulty of resolving conflicts in very large merges and the ease of merge handling in Bazaar, we suggest that merges be done more frequently, rather than less.
Licence¶
Copyright 2008-2011 Canonical Ltd. Copyright 2018 Breezy Developers
Breezy is free software, and you may use, modify and redistribute both Breezy and this document under the terms of the GNU General Public License version 2 or later. See <http://www.gnu.org/licenses/>.