When performing some action on another user's repo, you will see the message
Not trusting file /home/bob/repo/.hg/hgrc from untrusted user bob, group users
This is fine, and I don't necessarily want to trust bob, but when running certain commands, I don't want to see this output as it can interfere. It is printed to stderr, but I don't want to redirect all stderr output to null, nor do I want to redirect it to stdout and suppress it.
Is there any way to simply prevent mercurial from printing this? -q does not do it.
Yes, you can configure the warning:
[ui]
report_untrusted = False
The config settings are documented online and in the built-in help (hg help config) and in the manual page (man hgrc on a Unix-like system).
Related
I'm trying to clone a Mercurial repository hosted on BitBucket via SSH from the Windows command line.
When I add the --debug flag I can see that it never gets past the 'sending between command'
When I ctrl+c, it just shows interrupted! without any other error messages.
I'm also looking at the Resource Monitor and it's not showing any related network traffic after the first minute or so.
I have tried adding the --noupdate option and the --uncompressed option with the same results.
Windows Server 2012 with just Mercurial - No TortoiseHg
Any ideas?
Is there a reason the 'sending between command' would take awhile? The repository is about 150MB
I know I'm late to the party, since Bitbucket has long dropped the Mercurial support, still this might be relevant to those setting it up on Windows to use with any other service or in a self-hosted environment.
I assume that you've set plink as your SSH client. If not, this can be easily done by adding the ssh parameter in your Mercurial configuration. Here is what my mercurial.ini file's contents look like:
>hg config --edit
[ui]
ssh="C:\programs\putty\plink.exe" -ssh -2
I spent like two hours tinkering around with my setup before I had an Aha! moment and tried to connect to the server with plink to see if the problem lies there:
>plink.exe hg-ssh#hg.example.com -noagent id
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 90:8d:b0:26:c5:6e:74:2a:6c:3d:80:42:54:9e:15:47
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n)
Bingo!
As you can see here, plink prompts for the input, and we have to provide it before it can proceed any further. So this is what makes hg hang indefinitely if we don't.
You can also download Process Explorer, open it and choose Show Process Tree (Ctrl+T) from the View menu, and search for the process plink. You can see that this process is running and is a child of hg.
I answered "y", and the key was cached in a registry entry under the
Computer\HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\SshHostKeys
The new entry contains the remote server name and the key itself.
Once that was out of the way, I could go about my business using clone, push, pull, as well as other commands, like in and out:
>hg clone ssh://hg-ssh#hg.example.com/review
destination directory: review
requesting all changes
adding changesets
adding manifests
adding file changes
added 2 changesets with 4 changes to 4 files
new changesets f82779871203:e9b1a2b79f98 (1 drafts)
updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
It looks like hg messes with the input and the output of the SSH client, and you never get to see what is going on there, nor can you interact with it. And specifying the --debug option makes no difference.
You can also supply the -sshlog option to plink to save the log protocol details of a session to a file:
[ui]
ssh="C:\programs\putty\plink.exe" -ssh -2 -sshlog plink.log
Here is a portion of the log, where it says that a host key is unknown to the client:
Incoming packet #0x2, type 21 / 0x15 (SSH2_MSG_NEWKEYS)
Event Log: Server also has ecdsa-sha2-nistp256/ssh-rsa host keys,
but we don't know any of them
Event Log: Host key fingerprint is:
Event Log: ssh-ed25519 255 90:8d:b0:26:c5:6e:74:2a:6c:3d:80:42:54:9e:15:47
And it is getting stuck around that spot waiting for the user input.
Out of curiosity I downloaded the Mercurial source code and tracked the debug messages down to the method _performhandshake in hg/mercurial/sshpeer.py:
$ hg clone https://www.mercurial-scm.org/repo/hg
$ grep -R 'sending between command' hg
$ less hg/mercurial/sshpeer.py
ui.debug(b'sending hello command\n')
ui.debug(b'sending between command\n')
Full sshpeer.py source code.
You can see up the call stack there's a call inside the instance to the _makeconnection, which in turn calls the procutil.popen4, which then uses subprocess.Popen class constructor to spawn a new process, and subprocess.PIPE is used as a value of the stdin, stdout, and stderr arguments.
And from the subprocess manual, you can see that:
PIPE indicates that a new pipe to the child should be created.
So this pretty much explains why you cannot interact with the SSH client, as all its standard input, standard output, and standard error are eaten up by Mercurial.
Anyone reading this answer, give this solution a try, and let us know if it was helpful!
I've got my code in a Mercurial repository (secured with a self-signed certificate) and I'm trying to set up Jenkins to work with it.
I've got the Mercurial plugin installed in Jenkins (pointing to an install of TortoiseHg on the Jenkins Server/Slaves) and the Jenkins Job is properly configured to grab the source from the repository.
When I build manually (ie, via the web interface) everything works as expected.
However, it seems like the polling of the repository does not succeed as I get output similar to the following:
Started on Apr 27, 2012 1:07:41 PM
[<jobname>] $ hg pull --rev default
warning: <MercurialServerIP> certificate with fingerprint e3:5f:5e:ea:4f:da:ef:a4:0b:4a:bb:00:e8:31:59:de:ce:d0:28:94 not verified (check hostfingerprints or web.cacerts config setting)
abort: mercurial_keyring: http authorization required but program used in non-interactive mode
[<jobname>] $ hg log --style <workspace>\<jobname>\tmp688470509422797505style --branch default --no-merges --prune 65d180b20a1e625841c8385709c86b83c3e10421
Done. Took 1.9 sec
No changes
I've previously done a manual clone of a repository so that I was able to enter the user's password to work with the Mercurial keyring extension for the authorization, but based on the error output it doesn't seem as though that's being applied.
How can I configure Jenkins or the machine running the build to do the polling successfully?
This may not be the best way to address the issue, but it worked for me and I'm able to move on.
The only way I was able to figure out how to get the server to remember the password in my setup was to specify it manually in \mercurial.ini .
NOTE: You may also have to remove the mercurial_keyring line from mercurial.ini. (This disables the keyring extension since we're specifying everything manually.)
I had previously believed that cloning a repository once on the server would let it remember the password, but this doesn't seem to work with the polling functionality in Jenkins (although it did work with my actual build scripts when they were executed on the server).
I'm not particularly pleased with having the password in plain text on the server, but until I find a better way to get the polling to work I can live with this.
Using the "kilnauth extension" you can have you credentials stored on your machine. This way you don't have to configure anything special on Jenkins.
$ hg help kilnauth
kilnauth extension - stores authentication cookies for HTTP
repositories. This extension knows how to capture Kiln
authentication tokens when pushing over HTTP.
This means you only need to enter your login and password once;
after that, the FogBugz token will be stored in your home
directory, allowing pushing without a password.
For instructions on how to install it follow: http://kiln.stackexchange.com/questions/341/how-can-i-install-kilns-mercurial-extensions-manually
This may seem like a dumb idea, but is there anyway to serve a mercurial repository over http without any of the webinterface features bundled in hgweb.cgi .
I would like users to be able to clone/push the repository over http:// but I do not want them to be able to view the repositories or files through a web interface.
Static HTTP is an option, but the official mercurial docs claim that this is very slow.
If this is not trivial, is anyone aware of a example code that serves an hg repository over http, without any support for a browser interface preferrably?
Thanks in advance.
I did a quick check of the hgweb files and found this:
Find the hgweb/webcommands.py file of your mercurial installation, and open it in an editor. Change the following code at the top of the file:
__all__ = [
'log', 'rawfile', 'file', 'changelog', 'shortlog', 'changeset', 'rev',
'manifest', 'tags', 'bookmarks', 'branches', 'summary', 'filediff', 'diff',
'annotate', 'filelog', 'archive', 'static', 'graph', 'help',
]
to this:
__all__ = [
]
This disables all web commands; you can still view the list of repos, but not any more infos about them.
I did check hg clone and hg pull, but not hg push.
I don't know why you want to restrict access to the UI part since any information provided here is accessible if they can access the files, but so be it :P
If you want some clean solution, I think taking the code of hgweb.cgi and rewrite it won't be too difficult, but I think you can also do something quicker : hg serve -t /dev/null
This will use /dev/null as the template for the UI part, so the users will receive an "Internal Server Error" page when connecting to the server but will be able to access the repository just fine through hg.
Only downside, the log will be field with errors if there's access through a browser.
PS: if you're not on a Unix system, just use any empty directory as a source for the templates.
I am trying to set up a hook to notify me about new commits via mail.
Because of the issue described in Mercurial hook not executing properly, I can't seem to get it running by simply adding the following to my .hg/hgrc, since the script wouldn't run:
[hooks]
changegroup = /path/to/script
As a workaround, I added the hook in the hgweb.config where it runs as expected. Now since I'm pushing through HTTP, the actual user running the script is apache (as determined by running id from within the hook), which means that I get errors like
Not trusting file .hg/hgrc from untrusted user u, group g
I added
[trusted]
users = u
but the same errors remain. What am I doing wrong? Am I understanding this completly wrong? Appreciate any help!
You should add both the hook and the trust blocks not in the hgweb.config but in a .hgrc file in the apache user's home directory. One doesn't usually think of system users having home directories, but they all do, and you can find in in /etc/password. It's often something like /var/www, so if you create a /var/www/.hgrc file, make sure it's owned by the Apache user, and add the hook and the trust you'll be good to go.
Would anyone know how I can restrict users from pushing to an hg repository if I give then access via hg-ssh?
Some details to help eliminate the obvious:
1) This is a for a shared hosting situation where I don't have root access to install mercurial-server nor can I create the "hg" username that it requires.
2) When I allow a user to connect via SSH to a shared hosting site, they will basically have their public key in my authorized_keys file and they will have be authenticated as me (i.e. they will have my credentials on the server). I can restrict their access to only a few hg repositories by specifying a "command=" clause in my authorized_keys file as documented here: https://www.mercurial-scm.org/repo/hg-stable/raw-file/tip/contrib/hg-ssh. However that gives the user full access to these repositories. Can I restrict this to pull-only access?
Any of these would solve my problem:
1) I know that mercurial-server solves this problem somehow because all the users their share the same user account called "hg". How do they do it? Can I do the same without root-access to set up things?
OR 2) Is there is a patch that I can add to hg-ssh such that hg-ssh can take some permissions on its command-line. Something like "hg-ssh -read-only repo1 repo2 -read-write repo3".
OR 3) Get "hg -R {repo} serve --stdio" to take a command line option such that it will not allow push.
The quick and dirty way would be to tweak the command= value to be something like this:
command=hg-ssh --config hooks.pretxnchangegroup=false repo1 repo2
but that's just the AclExtension done sloppily.
mercurial-server gives you the simplest control over this. You can install it as a non-root user, but you have to take a little longer to understand how it works.
Use the AclExtension. It lets you block access for ssh actions as well as http actions, and since it's enabled/disabled by hooks you'll be able to bypass it when you're logged in interactively.