Torsten Curdt’s weblog

Publishing maven artifacts

So lucky you have just finished a release of your latest and greatest project. And now you want to make it available to the whole wide world. If you are in maven land this usually means getting it up into the central maven repository. There are currently two ways of doing this, as described in the official guide. You can either file a manual upload request or have the central repository pull your releases from your own repository. Especially bigger entities like Apache or Codehaus are using this mechanism – but there is no reason you can’t do so yourself. Manual upload requests are, well, manual work, and requests are only served on a voluntary basis. Worst case, it could take a couple of weeks until your artifacts are available. That’s why I’ve recently switched to the automatic repository sync.

The central repository machine will use rsync to connect to your machine. As I did not want to open up another service on my server, I went for the rsync over ssh option. So I’ve created a new account, then added my public key and the public key from the repository server.

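# Dedicated account without a password; login is by ssh key only
adduser --disabled-password --home /home/rsync rsync
cd /home/rsync
mkdir .ssh
# Paste your public key and the repository server's public key, then press Ctrl-D
cat > .ssh/authorized_keys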

Copy your repository over into an m2repo folder.

/home/rsync# ls -l m2repo/
total 8
drwxr-xr-x 3 tcurdt tcurdt 4096 Oct 21 11:49 releases
drwxr-xr-x 3 tcurdt tcurdt 4096 Oct 21 11:49 snapshots

Then make sure you can successfully log in and sync files from there to your local machine:

rsync --include=*/ --include=**/maven-metadata.xml* --exclude=* -Lrtivz "--rsh=ssh " [email protected]:m2repo test

Now you are pretty much done already. As described, you can just open a jira issue with the CSVs for your server:

"org.yourdomain","[email protected]:m2repo/releases","rsync_ssh","Your Name","[email protected]",,

Just subscribe to the atom feed to see if there are any errors coming up. As of today synchronization happens every 4 hours.

While you could stop here, I didn’t. I didn’t really feel comfortable handing out ssh access to my server like that. You can restrict access to the server even further via ssh, using a validation script like this one:

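#!/bin/sh
# Forced-command wrapper: sshd runs this script instead of the command the
# client asked for, and passes that request in SSH_ORIGINAL_COMMAND.

LOG=error.log

case "$SSH_ORIGINAL_COMMAND" in
*\&*)
    # Reject anything containing '&'
    echo "Rejected $SSH_ORIGINAL_COMMAND" >> "$LOG"
    echo "Rejected $SSH_ORIGINAL_COMMAND"
    ;;
*\;*)
    # Reject anything containing ';'
    echo "Rejected $SSH_ORIGINAL_COMMAND" >> "$LOG"
    echo "Rejected $SSH_ORIGINAL_COMMAND"
    ;;
rsync\ --server\ --sender\ -vLtrze.i\ .\ *)
    # The expected read-only rsync invocation; the trailing * matches any path argument
    $SSH_ORIGINAL_COMMAND
    ;;
*)
    # Everything else is rejected and logged
    echo "Rejected $SSH_ORIGINAL_COMMAND" >> "$LOG"
    echo "Rejected $SSH_ORIGINAL_COMMAND"
    ;;
esac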


To restrict ssh, edit the .ssh/authorized_keys file and prepend the following options to the individual lines:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/rsync/.rsync/validate-rsync.sh" ssh-dss ...

Now the only command that gets accepted via ssh is the desired rsync. Much better!
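
A stricter variant of the validation script, as an added example that is not the author's code: besides matching the rsync options, it pins the requested path below m2repo and refuses ".." or extra arguments, which the trailing * in the pattern above accepts. The m2repo location and the rsync option string are taken from the post; the function name is_allowed_rsync is made up for this example.

```shell
#!/bin/sh
# Added example: forced-command validator that pins the rsync options AND the path.
# Assumptions: the repository lives in $HOME/m2repo and the client sends the
# "rsync --server --sender -vLtrze.i . <path>" form quoted in the post.

ALLOWED_PREFIX='rsync --server --sender -vLtrze.i . '

# Return 0 only for the expected read-only rsync invocation under m2repo.
is_allowed_rsync() {
    cmd=$1
    case "$cmd" in
        "$ALLOWED_PREFIX"m2repo|"$ALLOWED_PREFIX"m2repo/*) ;;
        *) return 1 ;;
    esac
    path=${cmd#"$ALLOWED_PREFIX"}
    case "$path" in
        *..*) return 1 ;;                # no climbing out of m2repo
        *[!A-Za-z0-9._/-]*) return 1 ;;  # one plain path: no spaces, globs or metacharacters
    esac
    return 0
}

# Entry point when sshd runs this script via command="..." in authorized_keys.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f                           # no pathname expansion on the split words
        exec $SSH_ORIGINAL_COMMAND       # unquoted on purpose: split into rsync's arguments
    fi
    printf '%s @%s Rejected command (%s)\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
        "${SSH_CLIENT%% *}" "$SSH_ORIGINAL_COMMAND" >> "$HOME/rsync-error.log"
    echo "Rejected" >&2
    exit 1
fi
```

The option string rsync sends depends on the client's version and flags, so check the rejection log and adjust ALLOWED_PREFIX to what actually arrives.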

  • Oleg
    As per http://www.javaworld.com/commu... this type of publishing is no longer supported :(
  • itjobs1
    Thanks for that! That's very useful. ;-)
  • ... for either the original access script or mine, check the log file to adjust the "rsync-server*" parameters to exactly what Maven sends. For getting things started, I recommend using my script and copying the printf line to the top and relaxing the "rsync -server..." pattern until you can see what Maven is sending.
  • More succinct access control script with better logging:

    #!/bin/bash -p

    case "$SSH_ORIGINAL_COMMAND" in
    *['&;']*) ;;  # contains & or ; : run nothing here, fall through to the rejection log below
    'rsync --server --sender -vLtrze.i . m2repo/'*) exec $SSH_ORIGINAL_COMMAND;;
    esac


    TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
    printf "%s @%s Rejected command (%s)\n" "$TIMESTAMP" "${SSH_CLIENT%% *}" "$SSH_ORIGINAL_COMMAND" >> "$HOME/rsync-error.log"
    echo "Rejected $SSH_ORIGINAL_COMMAND"
  • great! I have added a link to these instructions in the guide
    http://maven.apache.org/guides...