Publishing maven artifacts
So lucky you have just finished a release of your latest and greatest project, and now you want to make it available to the whole wide world. If you are in Maven land this usually means getting it up into the central Maven repository. There are currently two ways of doing this, as described in the official guide. You can either file a manual upload request or have the central repository pull your releases from your own repository. Bigger entities like Apache or Codehaus in particular are using this mechanism – but there is no reason you can’t do so yourself. Manual upload requests are, well, manual work, and requests are only served on a voluntary basis. Worst case, it could take a couple of weeks until your artifacts are available. That’s why I’ve recently switched to the automatic repository sync.
The central repository machine will use rsync to connect to your machine. As I did not want to open up another service on my server, I went for the rsync over ssh option. So I’ve created a new account, then added my public key and the public key from the repository server.
adduser --disabled-password --home /home/rsync rsync
cd /home/rsync
mkdir .ssh
cat > .ssh/authorized_keys
Copy your repository over into an m2repo folder.
/home/rsync# ls -l m2repo/
total 8
drwxr-xr-x 3 tcurdt tcurdt 4096 Oct 21 11:49 releases
drwxr-xr-x 3 tcurdt tcurdt 4096 Oct 21 11:49 snapshots
Then make sure you can successfully log in and sync files from there to your local machine.
rsync --include=*/ --include=**/maven-metadata.xml* --exclude=* -Lrtivz "--rsh=ssh " [email protected]:m2repo test
Now you are pretty much done already. As described, you can just open a Jira issue with the CSVs for your server.
"org.yourdomain","[email protected]:m2repo/releases","rsync_ssh","Your Name","[email protected]",,
Just subscribe to the Atom feed to see if there are any errors coming up. As of today synchronization happens every 4 hours.
While you could stop here, I didn’t. I didn’t really feel comfortable handing out ssh access to my server like that. You can restrict access to the server even further via ssh, using a script that validates the requested command:
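#!/bin/sh
# Forced command for the rsync account: sshd puts the command the client
# asked for in SSH_ORIGINAL_COMMAND; only the expected rsync call is run.
LOG=error.log
case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        echo "Rejected $SSH_ORIGINAL_COMMAND" >> "$LOG"
        echo "Rejected $SSH_ORIGINAL_COMMAND"
        ;;
    *\;*)
        echo "Rejected $SSH_ORIGINAL_COMMAND" >> "$LOG"
        echo "Rejected $SSH_ORIGINAL_COMMAND"
        ;;
    rsync\ --server\ --sender\ -vLtrze.i\ .\ *)
        # Unquoted on purpose: the string is split into rsync's arguments.
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Rejected $SSH_ORIGINAL_COMMAND" >> "$LOG"
        echo "Rejected $SSH_ORIGINAL_COMMAND"
        ;;
esac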
To restrict ssh, you need to edit the .ssh/authorized_keys file and prepend the following options to the individual lines:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/rsync/.rsync/validate-rsync.sh" ssh-dss ...
Now the only command that gets accepted via ssh is the desired rsync. Much better!
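A stricter variant of the validation script, as an added example that is not the post's own code: the pattern above accepts any path after the fixed rsync prefix, so this version also pins the requested path to the published tree and passes it to rsync as a single quoted argument. It assumes the repository root is m2repo relative to the account's home and reuses the flag string from the post; allowed_path is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not the post's script: forced command that also checks
# which path the client asked rsync to send.
# Assumptions: flag string copied from the post, repository root "m2repo".
PREFIX='rsync --server --sender -vLtrze.i . '
ROOT='m2repo'

# Print the requested path and return 0 if the command is acceptable;
# return 1 (printing nothing) otherwise.
allowed_path() {
    cmd=$1
    case "$cmd" in
        "$PREFIX"*) path=${cmd#"$PREFIX"} ;;
        *) return 1 ;;
    esac
    case "$path" in
        *[!A-Za-z0-9._/-]*) return 1 ;;     # whitespace, shell or glob characters
        ..|../*|*/..|*/../*) return 1 ;;    # parent-directory components
    esac
    case "$path" in
        "$ROOT"|"$ROOT"/*) printf '%s\n' "$path" ;;
        *) return 1 ;;                      # anything outside the repository
    esac
}

# Forced-command entry point: does nothing when sshd set no command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if path=$(allowed_path "$SSH_ORIGINAL_COMMAND"); then
        # Explicit argument list: no word splitting or globbing of client input.
        exec rsync --server --sender -vLtrze.i . "$path"
    fi
    echo "Rejected $SSH_ORIGINAL_COMMAND" >> "$HOME/error.log"
    echo "Rejected $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Different rsync client versions can send a different flag string, so PREFIX has to match what the syncing client actually sends; the rejected commands in the log show the exact string.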