Context Navigation

source: general/prog/gitserver.xml

Visit:

trunk

Last change on this file was ab4fdfc, checked in by Pierre Labastie <pierre.labastie@…>, 3 months ago
Change all xml decl to encoding=utf-8
Property mode set to `100644`
File size: 14.3 KB

Line
1	<?xml version="1.0" encoding="UTF-8"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6	<!ENTITY gitgid "58">
7	<!ENTITY gituid "58">
8	]>
9
10	<sect1 id="gitserver" xreflabel="Running a Git Server">
11	<?dbhtml filename="gitserver.html"?>
12
13
14	<title>Running a Git Server</title>
15
16	<sect2 role="package">
17	<title>Introduction</title>
18
19	<para>
20	This section will describe how to set up, administer and secure a
21	<application>git</application> server. <application>Git</application>
22	has many options available. For more detailed documentation see
23	<ulink url="https://git-scm.com/book/en/v2"/>.
24	</para>
25
26	<bridgehead renderas="sect3">Server Dependencies</bridgehead>
27
28	<bridgehead renderas="sect4">Required</bridgehead>
29	<para role="required">
30	<xref linkend="git"/> and
31	<xref linkend="openssh"/>
32	</para>
33
34	</sect2>
35
36	<sect2 role="configuration">
37	<title>Setting up a Git Server</title>
38
39	<para>
40	The following instructions will install a
41	<application>git</application> server. It will be set
42	up to use <application>OpenSSH</application> as the secure
43	remote access method.
44	</para>
45
46	<para>
47	Configuration of the server consists of the following steps:
48	</para>
49
50	<sect3>
51	<title>1. Set Up Users, Groups, and Permissions</title>
52
53	<para>
54	You will need to be user <systemitem class='username'>root</systemitem>
55	for the initial portion of configuration. Create the <systemitem
56	class="username">git</systemitem> user and group and set and unusable
57	password hash with the following commands:
58	</para>
59
60	<screen role="root"><userinput>groupadd -g &gitgid; git &&
61	useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git &&
62	sed -i '/^git:/s/^git:[^:]:/git:NP:/' /etc/shadow</userinput></screen>
63
64	<para>
65	Putting in an unusable password hash (replacing the <literal>!</literal>
66	by <literal>NP</literal>) unlocks the account but it cannot be used
67	to login via password authentication. That is required by
68	<application>sshd</application> to work properly.
69	Next, create some files and directories in the home directory of the git user
70	allowing access to the git repository using ssh keys.
71	</para>
72
73	<screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh &&
74	install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys</userinput></screen>
75
76	<para>
77	For any developer who should have access to the repository
78	add his/her public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
79	First, prepend some options to prevent users from using the
80	connection to git for port forwarding to other machines
81	the git server might reach.
82	</para>
83
84	<screen role="nodump"><userinput>echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &&
85	cat <user-ssh-key> >> /home/git/.ssh/authorized_keys</userinput></screen>
86
87	<para>
88	It is also useful to set the default name of the initial branch
89	of new repositories by modifying the git configuration. As the
90	<systemitem class='username'>root</systemitem> user, run:
91	</para>
92
93	<screen role="nodump"><userinput>git config --system init.defaultBranch trunk</userinput></screen>
94
95	<para>
96	Finally add the <filename>/usr/bin/git-shell</filename> entry to
97	the <filename>/etc/shells</filename> configuration file. This shell
98	has been set in the <systemitem class='username'>git</systemitem>
99	user profile and is to make sure that only git related actions
100	can be executed:
101	</para>
102
103	<screen role="root"><userinput>echo "/usr/bin/git-shell" >> /etc/shells</userinput></screen>
104
105	</sect3>
106
107	<sect3>
108	<title>2. Create a git repository</title>
109
110	<para>
111	The repository can be anywhere on the filesystem. It is
112	important that the git user has read/write access to that
113	location. We use <filename class="directory">/srv/git</filename>
114	as base directory. Create a new <application>git</application>
115	repository with the following commands (as the
116	<systemitem class="username">root</systemitem> user):
117	</para>
118
119	<note>
120	<para>
121	In all the instructions below, we use <emphasis>project1</emphasis>
122	as an example repository name. You should name your repository
123	as a short descriptive name for your specific project.
124	</para>
125	</note>
126
127	<screen role="root"><userinput>install -o git -g git -m755 -d /srv/git/project1.git &&
128	cd /srv/git/project1.git &&
129	git init --bare &&
130	chown -R git:git .</userinput></screen>
131
132	</sect3>
133
134	<sect3>
135	<title>3. Populate the repository from a client system</title>
136
137	<note>
138	<para>
139	All the instructions in this section and the next should
140	be done on a user system, not the server system.
141	</para>
142	</note>
143
144	<para>
145	Now that the repository is created, it can be used by the
146	developers to put some files into it. Once the ssh key of
147	the user is imported to git's <filename>authorized_keys</filename>
148	file, the user can interact with the repository.
149	</para>
150
151	<para>
152	A minimal configuration should be available on the developer's
153	system specifying its user name and the email address.
154	Create this minimal config file on client side:
155	</para>
156
157	<screen role="nodump"><userinput>cat > ~/.gitconfig <<EOF
158	[user]
159	name = <users-name>
160	email = <users-email-address>
161	EOF</userinput></screen>
162
163	<para>
164	On the developer's machine, set up some files to be pushed
165	to the repository as the initial content:
166	</para>
167
168	<note>
169	<para>
170	The <emphasis>gitserver</emphasis> term used below
171	should be the host name (or ip address) of the git server.
172	</para>
173	</note>
174
175	<screen role="nodump"><userinput>mkdir myproject
176	cd myproject
177	git init --initial-branch=trunk
178	git remote add origin git@gitserver:/srv/git/project1.git
179	cat >README <<EOF
180	This is the README file
181	EOF
182	git add README
183	git commit -m 'Initial creation of README'
184	git push --set-upstream origin trunk</userinput></screen>
185
186	<para>The initial content is now pushed to the server and
187	is available for other users. On the current machine, the
188	argument <literal>--set-upstream origin trunk</literal> is
189	now no longer required as the local repository is now
190	connected to the remote repository. Subsequent pushes
191	can be performed as
192	</para>
193
194	<screen role="nodump"><userinput>git push</userinput></screen>
195
196	<para>
197	Other developers can now clone the repository and do
198	modifications to the content (as long as their ssh keys
199	has been installed):
200	</para>
201
202	<screen role="nodump"><userinput>git clone git@gitserver:/srv/git/project1.git
203	cd project1
204	vi README
205	git commit -am 'Fix for README file'
206	git push</userinput></screen>
207
208	<note>
209	<para>
210	This is a very basic server setup based on
211	<application>OpenSSH</application> access. All developers are using
212	the <systemitem class="username">git</systemitem> user to perform
213	actions on the repository and the changes users are committing can be
214	distinguished as the local user name (see
215	<filename>~/.gitconfig</filename>) is recorded in the
216	changesets.
217	</para>
218	</note>
219
220	<para>
221	Access is restricted by the public keys added to git's
222	<filename>authorized_keys</filename> file and there is no
223	option for the public to export/clone the repository. To
224	enable this, continue with step 4 to set up the git server
225	for public read-only access.
226	</para>
227
228	<para>
229	In the URL used to clone the project, the absolute path (here
230	<filename>/srv/git/project1.git</filename>) has to be specified
231	as the repository is not in git's home directory but in
232	<filename class="directory">/srv/git</filename>. To get rid of the
233	need to expose the structure of the server installation, a symlink
234	can be added in git's home directory for each project like this:
235	</para>
236	<screen role="nodump"><userinput>ln -svf /srv/git/project1.git /home/git/</userinput></screen>
237
238	<para>
239	Now, the repository can be cloned using
240	</para>
241	<screen role="nodump"><userinput>git clone git@gitserver:project1.git</userinput></screen>
242
243	</sect3>
244
245	<sect3 id="gitserver-init">
246	<title>4. Configure the Server</title>
247
248	<para>
249	The setup described above makes a repository available for
250	authenticated users (via providing the ssh public key file).
251	There is also a simple way to publish the
252	repository to unauthenticated users — of course without write
253	access.
254	</para>
255
256	<para>
257	The combination of access via ssh (for authenticated users) and
258	the export of repositories to unauthenticated users via the
259	daemon is in most cases enough for a development site.
260	</para>
261
262	<note>
263	<para>
264	The daemon will be reachable at port <literal>9418</literal>
265	by default. Make sure that your firewall setup allows
266	access to that port.
267	</para>
268	</note>
269
270	<para revision="sysv">
271	To start the server at boot time, install the git-daemon
272	bootscript included in the <xref linkend="bootscripts"/> package:
273	</para>
274
275	<indexterm zone="gitserver gitserver-init" revision="sysv">
276	<primary sortas="f-git">git</primary>
277	</indexterm>
278
279	<screen role="root" revision="sysv"><userinput>make install-git-daemon</userinput></screen>
280
281	<para revision="systemd">
282	To start the server at boot time, install the
283	<filename>git-daemon.service</filename> unit from the
284	<xref linkend="systemd-units"/> package:
285	</para>
286
287	<indexterm zone="gitserver gitserver-init" revision="systemd">
288	<primary sortas="f-gitserve">gitserve</primary>
289	</indexterm>
290
291	<screen role="root" revision="systemd"><userinput>make install-git-daemon</userinput></screen>
292
293	<para>
294	In order to allow <application>git</application> to export a
295	repository, a file named <filename>git-daemon-export-ok</filename>
296	is required in each repository directory on the server. The
297	file needs no content, just its existence enables, its absence
298	disables the export of that repository.
299	</para>
300
301	<screen role="root"><userinput>touch /srv/git/project1.git/git-daemon-export-ok</userinput></screen>
302
303	<para revision="sysv">
304	The script to start the git daemon uses some default values
305	internally. Most important is the path to the repository
306	directory which is set to <filename class="directory">/srv/git</filename>.
307	In case you have for whatever reason created the repository in a
308	different location, you'll need to tell the boot script where the
309	repository is to be found. This can be achieved by creating a
310	configuration file named <filename>/etc/sysconfig/git-daemon</filename>.
311	This configuration file will be imported if it exists, meaning it is
312	optional. The file can look like:</para>
313	<screen revision="sysv">
314	# Begin /etc/sysconfig/git-daemon
315
316	# Specify the location of the git repository
317	GIT_BASE_DIR="/srv/git/"
318
319	# Directories added to whitelist
320	DFT_REPO_DIR="$GIT_BASE_DIR"
321
322	# Add extra options which will appended to the 'git daemon'
323	# command executed in the boot script
324	GIT_DAEMON_OPTS=""
325
326	# End /etc/sysconfig/git-daemon
327	</screen>
328	<para revision="systemd">
329	Along with the <filename>git-daemon.service</filename> unit, a
330	configuration file named <filename>/etc/default/git-daemon</filename>
331	has been installed. Review this configuration file to match your
332	needs.
333	</para>
334
335	<para>
336	There are only three options to set in the configuration file:
337	<itemizedlist>
338	<listitem>
339	<para>
340	GIT_BASE_DIR=<dirname>
341	</para>
342	<para>Specify the location of the git repositories.
343	Relative paths used when accessing the daemon will
344	translated relative to this directory.
345	</para>
346	</listitem>
347	<listitem>
348	<para>
349	DFT_REPO_DIR=<dirname>
350	</para>
351	<para>This directory is added to the white list of allowed
352	directories. This variable can hold multiple directory
353	names but is usually set equal to <literal>GIT_BASE_DIR</literal>.
354	</para>
355	</listitem>
356	<listitem>
357	<para>
358	GIT_DAEMON_OPTS=<options>
359	</para>
360	<para>
361	In case special options to the <command>git daemon</command>
362	command are needed, they have to be specified in this setting.
363	One example might be to adjust the port number where daemon is
364	listening. In this case, add <literal>--port=<port
365	number></literal> to this variable. For more information
366	about which options can be set, take a look at the output of
367	<command>git daemon --help</command>.
368	</para>
369	</listitem>
370	</itemizedlist>
371	</para>
372
373	<para>
374	After starting the daemon, unauthenticated users can clone exported
375	repositories by using
376	</para>
377	<screen role="nodump"><userinput>git clone git://gitserver/project1.git</userinput></screen>
378
379	<para>
380	As the base directory is <filename class="directory">/srv/git</filename>
381	by default (or set to a custom value in the configuration),
382	<application>git</application> interprets the incoming path
383	(/project1.git) relative to that base directory so that the repository
384	in <filename class="directory">/srv/git/project1.git</filename> is
385	served.
386	</para>
387
388	</sect3>
389
390	</sect2>
391
392	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: