source: general/prog/gitserver.xml@ 427b46a

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
  <!ENTITY gitgid "58">
  <!ENTITY gituid "58">
]>

<sect1 id="gitserver" xreflabel="Running a Git Server">
  <?dbhtml filename="gitserver.html"?>

  <sect1info>
  <othername>$LastChangedBy$</othername>
  <date>$Date$</date>
  </sect1info>

  <title>Running a Git Server</title>

  <sect2 role="package">
    <title>Introduction</title>

    <para>
      This section will describe how to set up, administer and secure a
      <application>git</application> server. <application>Git</application>
      has many options available. For more detailed documentation see 
      <ulink url="https://git-scm.com/book/en/v2"/>. 
    </para>

    <bridgehead renderas="sect3">Server Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="git"/> and
      <xref linkend="openssh"/>
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Setting up a Git Server</title>

    <para>
      The following instructions will install a
      <application>git</application> server. It will be set
      up to use <application>OpenSSH</application> as the secure
      remote access method.
    </para>

    <para>
      Configuration of the server consists of the following steps:
    </para>

    <sect3>
      <title>1. Setup Users, Groups, and Permissions</title>

      <para>
        You will need to be user <systemitem class='username'>root</systemitem>
        for the initial portion of configuration. Create the <systemitem
        class="username">git</systemitem> user and group and set and unusable
        password hash with the following commands:
      </para>

<screen role="root"><userinput>groupadd -g &gitgid; git &amp;&amp;
useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git &amp;&amp;
sed -i '/^git:/s/^git:[^:]:/git:NP:/' /etc/shadow</userinput></screen>

      <para>
        Putting in an unuable password hash (replacing the <literal>!</literal>
        by <literal>NP</literal>) unlocks the account but it cannot be used
        to login via password authentication. That is required by 
        <application>sshd</application> to work properly.
        Next, create some files and directories in the home directory of the git user
        allowing access to the git repository using ssh keys.
      </para>
      
<screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh &amp;&amp;
install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys</userinput></screen>

      <para>
        For any developer who should have access to the repository
        add his/her public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
        First, prepend some options to prevent users from using the
        connection to git for port forwarding to other machines
        the git server might reach.
      </para>

<screen role="nodump"><userinput>echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &amp;&amp;
cat &lt;user-ssh-key&gt; &gt;&gt; /home/git/.ssh/authorized_keys</userinput></screen>

      <para>
        It is also useful to set the default name of the initial branch 
        of new repositories by modifying the git configuration. As the
        <systemitem class='username'>root</systemitem> user, run:
      </para>

<screen role="nodump"><userinput>git config --system init.defaultBranch trunk</userinput></screen>

      <para>
        Finally add the <filename>/usr/bin/git-shell</filename> entry to
        the <filename>/etc/shells</filename> configuration file. This shell
        has been set in the <systemitem class='username'>git</systemitem>
        user profile and is to make sure that only git related actions
        can be executed:
      </para>
      
<screen role="root"><userinput>echo "/usr/bin/git-shell" &gt;&gt; /etc/shells</userinput></screen>

    </sect3>

    <sect3>
      <title>2. Create a git repository</title>

      <para>
        The repository can be anywhere on the filesystem. It is
        important that the git user has read/write access to that
        location. We use <filename class="directory">/srv/git</filename>
        as base directory. Create a new <application>git</application>
        repository with the following commands (as the
        <systemitem class="username">root</systemitem> user):
      </para>

      <note>
        <para>
          In all the instructions below, we use <emphasis>project1</emphasis>
          as an example repository name.  You should name your repository 
          as a short descriptive name for your specific project.
        </para>
      </note>

<screen role="root"><userinput>install -o git -g git -m755 -d /srv/git/project1.git &amp;&amp;
cd /srv/git/project1.git                             &amp;&amp;
git init --bare                                      &amp;&amp;
chown -R git:git .</userinput></screen>
    
    </sect3>

    <sect3>
      <title>3. Populate the repository from a client system</title>

      <note>
        <para>
          All the instructions in this section and the next should
          be done on a user system, not the server system.
        </para>
      </note>

      <para>
        Now that the repository is created, it can be used by the
        developers to put some files into it. Once the ssh key of
        the user is imported to git's <filename>authorized_keys</filename>
        file, the user can interact with the repository.
      </para>

      <para>
        A minimal configuration should be available on the developer's
        system specifying its user name and the email address.
        Create this minimal config file on client side:
      </para>

<screen role="nodump"><userinput>cat &gt; ~/.gitconfig &lt;&lt;EOF
[user]
        name = &lt;users-name&gt;
        email = &lt;users-email-address&gt;
EOF</userinput></screen>

      <para>
        On the developer's machine, setup some files to be pushed
        to the repository as the initial content:
      </para>

      <note>
        <para>
          The <emphasis>gitserver</emphasis> term used below 
          should be the host name (or ip address) of the git server. 
        </para>
      </note>

<screen role="nodump"><userinput>mkdir myproject
cd myproject
git init --initial-branch=trunk
git remote add origin git@gitserver:/srv/git/project1.git
cat &gt;README &lt;&lt;EOF
This is the README file
EOF
git add README
git commit -m 'Initial creation of README'
git push --set-upstream origin trunk</userinput></screen>

      <para>The initial content is now pushed to the server and
        is available for other users. On the current machine, the 
        argument <literal>--set-upstream origin trunk</literal> is
        now no longer required as the local repository is now
        connected to the remote repository. Subsequent pushes
        can be performed as
      </para>

<screen role="nodump"><userinput>git push</userinput></screen>
      
      <para>
        Other developers can now clone the repository and do
        modifications to the content (as long as their ssh keys
        has been installed):
      </para>

<screen role="nodump"><userinput>git clone git@gitserver:/srv/git/project1.git
cd project1
vi README
git commit -am 'Fix for README file'
git push</userinput></screen>

      <note>
        <para>
          This is a very basic server setup based on
          <application>OpenSSH</application> access. All developers are using
          the <systemitem class="username">git</systemitem> user to perform
          actions on the repository and the changes users are commiting can be
          distiguished as the local user name (see
          <filename>~/.gitconfig</filename>) is recorded in the
          changesets.
        </para>
      </note>

      <para>
        Access is restricted by the public keys added to git's
        <filename>authorized_keys</filename> file and there is no
        option for the public to export/clone the repository. To
        enable this, continue with step 4 to set up the git server
        for public read-only access.
      </para>

      <para>
        In the URL used to clone the project, the absolute path (here 
        <filename>/srv/git/project1.git</filename>) has to be specified
        as the repository is not in git's home directory but in
        <filename class="directory">/srv/git</filename>. To get rid of the
        need to expose the structure of the server installation, a symlink
        can be added in git's home directory for each project like this:
      </para>
<screen role="nodump"><userinput>ln -svf /srv/git/project1.git /home/git/</userinput></screen>

      <para>
        Now, the repository can be cloned using
      </para>
<screen role="nodump"><userinput>git clone git@gitserver:project1.git</userinput></screen>

    </sect3>

    <sect3 id="gitserver-init">
      <title>4. Configure the Server</title>

      <para>
        The setup described above makes a repository available for
        authenticated users (via providing the ssh public key file).
        There is also a simple way to publish the 
        repository to unauthenticated users &mdash; of course without write
        access.
      </para>

      <para>
        The combination of access via ssh (for authenticated users) and
        the export of repositories to unauthenticated users via the
        daemon is in most cases enough for a development site.
      </para>
      
      <note>
        <para>
          The daemon will be reachable at port <literal>9418</literal>
          by default. Make sure that your firewall setup allows
          access to that port.
        </para>
      </note>

      <para revision="sysv">
        To start the server at boot time, install the git-daemon
        bootscript included in the <xref linkend="bootscripts"/> package:
      </para>

      <indexterm zone="gitserver gitserver-init" revision="sysv">
        <primary sortas="f-git">git</primary>
      </indexterm>

<screen role="root" revision="sysv"><userinput>make install-git-daemon</userinput></screen>

      <para revision="systemd">
        To start the server at boot time, install the
        <filename>git-daemon.service</filename> unit from the
        <xref linkend="systemd-units"/> package:
      </para>

      <indexterm zone="gitserver gitserver-init" revision="systemd">
        <primary sortas="f-gitserve">gitserve</primary>
      </indexterm>

<screen role="root" revision="systemd"><userinput>make install-git-daemon</userinput></screen>

      <para>
        In order to allow <application>git</application> to export a
        repository, a file named <filename>git-daemon-export-ok</filename>
        is required in each repository directory on the server. The
        file needs no content, just its existance enables, its absence
        disables the export of that repository.
      </para>

<screen role="root"><userinput>touch /srv/git/project1.git/git-daemon-export-ok</userinput></screen>

      <para revision="sysv">
        The script to start the git daemon uses some default values
        internally. Most important is the path to the repository
        directory which is set to <filename class="directory">/srv/git</filename>.
        In case you have for whatever reason created the repository in a
        different location, you'll need to tell the boot script where the
        repository is to be found. This can be achieved by creating a
        configuration file named <filename>/etc/sysconfig/git-daemon</filename>.
        This configuration file will be imported if it exists, meaning it is
        optional. The file can look like:</para>
<screen revision="sysv">
# Begin /etc/sysconfig/git-daemon

# Specify the location of the git repository
GIT_BASE_DIR="/srv/git/"

# Directories added to whitelist
DFT_REPO_DIR="$GIT_BASE_DIR"

# Add extra options which will appended to the 'git daemon'
# command executed in the boot script
GIT_DAEMON_OPTS=""

# End /etc/sysconfig/git-daemon
</screen>
      <para revision="systemd">
        Along with the <filename>git-daemon.service</filename> unit, a
        configuration file named <filename>/etc/default/git-daemon</filename>
        has been installed. Review this configuration file to match your
        needs.
      </para>

      <para>
        There are only three options to set in the configuration file:
        <itemizedlist>
          <listitem>
            <para>
              GIT_BASE_DIR=&lt;dirname&gt;
            </para>
            <para>Specify the location of the git repositories.
              Relative paths used when accessing the daemon will 
              translated relative to this directory.
            </para>
          </listitem>
          <listitem>
            <para>
              DFT_REPO_DIR=&lt;dirname&gt;
            </para>
            <para>This directory is added to the white list of allowed
              directories. This variable can hold multiple directory
              names but is usually set equal to <literal>GIT_BASE_DIR</literal>.
            </para>
          </listitem>
          <listitem>
            <para>
              GIT_DAEMON_OPTS=&lt;options&gt;
            </para>
            <para>
              In case special options to the <command>git daemon</command>
              command are needed, they have to be specified in this setting.
              One example might be to adjust the port number where daemon is
              listening. In this case, add <literal>--port=&lt;port
              number&gt;</literal> to this variable.  For more information
              about which options can be set, take a look at the output of
              <command>git daemon --help</command>.
            </para>
          </listitem>
        </itemizedlist>
      </para>

      <para>
        After starting the daemon, unauthenticated users can clone exported
        repositories by using
      </para>
<screen role="nodump"><userinput>git clone git://gitserver/project1.git</userinput></screen>

      <para>
        As the base directory is <filename class="directory">/srv/git</filename> 
        by default (or set to a custom value in the configuration),
        <application>git</application> interprets the incoming path
        (/project1.git) relative to that base directory so that the repository
        in <filename class="directory">/srv/git/project1.git</filename> is
        served.
      </para>
      
    </sect3>

  </sect2>

</sect1>