Running a git Server

This section describes how to set up, administer and secure a git server. It is recommended to have a look at the git-scm documentation, as git has many options to set.

git Server Dependencies

Required and

Setting up a git Server

The following instructions will install a git server, which will be set up to use OpenSSH as the secure remote access method.

Configuration of the git server consists of the following steps:

1. Setup Users, Groups, and Permissions

You'll need to be user root for the initial portion of configuration. Create the git user and group with the following commands:

    groupadd -g &gitgid; git &&
    useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git

Create some files and directories in the home directory of the git user. The current approach is to allow access to the git repository using ssh keys.

    install -o git -g git -dm0700 /home/git/.ssh &&
    install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys

For each developer who should have access to the repository, add his or her public ssh key to /home/git/.ssh/authorized_keys. Prepend some options to each key to prevent users from using the connection to git for port forwarding to other machines the git server might reach.

    echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &&
    cat users-ssh-key >> /home/git/.ssh/authorized_keys

2. Create a git repository

The repository can be, but does not have to be, in the git user's home directory; it can be anywhere on the filesystem. It is important that the git user has read/write access to that location. We use /srv/git as the base directory. Create a new git repository with the following commands (as the root user):

    install -o git -g git -m0755 -d /srv/git/project1.git &&
    cd /srv/git/project1.git &&
    git init --bare &&
    chown -R git:git .
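Before developers start connecting, the key restrictions from step 1 can be verified for every entry in authorized_keys, since a key appended without the option prefix is accepted with port forwarding still allowed. The following check is an added example, not part of the original page: the function names are hypothetical, the key lines are constructed placeholders, OpenSSH's "restrict" option is accepted as equivalent to the four options, and it assumes no quoted option value contains a key-type name.

```shell
# Report every key whose options lack the restrictions from step 1.
# Prints "line N: missing <options>"; returns 1 if any key is unrestricted.
audit_git_keys() {
    awk '
    BEGIN {
        n = split("port-forwarding X11-forwarding agent-forwarding pty", need, " ")
        keyre = "(^|[ \t])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\\.com)[ \t]"
    }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
        if (!match($0, keyre)) { printf "line %d: unrecognised key type\n", NR; bad = 1; next }
        opts = tolower(substr($0, 1, RSTART - 1)) # text in front of the key type
        gsub(/"[^"]*"/, "", opts)                 # drop quoted values such as command="..."
        gsub(/[ \t]/, "", opts)
        split("", have); m = split(opts, o, ",")  # reset, then index the options
        for (i = 1; i <= m; i++) have[o[i]] = 1
        missing = ""
        for (i = 1; i <= n; i++) {
            k = tolower(need[i]); nk = "no-" k
            # satisfied by the explicit no-* option, or by "restrict" unless re-enabled
            ok = (nk in have) || (("restrict" in have) && !(k in have))
            if (!ok) missing = missing (missing == "" ? "" : ",") "no-" need[i]
        }
        if (missing != "") { printf "line %d: missing %s\n", NR, missing; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample file; the key material is placeholder text, not real keys.
write_sample_keys() {
    cat > "$1" <<'EOF'
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3PLACEHOLDER1 alice@example
ssh-rsa AAAAB3PLACEHOLDER2 bob@example
restrict ssh-ed25519 AAAAC3PLACEHOLDER3 carol@example
restrict,port-forwarding ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER4 dave@example
EOF
}

demo=$(mktemp)
write_sample_keys "$demo"
audit_git_keys "$demo" || echo "unrestricted keys present"
rm -f "$demo"
```

On the server the function would be run as root against /home/git/.ssh/authorized_keys.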
Now that the repository is created, it can be used by the developers to put some files into it. Once the ssh key of the user is imported to git's authorized_keys file, the user can interact with the repository.

A minimal configuration should be available on the developer's machine, specifying the user's name and email address. Create this minimal config file on the client side:

    cat > ~/.gitconfig <<EOF
    [user]
            name = <users-name>
            email = <users-email-address>
    EOF

On the developer's machine, set up some files to be pushed to the repository as the initial content:

    mkdir myproject
    cd myproject
    git init
    git remote add origin git@gitserver:/srv/git/project1.git
    cat >README <<EOF
    This is the README file
    EOF
    git add README
    git commit -m 'Initial creation of README'
    git push --set-upstream origin master

The initial content is now pushed to the server and is available for other users. On the current machine, the argument --set-upstream origin master is no longer required, as the local repository is now connected to the remote repository. Subsequent pushes can be performed as

    git push

Other developers can now clone the repository and modify its content (as long as their ssh keys have been installed):

    git clone git@gitserver:/srv/git/project1.git
    cd project1
    vi README
    git commit -am 'Fix for README file'
    git push

This is a very basic server setup based on OpenSSH access. All developers use the git user to perform actions on the repository, and the changes users are committing can be distinguished because the local user name (see ~/.gitconfig) is recorded in the changesets.

Access is restricted by the public keys added to git's authorized_keys file, and there is no option for the public to export/clone the repository. To enable this, continue with step 3 to set up the git server.

3. Configure the Server

The setup described above makes a repository available for authenticated users (via providing the ssh public key file).
There is also a quite simple server to publish the repository to unauthenticated users, of course without write access. The combination of access via ssh (for authenticated users) and the export of repositories to unauthenticated users via the daemon is in most cases enough for a development site.

The daemon will be reachable at port 9418 by default. Make sure that your firewall setup allows access to that port.

As user root, install the boot script (on a system using SysV init):

    cat > /etc/rc.d/init.d/git-daemon <<"EOF"
    #!/bin/sh
    ########################################################################
    # Begin /etc/rc.d/init.d/git-daemon
    #
    # Description : Start/Stop git as a daemon
    #
    # Authors     :
    #
    # Version     : LFS x.x
    #
    # Notes       :
    #
    ########################################################################

    ### BEGIN INIT INFO
    # Provides:            git-daemon
    # Required-Start:      network
    # Should-Start:
    # Required-Stop:
    # Should-Stop:
    # Default-Start:
    # Default-Stop:
    # Short-Description:   git as daemon
    # Description:
    # X-LFS-Provided-By:
    ### END INIT INFO

    . /lib/lsb/init-functions

    GIT_BIN="/usr/bin/git"
    DFT_REPO_DIR="/srv/git/"
    PID_FILE="/run/git-daemon.pid"

    case "${1}" in
       start)
          log_info_msg "Starting git-daemon ..."
          $GIT_BIN daemon                  \
                   --detach --pid-file=$PID_FILE \
                   --user=git --group=git  \
                   --reuseaddr --base-path=$DFT_REPO_DIR $DFT_REPO_DIR
          evaluate_retval
          ;;

       stop)
          log_info_msg "Stopping git-daemon ..."
          killproc -p $PID_FILE $GIT_BIN
          evaluate_retval
          ;;

       restart)
          ${0} stop
          sleep 1
          ${0} start
          ;;

       *)
          echo "Usage: ${0} {start|stop|restart}"
          exit 1
          ;;
    esac

    exit 0

    # End /etc/rc.d/init.d/git-daemon
    EOF

    chmod 755 /etc/rc.d/init.d/git-daemon
    ln -v -sf ../init.d/git-daemon /etc/rc.d/rc0.d/K29git-daemon
    ln -v -sf ../init.d/git-daemon /etc/rc.d/rc1.d/K29git-daemon
    ln -v -sf ../init.d/git-daemon /etc/rc.d/rc2.d/K29git-daemon
    ln -v -sf ../init.d/git-daemon /etc/rc.d/rc3.d/S50git-daemon
    ln -v -sf ../init.d/git-daemon /etc/rc.d/rc4.d/S50git-daemon
    ln -v -sf ../init.d/git-daemon /etc/rc.d/rc5.d/S50git-daemon
    ln -v -sf ../init.d/git-daemon /etc/rc.d/rc6.d/K29git-daemon

or the unit file (on a system using systemd):

    cat > /etc/systemd/system/git-daemon.service <<EOF
    [Unit]
    Description=Start Git Daemon

    [Service]
    ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/

    Restart=always
    RestartSec=500ms

    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=git-daemon

    User=git
    Group=git

    [Install]
    WantedBy=multi-user.target
    EOF

With the systemd unit, enable and start the daemon by executing

    systemctl enable git-daemon &&
    systemctl start git-daemon

With the boot script, start the daemon by executing

    /etc/rc.d/init.d/git-daemon start

For git to export a repository, a file named git-daemon-export-ok is required in each repository directory on the server. The file needs no content; its existence enables, and its absence disables, the export of that repository.

    touch /srv/git/project1.git/git-daemon-export-ok
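Because the marker file alone decides what unauthenticated clients on port 9418 can clone, it is worth listing which repositories under the base path currently carry it. The listing below is an added example, not part of the original page: the function names and the demo directory tree are constructed, and it assumes the daemon is started as shown above, so that only the marker file controls export.

```shell
# List each repository below a git-daemon base path, prefixed with
# "exported" if git-daemon-export-ok is present and "private" otherwise.
list_git_exports() {
    base=${1%/}
    find "$base" -type f -name HEAD 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r head; do
        repo=${head%/HEAD}
        # A git directory has HEAD, objects/ and refs/ side by side;
        # this skips files such as logs/HEAD or refs/remotes/origin/HEAD.
        [ -d "$repo/objects" ] && [ -d "$repo/refs" ] || continue
        if [ -e "$repo/git-daemon-export-ok" ]; then
            state=exported
        else
            state=private
        fi
        printf '%s %s\n' "$state" "${repo#"$base"/}"
    done
}

# Constructed directory tree that mimics three bare repositories,
# two of them marked for export (no git binary needed for the demo).
make_demo_tree() {
    for r in project1.git project2.git group/project3.git; do
        mkdir -p "$1/$r/objects" "$1/$r/refs"
        echo 'ref: refs/heads/master' > "$1/$r/HEAD"
    done
    touch "$1/project1.git/git-daemon-export-ok" \
          "$1/group/project3.git/git-daemon-export-ok"
}

demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
list_git_exports "$demo_dir"
rm -rf "$demo_dir"
```

On the server, `list_git_exports /srv/git` gives the same listing for the real repositories.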