1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 | <!ENTITY gitgid "58">
|
---|
7 | <!ENTITY gituid "58">
|
---|
8 | ]>
|
---|
9 |
|
---|
10 | <sect1 id="gitserver" xreflabel="Running a Git Server">
|
---|
11 | <?dbhtml filename="gitserver.html"?>
|
---|
12 |
|
---|
13 | <sect1info>
|
---|
14 | <othername>$LastChangedBy$</othername>
|
---|
15 | <date>$Date$</date>
|
---|
16 | </sect1info>
|
---|
17 |
|
---|
18 | <title>Running a Git Server</title>
|
---|
19 |
|
---|
20 | <sect2 role="package">
|
---|
21 | <title>Introduction</title>
|
---|
22 |
|
---|
23 | <para>
|
---|
24 | This section will describe how to set up, administer and secure a
|
---|
25 | <application>git</application> server. <application>Git</application>
|
---|
26 | has many options available. For more detailed documentation see
|
---|
27 | <ulink url="https://git-scm.com/book/en/v2"/>.
|
---|
28 | </para>
|
---|
29 |
|
---|
30 | <bridgehead renderas="sect3">Server Dependencies</bridgehead>
|
---|
31 |
|
---|
32 | <bridgehead renderas="sect4">Required</bridgehead>
|
---|
33 | <para role="required">
|
---|
34 | <xref linkend="git"/> and
|
---|
35 | <xref linkend="openssh"/>
|
---|
36 | </para>
|
---|
37 |
|
---|
38 | </sect2>
|
---|
39 |
|
---|
40 | <sect2 role="configuration">
|
---|
41 | <title>Setting up a Git Server.</title>
|
---|
42 |
|
---|
43 | <para>
|
---|
44 | The following instructions will install a
|
---|
45 | <application>git</application> server. It will be set
|
---|
46 | up to use <application>OpenSSH</application> as the secure
|
---|
47 | remote access method.
|
---|
48 | </para>
|
---|
49 |
|
---|
50 | <para>
|
---|
51 | Configuration of the server consists of the following steps:
|
---|
52 | </para>
|
---|
53 |
|
---|
54 | <sect3>
|
---|
55 | <title>1. Setup Users, Groups, and Permissions</title>
|
---|
56 |
|
---|
57 | <para>
|
---|
58 | You will need to be user <systemitem class='username'>root</systemitem>
|
---|
59 | for the initial portion of configuration. Create the <systemitem
|
---|
60 | class="username">git</systemitem> user and group with the following
|
---|
61 | commands:
|
---|
62 | </para>
|
---|
63 |
|
---|
64 | <screen role="root"><userinput>groupadd -g &gitgid; git &&
|
---|
65 | useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git</userinput></screen>
|
---|
66 |
|
---|
67 | <para>
|
---|
68 | Create some files and directories in the home directory of the git user
|
---|
69 | allowing access to the git repository using ssh keys.
|
---|
70 | </para>
|
---|
71 |
|
---|
72 | <screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh &&
|
---|
73 | install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys
|
---|
74 | </userinput></screen>
|
---|
75 |
|
---|
76 | <para>
|
---|
77 | For any developer who should have access to the repository
|
---|
78 | add his/her public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
|
---|
79 | First, prepend some options to prevent users to use the
|
---|
80 | connection to git for port forwarding to other machines
|
---|
81 | the git server might reach.
|
---|
82 | </para>
|
---|
83 |
|
---|
84 | <screen role="nodump"><userinput>echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &&
|
---|
85 | cat <user-ssh-key> >> /home/git/.ssh/authorized_keys</userinput></screen>
|
---|
86 |
|
---|
87 | </sect3>
|
---|
88 |
|
---|
89 | <sect3>
|
---|
90 | <title>2. Create a git repository.</title>
|
---|
91 |
|
---|
92 | <para>
|
---|
93 | The repository can be anywhere on the filesystem. It is
|
---|
94 | important that the git user has read/write access to that
|
---|
95 | location. We use <filename class="directory">/srv/git</filename>
|
---|
96 | as base directory. Create a new <application>git</application>
|
---|
97 | repository with the following commands (as the
|
---|
98 | <systemitem class="username">root</systemitem> user):
|
---|
99 | </para>
|
---|
100 |
|
---|
101 | <screen role="root"><userinput>install -o git -g git -m755 -d /srv/git/project1.git &&
|
---|
102 | cd /srv/git/project1.git &&
|
---|
103 | git init --bare &&
|
---|
104 | chown -R git:git .</userinput></screen>
|
---|
105 |
|
---|
106 | <para>
|
---|
107 | Now that the repository is created, it can be used by the
|
---|
108 | developers to put some files into it. Once the ssh key of
|
---|
109 | the user is imported to git's <filename>authorized_keys</filename>
|
---|
110 | file, the user can interact with the repository.
|
---|
111 | </para>
|
---|
112 |
|
---|
113 | <para>
|
---|
114 | A minimal configuration should be available on the developer's
|
---|
115 | dudyrm specifying its user name and the email address.
|
---|
116 | Create this minimal config file on client side:
|
---|
117 | </para>
|
---|
118 |
|
---|
119 | <screen role="nodump"><userinput>cat > ~/.gitconfig <<EOF
|
---|
120 | [user]
|
---|
121 | name = <users-name>
|
---|
122 | email = <users-email-address>
|
---|
123 | EOF</userinput></screen>
|
---|
124 |
|
---|
125 | <para>
|
---|
126 | On the developer's machine, setup some files to be pushed
|
---|
127 | to the repository as the initial content:
|
---|
128 | </para>
|
---|
129 |
|
---|
130 | <screen role="nodump"><userinput>mkdir myproject
|
---|
131 | cd myproject
|
---|
132 | git init --initial-branch=main
|
---|
133 | git remote add origin git@gitserver:/srv/git/project1.git
|
---|
134 | cat >README <<EOF
|
---|
135 | This is the README file
|
---|
136 | EOF
|
---|
137 | git add README
|
---|
138 | git commit -m 'Initial creation of README'
|
---|
139 | git push --set-upstream origin main</userinput></screen>
|
---|
140 |
|
---|
141 | <para>The initial content is now pushed to the server and
|
---|
142 | is available for other users. On the current machine, the
|
---|
143 | argument <literal>--set-upstream origin main</literal> is
|
---|
144 | now no longer required as the local repository is now
|
---|
145 | connected to the remote repository. Subsequent pushes
|
---|
146 | can be performed as
|
---|
147 | </para>
|
---|
148 |
|
---|
149 | <screen role="nodump"><userinput>git push</userinput></screen>
|
---|
150 |
|
---|
151 | <para>
|
---|
152 | Other developers can now clone the repository and do
|
---|
153 | modifications to the content (as long as their ssh keys
|
---|
154 | has been installed):
|
---|
155 | </para>
|
---|
156 |
|
---|
157 | <screen role="nodump"><userinput>git clone git@gitserver:/srv/git/project1.git
|
---|
158 | cd project1
|
---|
159 | vi README
|
---|
160 | git commit -am 'Fix for README file'
|
---|
161 | git push</userinput></screen>
|
---|
162 |
|
---|
163 | <note>
|
---|
164 | <para>
|
---|
165 | This is a very basic server setup based on
|
---|
166 | <application>OpenSSH</application> access. All developers are using
|
---|
167 | the <systemitem class="username">git</systemitem> user to perform
|
---|
168 | actions on the repository and the changes users are commiting can be
|
---|
169 | distiguished as the local user name (see
|
---|
170 | <filename>~/.gitconfig</filename>) is recorded in the
|
---|
171 | changesets.</para>
|
---|
172 | </note>
|
---|
173 |
|
---|
174 | <para>
|
---|
175 | Access is restricted by the public keys added to git's
|
---|
176 | <filename>authorized_keys</filename> file and there is no
|
---|
177 | option for the public to export/clone the repository. To
|
---|
178 | enable this, continue with step 3 to setup the git server.
|
---|
179 | </para>
|
---|
180 |
|
---|
181 | </sect3>
|
---|
182 |
|
---|
183 | <sect3>
|
---|
184 | <title>3. Configure the Server</title>
|
---|
185 |
|
---|
186 | <para>
|
---|
187 | The setup described above makes a repository available for
|
---|
188 | authenticated users (via providing the ssh public key file).
|
---|
189 | There is also a quite simple way to publish the
|
---|
190 | repository to unauthenticated users - of course without write
|
---|
191 | access.
|
---|
192 | </para>
|
---|
193 | <para>
|
---|
194 | The compination of access via ssh (for authenticated users) and
|
---|
195 | the export of repositories to unauthenticated users via the
|
---|
196 | daemon is in most cases enough for a development site.
|
---|
197 | </para>
|
---|
198 |
|
---|
199 | <note>
|
---|
200 | <para>
|
---|
201 | The daemon will be reachable at port <literal>9418</literal>
|
---|
202 | by default. Make sure that your firewall setup allows
|
---|
203 | access to that port.
|
---|
204 | </para>
|
---|
205 | </note>
|
---|
206 |
|
---|
207 | <para>
|
---|
208 | As user <systemitem class='username'>root</systemitem> do:
|
---|
209 | </para>
|
---|
210 |
|
---|
211 | <screen role="root" revision="sysv"><userinput>cat > /etc/rc.d/init.d/git-daemon <<"EOF"
|
---|
212 | #!/bin/sh
|
---|
213 | ########################################################################
|
---|
214 | # Begin /etc/rc.d/init.d/git-daemon
|
---|
215 | #
|
---|
216 | # Description : Start/Stop git as a daemon
|
---|
217 | #
|
---|
218 | # Authors :
|
---|
219 | #
|
---|
220 | # Version : LFS 10.0
|
---|
221 | #
|
---|
222 | # Notes :
|
---|
223 | #
|
---|
224 | ########################################################################
|
---|
225 |
|
---|
226 | ### BEGIN INIT INFO
|
---|
227 | # Provides: git-daemon
|
---|
228 | # Required-Start: network
|
---|
229 | # Should-Start:
|
---|
230 | # Required-Stop:
|
---|
231 | # Should-Stop:
|
---|
232 | # Default-Start:
|
---|
233 | # Default-Stop:
|
---|
234 | # Short-Description: git as daemon
|
---|
235 | # Description:
|
---|
236 | # X-LFS-Provided-By:
|
---|
237 | ### END INIT INFO
|
---|
238 |
|
---|
239 | . /lib/lsb/init-functions
|
---|
240 |
|
---|
241 | GIT_BIN="/usr/bin/git"
|
---|
242 | DFT_REPO_DIR="/srv/git/"
|
---|
243 | PID_FILE="/run/git-daemon.pid"
|
---|
244 |
|
---|
245 | case "${1}" in
|
---|
246 | start)
|
---|
247 | log_info_msg "Starting git-daemon ..."
|
---|
248 | $GIT_BIN daemon \
|
---|
249 | --detach \
|
---|
250 | --pid-file=$PID_FILE \
|
---|
251 | --user=git \
|
---|
252 | --group=git \
|
---|
253 | --reuseaddr \
|
---|
254 | --base-path=$DFT_REPO_DIR $DFT_REPO_DIR
|
---|
255 | evaluate_retval
|
---|
256 | ;;
|
---|
257 |
|
---|
258 | stop)
|
---|
259 | log_info_msg "Stopping git-daemon ..."
|
---|
260 | killproc -p $PID_FILE $GIT_BIN
|
---|
261 | evaluate_retval
|
---|
262 | ;;
|
---|
263 |
|
---|
264 | restart)
|
---|
265 | ${0} stop
|
---|
266 | sleep 1
|
---|
267 | ${0} start
|
---|
268 | ;;
|
---|
269 |
|
---|
270 | *)
|
---|
271 | echo "Usage: ${0} {start|stop|restart}"
|
---|
272 | exit 1
|
---|
273 | ;;
|
---|
274 | esac
|
---|
275 |
|
---|
276 | exit 0
|
---|
277 |
|
---|
278 | # End /etc/rc.d/init.d/git-daemon
|
---|
279 | EOF
|
---|
280 |
|
---|
281 | chmod 755 /etc/rc.d/init.d/git-daemon
|
---|
282 | ln -v -sf ../init.d/git-daemon /etc/rc.d/rc0.d/K29git-daemon
|
---|
283 | ln -v -sf ../init.d/git-daemon /etc/rc.d/rc1.d/K29git-daemon
|
---|
284 | ln -v -sf ../init.d/git-daemon /etc/rc.d/rc2.d/K29git-daemon
|
---|
285 | ln -v -sf ../init.d/git-daemon /etc/rc.d/rc3.d/S50git-daemon
|
---|
286 | ln -v -sf ../init.d/git-daemon /etc/rc.d/rc4.d/S50git-daemon
|
---|
287 | ln -v -sf ../init.d/git-daemon /etc/rc.d/rc5.d/S50git-daemon
|
---|
288 | ln -v -sf ../init.d/git-daemon /etc/rc.d/rc6.d/K29git-daemon</userinput></screen>
|
---|
289 |
|
---|
290 | <screen role="root" revision="systemd"><userinput>cat > /etc/systemd/system/git-daemon.service <<EOF
|
---|
291 | [Unit]
|
---|
292 | Description=Start Git Daemon
|
---|
293 |
|
---|
294 | [Service]
|
---|
295 | ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/
|
---|
296 |
|
---|
297 | Restart=always
|
---|
298 | RestartSec=500ms
|
---|
299 |
|
---|
300 | StandardOutput=syslog
|
---|
301 | StandardError=syslog
|
---|
302 | SyslogIdentifier=git-daemon
|
---|
303 |
|
---|
304 | User=git
|
---|
305 | Group=git
|
---|
306 |
|
---|
307 | [Install]
|
---|
308 | WantedBy=multi-user.target
|
---|
309 | EOF</userinput></screen>
|
---|
310 |
|
---|
311 | <para revision="systemd">
|
---|
312 | Enable and start the daemon by executing:
|
---|
313 | </para>
|
---|
314 |
|
---|
315 | <screen role="root" revision="systemd"><userinput>systemctl enable git-daemon &&
|
---|
316 | systemctl start git-daemon</userinput></screen>
|
---|
317 |
|
---|
318 | <para revision="sysv">
|
---|
319 | Start the daemon be executing
|
---|
320 | </para>
|
---|
321 | <screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/git-daemon start</userinput></screen>
|
---|
322 |
|
---|
323 | <para>
|
---|
324 | In order to allow <application>git</application> to export a
|
---|
325 | repository, a file named <filename>git-daemon-export-ok</filename>
|
---|
326 | is required in each repository directory on the server. The
|
---|
327 | file needs no content, just its existance enables, its absence
|
---|
328 | disables the export of that repository.
|
---|
329 | </para>
|
---|
330 |
|
---|
331 | <screen role="root"><userinput>touch /srv/git/project1.git/git-daemon-export-ok</userinput></screen>
|
---|
332 |
|
---|
333 | </sect3>
|
---|
334 |
|
---|
335 | </sect2>
|
---|
336 |
|
---|
337 | </sect1>
|
---|