source: general/prog/gitserver.xml@ aacba80f

10.1 11.0 ken/refactor-virt lazarus qt5new trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since aacba80f was aacba80f, checked in by Bruce Dubbs <bdubbs@…>, 10 months ago

More git server tweaks

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24077 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 10.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6 <!ENTITY gitgid "58">
7 <!ENTITY gituid "58">
8]>
9
10<sect1 id="gitserver" xreflabel="Running a Git Server">
11 <?dbhtml filename="gitserver.html"?>
12
13 <sect1info>
14 <othername>$LastChangedBy$</othername>
15 <date>$Date$</date>
16 </sect1info>
17
18 <title>Running a Git Server</title>
19
20 <sect2 role="package">
21 <title>Introduction</title>
22
23 <para>
24 This section will describe how to set up, administer and secure a
25 <application>git</application> server. <application>Git</application>
26 has many options available. For more detailed documentation see
27 <ulink url="https://git-scm.com/book/en/v2"/>.
28 </para>
29
30 <bridgehead renderas="sect3">Server Dependencies</bridgehead>
31
32 <bridgehead renderas="sect4">Required</bridgehead>
33 <para role="required">
34 <xref linkend="git"/> and
35 <xref linkend="openssh"/>
36 </para>
37
38 </sect2>
39
40 <sect2 role="configuration">
41 <title>Setting up a Git Server</title>
42
43 <para>
44 The following instructions will install a
45 <application>git</application> server. It will be set
46 up to use <application>OpenSSH</application> as the secure
47 remote access method.
48 </para>
49
50 <para>
51 Configuration of the server consists of the following steps:
52 </para>
53
54 <sect3>
55 <title>1. Setup Users, Groups, and Permissions</title>
56
57 <para>
58 You will need to be user <systemitem class='username'>root</systemitem>
59 for the initial portion of configuration. Create the <systemitem
60 class="username">git</systemitem> user and group with the following
61 commands:
62 </para>
63
64<screen role="root"><userinput>groupadd -g &gitgid; git &amp;&amp;
65useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git</userinput></screen>
66
67 <para>
68 Create some files and directories in the home directory of the git user
69 allowing access to the git repository using ssh keys.
70 </para>
71
72<screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh &amp;&amp;
73install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys
74</userinput></screen>
75
76 <para>
77 For any developer who should have access to the repository
78 add his/her public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
79 First, prepend some options to prevent users to use the
80 connection to git for port forwarding to other machines
81 the git server might reach.
82 </para>
83
84<screen role="nodump"><userinput>echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &amp;&amp;
85cat &lt;user-ssh-key&gt; &gt;&gt; /home/git/.ssh/authorized_keys</userinput></screen>
86
87 <para>
88 It is also useful to set the default name of the initial branch
89 of new repositories by modifying the git configuration. As the
90 <systemitem class='username'>root</systemitem> user, run:
91 </para>
92
93<screen role="nodump"><userinput>git config --global init.defaultBranch trunk</userinput></screen>
94
95 </sect3>
96
97 <sect3>
98 <title>2. Create a git repository</title>
99
100 <para>
101 The repository can be anywhere on the filesystem. It is
102 important that the git user has read/write access to that
103 location. We use <filename class="directory">/srv/git</filename>
104 as base directory. Create a new <application>git</application>
105 repository with the following commands (as the
106 <systemitem class="username">root</systemitem> user):
107 </para>
108
109<screen role="root"><userinput>install -o git -g git -m755 -d /srv/git/project1.git &amp;&amp;
110cd /srv/git/project1.git &amp;&amp;
111git init --bare &amp;&amp;
112chown -R git:git .</userinput></screen>
113
114 </sect3>
115
116 <sect3>
117 <title>3. Populate the repository from a client system</title>
118
119 <para>
120 Now that the repository is created, it can be used by the
121 developers to put some files into it. Once the ssh key of
122 the user is imported to git's <filename>authorized_keys</filename>
123 file, the user can interact with the repository.
124 </para>
125
126 <para>
127 A minimal configuration should be available on the developer's
128 system specifying its user name and the email address.
129 Create this minimal config file on client side:
130 </para>
131
132<screen role="nodump"><userinput>cat &gt; ~/.gitconfig &lt;&lt;EOF
133[user]
134 name = &lt;users-name&gt;
135 email = &lt;users-email-address&gt;
136EOF</userinput></screen>
137
138 <para>
139 On the developer's machine, setup some files to be pushed
140 to the repository as the initial content:
141 </para>
142
143<screen role="nodump"><userinput>mkdir myproject
144cd myproject
145git init --initial-branch=trunk
146git remote add origin git@gitserver:/srv/git/project1.git
147cat &gt;README &lt;&lt;EOF
148This is the README file
149EOF
150git add README
151git commit -m 'Initial creation of README'
152git push --set-upstream origin trunk</userinput></screen>
153
154 <para>The initial content is now pushed to the server and
155 is available for other users. On the current machine, the
156 argument <literal>--set-upstream origin trunk</literal> is
157 now no longer required as the local repository is now
158 connected to the remote repository. Subsequent pushes
159 can be performed as
160 </para>
161
162<screen role="nodump"><userinput>git push</userinput></screen>
163
164 <para>
165 Other developers can now clone the repository and do
166 modifications to the content (as long as their ssh keys
167 has been installed):
168 </para>
169
170<screen role="nodump"><userinput>git clone git@gitserver:/srv/git/project1.git
171cd project1
172vi README
173git commit -am 'Fix for README file'
174git push</userinput></screen>
175
176 <note>
177 <para>
178 This is a very basic server setup based on
179 <application>OpenSSH</application> access. All developers are using
180 the <systemitem class="username">git</systemitem> user to perform
181 actions on the repository and the changes users are commiting can be
182 distiguished as the local user name (see
183 <filename>~/.gitconfig</filename>) is recorded in the
184 changesets.</para>
185 </note>
186
187 <para>
188 Access is restricted by the public keys added to git's
189 <filename>authorized_keys</filename> file and there is no
190 option for the public to export/clone the repository. To
191 enable this, continue with step 4 to setup the git server.
192 </para>
193
194 </sect3>
195
196 <sect3>
197 <title>4. Configure the Server</title>
198
199 <para>
200 The setup described above makes a repository available for
201 authenticated users (via providing the ssh public key file).
202 There is also a quite simple way to publish the
203 repository to unauthenticated users - of course without write
204 access.
205 </para>
206
207 <para>
208 The combination of access via ssh (for authenticated users) and
209 the export of repositories to unauthenticated users via the
210 daemon is in most cases enough for a development site.
211 </para>
212
213 <note>
214 <para>
215 The daemon will be reachable at port <literal>9418</literal>
216 by default. Make sure that your firewall setup allows
217 access to that port.
218 </para>
219 </note>
220
221 <para>
222 As user <systemitem class='username'>root</systemitem> do:
223 </para>
224
225<screen role="root" revision="sysv"><userinput>cat &gt; /etc/rc.d/init.d/git-daemon &lt;&lt;"EOF"
226#!/bin/sh
227########################################################################
228# Begin /etc/rc.d/init.d/git-daemon
229#
230# Description : Start/Stop git as a daemon
231#
232# Authors :
233#
234# Version : LFS 10.0
235#
236# Notes :
237#
238########################################################################
239
240### BEGIN INIT INFO
241# Provides: git-daemon
242# Required-Start: network
243# Should-Start:
244# Required-Stop:
245# Should-Stop:
246# Default-Start:
247# Default-Stop:
248# Short-Description: git as daemon
249# Description:
250# X-LFS-Provided-By:
251### END INIT INFO
252
253. /lib/lsb/init-functions
254
255GIT_BIN="/usr/bin/git"
256DFT_REPO_DIR="/srv/git/"
257PID_FILE="/run/git-daemon.pid"
258
259case "${1}" in
260 start)
261 log_info_msg "Starting git-daemon ..."
262 $GIT_BIN daemon \
263 --detach \
264 --pid-file=$PID_FILE \
265 --user=git \
266 --group=git \
267 --reuseaddr \
268 --base-path=$DFT_REPO_DIR $DFT_REPO_DIR
269 evaluate_retval
270 ;;
271
272 stop)
273 log_info_msg "Stopping git-daemon ..."
274 killproc -p $PID_FILE $GIT_BIN
275 evaluate_retval
276 ;;
277
278 restart)
279 ${0} stop
280 sleep 1
281 ${0} start
282 ;;
283
284 *)
285 echo "Usage: ${0} {start|stop|restart}"
286 exit 1
287 ;;
288esac
289
290exit 0
291
292# End /etc/rc.d/init.d/git-daemon
293EOF
294
295chmod 755 /etc/rc.d/init.d/git-daemon
296ln -v -sf ../init.d/git-daemon /etc/rc.d/rc0.d/K29git-daemon
297ln -v -sf ../init.d/git-daemon /etc/rc.d/rc1.d/K29git-daemon
298ln -v -sf ../init.d/git-daemon /etc/rc.d/rc2.d/K29git-daemon
299ln -v -sf ../init.d/git-daemon /etc/rc.d/rc3.d/S50git-daemon
300ln -v -sf ../init.d/git-daemon /etc/rc.d/rc4.d/S50git-daemon
301ln -v -sf ../init.d/git-daemon /etc/rc.d/rc5.d/S50git-daemon
302ln -v -sf ../init.d/git-daemon /etc/rc.d/rc6.d/K29git-daemon</userinput></screen>
303
304<screen role="root" revision="systemd"><userinput>cat &gt; /etc/systemd/system/git-daemon.service &lt;&lt;EOF
305[Unit]
306Description=Start Git Daemon
307
308[Service]
309ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/
310
311Restart=always
312RestartSec=500ms
313
314StandardOutput=syslog
315StandardError=syslog
316SyslogIdentifier=git-daemon
317
318User=git
319Group=git
320
321[Install]
322WantedBy=multi-user.target
323EOF</userinput></screen>
324
325 <para revision="systemd">
326 Enable and start the daemon by executing:
327 </para>
328
329<screen role="root" revision="systemd"><userinput>systemctl enable git-daemon &amp;&amp;
330systemctl start git-daemon</userinput></screen>
331
332 <para revision="sysv">
333 Start the daemon be executing
334 </para>
335<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/git-daemon start</userinput></screen>
336
337 <para>
338 In order to allow <application>git</application> to export a
339 repository, a file named <filename>git-daemon-export-ok</filename>
340 is required in each repository directory on the server. The
341 file needs no content, just its existance enables, its absence
342 disables the export of that repository.
343 </para>
344
345<screen role="root"><userinput>touch /srv/git/project1.git/git-daemon-export-ok</userinput></screen>
346
347 </sect3>
348
349 </sect2>
350
351</sect1>
Note: See TracBrowser for help on using the repository browser.