source: general/prog/gitserver.xml@ c4908df

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
  <!ENTITY gitgid "58">
  <!ENTITY gituid "58">
]>

<sect1 id="gitserver" xreflabel="Running a Git Server">
  <?dbhtml filename="gitserver.html"?>

  <sect1info>
  <othername>$LastChangedBy$</othername>
  <date>$Date$</date>
  </sect1info>

  <title>Running a Git Server</title>

  <sect2 role="package">
    <title>Introduction</title>

    <para>
      This section will describe how to set up, administer and secure a
      <application>git</application> server. <application>Git</application>
      has many options available. For more detailed documentation see 
      <ulink url="https://git-scm.com/book/en/v2"/>. 
    </para>

    <bridgehead renderas="sect3">Server Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="git"/> and
      <xref linkend="openssh"/>
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Setting up a Git Server</title>

    <para>
      The following instructions will install a
      <application>git</application> server. It will be set
      up to use <application>OpenSSH</application> as the secure
      remote access method.
    </para>

    <para>
      Configuration of the server consists of the following steps:
    </para>

    <sect3>
      <title>1. Setup Users, Groups, and Permissions</title>

      <para>
        You will need to be user <systemitem class='username'>root</systemitem>
        for the initial portion of configuration. Create the <systemitem
        class="username">git</systemitem> user and group with the following
        commands:
      </para>

<screen role="root"><userinput>groupadd -g &gitgid; git &amp;&amp;
useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git</userinput></screen>

      <para>
        Create some files and directories in the home directory of the git user
        allowing access to the git repository using ssh keys.
      </para>
      
<screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh &amp;&amp;
install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys
</userinput></screen>

      <para>
        For any developer who should have access to the repository
        add his/her public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
        First, prepend some options to prevent users to use the
        connection to git for port forwarding to other machines
        the git server might reach.
      </para>

<screen role="nodump"><userinput>echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &amp;&amp;
cat &lt;user-ssh-key&gt; &gt;&gt; /home/git/.ssh/authorized_keys</userinput></screen>

      <para>
        It is also useful to set the default name of the initial branch 
        of new repositories by modifying the git configuration. As the
        <systemitem class='username'>root</systemitem> user, run:
      </para>

<screen role="nodump"><userinput>git config --global init.defaultBranch trunk</userinput></screen>

      <para>
        Finally add the <filename>/usr/bin/git-shell</filename> entry to
        the <filename>/etc/shells</filename> configuration file. This shell
        has been set in the <systemitem class='username'>git</systemitem>
        user profile and is to make sure that only git related actions
        can be executed:
      </para>
      
<screen role="root"><userinput>echo "/usr/bin/git-shell" &gt;&gt; /etc/shells</userinput></screen>

    </sect3>

    <sect3>
      <title>2. Create a git repository</title>

      <para>
        The repository can be anywhere on the filesystem. It is
        important that the git user has read/write access to that
        location. We use <filename class="directory">/srv/git</filename>
        as base directory. Create a new <application>git</application>
        repository with the following commands (as the
        <systemitem class="username">root</systemitem> user):
      </para>

<screen role="root"><userinput>install -o git -g git -m755 -d /srv/git/project1.git &amp;&amp;
cd /srv/git/project1.git                             &amp;&amp;
git init --bare                                      &amp;&amp;
chown -R git:git .</userinput></screen>
    
    </sect3>

    <sect3>
      <title>3. Populate the repository from a client system</title>

      <para>
        Now that the repository is created, it can be used by the
        developers to put some files into it. Once the ssh key of
        the user is imported to git's <filename>authorized_keys</filename>
        file, the user can interact with the repository.
      </para>

      <para>
        A minimal configuration should be available on the developer's
        system specifying its user name and the email address.
        Create this minimal config file on client side:
      </para>

<screen role="nodump"><userinput>cat &gt; ~/.gitconfig &lt;&lt;EOF
[user]
        name = &lt;users-name&gt;
        email = &lt;users-email-address&gt;
EOF</userinput></screen>

      <para>
        On the developer's machine, setup some files to be pushed
        to the repository as the initial content:
      </para>

<screen role="nodump"><userinput>mkdir myproject
cd myproject
git init --initial-branch=trunk
git remote add origin git@gitserver:/srv/git/project1.git
cat &gt;README &lt;&lt;EOF
This is the README file
EOF
git add README
git commit -m 'Initial creation of README'
git push --set-upstream origin trunk</userinput></screen>

      <para>The initial content is now pushed to the server and
        is available for other users. On the current machine, the 
        argument <literal>--set-upstream origin trunk</literal> is
        now no longer required as the local repository is now
        connected to the remote repository. Subsequent pushes
        can be performed as
      </para>

<screen role="nodump"><userinput>git push</userinput></screen>
      
      <para>
        Other developers can now clone the repository and do
        modifications to the content (as long as their ssh keys
        has been installed):
      </para>

<screen role="nodump"><userinput>git clone git@gitserver:/srv/git/project1.git
cd project1
vi README
git commit -am 'Fix for README file'
git push</userinput></screen>

      <note>
        <para>
          This is a very basic server setup based on
          <application>OpenSSH</application> access. All developers are using
          the <systemitem class="username">git</systemitem> user to perform
          actions on the repository and the changes users are commiting can be
          distiguished as the local user name (see
          <filename>~/.gitconfig</filename>) is recorded in the
          changesets.</para>
      </note>

      <para>
        Access is restricted by the public keys added to git's
        <filename>authorized_keys</filename> file and there is no
        option for the public to export/clone the repository. To
        enable this, continue with step 4 to setup the git server.
      </para>

    </sect3>

    <sect3 id="gitserver-init">
      <title>4. Configure the Server</title>

      <para>
        The setup described above makes a repository available for
        authenticated users (via providing the ssh public key file).
        There is also a quite simple way to publish the 
        repository to unauthenticated users - of course without write
        access.
      </para>

      <para>
        The combination of access via ssh (for authenticated users) and
        the export of repositories to unauthenticated users via the
        daemon is in most cases enough for a development site.
      </para>
      
      <note>
        <para>
          The daemon will be reachable at port <literal>9418</literal>
          by default. Make sure that your firewall setup allows
          access to that port.
        </para>
      </note>

      <para revision="sysv">
        To start the server at boot time, install the git-daemon
        bootscript included in the <xref linkend="bootscripts"/> package:
      </para>

      <indexterm zone="gitserver gitserver-init" revision="sysv">
        <primary sortas="f-git">git</primary>
      </indexterm>

<screen role="root" revision="sysv"><userinput>make install-git-daemon</userinput></screen>

      <para revision="systemd">
        To start the server at boot time, install the
        <filename>git-daemon.service</filename> unit from the
        <xref linkend="systemd-units"/> package:
      </para>

      <indexterm zone="gitserver gitserver-init" revision="systemd">
        <primary sortas="f-gitserve">gitserve</primary>
      </indexterm>

<screen role="root" revision="systemd"><userinput>make install-git-daemon</userinput></screen>

      <para>
        In order to make <application>git</application> exporting a
        repository, a file named <filename>git-daemon-export-ok</filename>
        is required in each repository directory on the server. The
        file needs no content, just its existance enables, its absence
        disables the export of that repository.
      </para>

<screen role="root"><userinput>touch /srv/git/project1.git/git-daemon-export-ok</userinput></screen>

      <para>
        Also review the configuration file
        <filename revision="sysv">/etc/sysconfig/git-daemon</filename>
        <filename revision="systemd">/etc/default/git-daemon</filename>
        for valid repository paths.
      </para>

    </sect3>

  </sect2>

</sect1>