Tweaks and wording for git server

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24074 af4574ff-66df-0310-9fd7-8a98e5e911e0
Bruce Dubbs 2021-01-06 03:41:15 +00:00
parent 6cbbb2d60a
commit 78f55b5bee
2 changed files with 154 additions and 75 deletions


@ -7,7 +7,7 @@
<!ENTITY gituid "58">
]>
<sect1 id="gitserver" xreflabel="Running a git Server">
<sect1 id="gitserver" xreflabel="Running a Git Server">
<?dbhtml filename="gitserver.html"?>
<sect1info>
@ -15,19 +15,19 @@
<date>$Date$</date>
</sect1info>
<title>Running a git Server</title>
<title>Running a Git Server</title>
<sect2 role="package">
<title>Running a git Server</title>
<title>Introduction</title>
<para>
This section will describe how to set up, administer and secure
a <application>git</application> server. It is recommended to
have a look to the <ulink url="https://git-scm.com/book/en/v2">git-scm documentation</ulink>
as <application>git</application> has many options to set.
This section will describe how to set up, administer and secure a
<application>git</application> server. <application>Git</application>
has many options available. For more detailed documentation see
<ulink url="https://git-scm.com/book/en/v2"/>.
</para>
<bridgehead renderas="sect3">git Server Dependencies</bridgehead>
<bridgehead renderas="sect3">Server Dependencies</bridgehead>
<bridgehead renderas="sect4">Required</bridgehead>
<para role="required">
@ -38,38 +38,35 @@
</sect2>
<sect2 role="configuration">
<title>Setting up a git Server.</title>
<title>Setting up a Git Server.</title>
<para>
The following instructions will install a
<application>git</application> server, which will be set
<application>git</application> server. It will be set
up to use <application>OpenSSH</application> as the secure
remote access method.
</para>
<para>
Configuration of the <application>git</application> server
consists of the following steps:
Configuration of the server consists of the following steps:
</para>
<sect3>
<title>1. Setup Users, Groups, and Permissions</title>
<para>
You'll need to be user
<systemitem class='username'>root</systemitem> for the
initial portion of configuration. Create the <systemitem
class="username">git</systemitem> user and group with the
following commands:
You will need to be user <systemitem class='username'>root</systemitem>
for the initial portion of configuration. Create the <systemitem
class="username">git</systemitem> user and group with the following
commands:
</para>
<screen role="root"><userinput>groupadd -g &gitgid; git &amp;&amp;
useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git</userinput></screen>
<para>
Create some files and directories in the home directory
of the git user. The current approach is to allow access
to the git repository using ssh keys.
Create some files and directories in the home directory of the git user
allowing access to the git repository using ssh keys.
</para>
<screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh &amp;&amp;
@ -78,14 +75,14 @@ install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys
<para>
For any developer who should have access to the repository
add his/hers public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
Prepending some options to prevent users to use the
add his/her public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
First, prepend some options to prevent users to use the
connection to git for port forwarding to other machines
the git server might reach.
</para>
<screen role="nodump"><userinput>echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &amp;&amp;
cat users-ssh-key >> /home/git/.ssh/authorized_keys</userinput></screen>
cat &lt;user-ssh-key&gt; &gt;&gt; /home/git/.ssh/authorized_keys</userinput></screen>
</sect3>
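Review bot: The new placeholder in the second command, "cat &lt;user-ssh-key&gt; &gt;&gt; /home/git/.ssh/authorized_keys", renders with literal angle brackets, which a shell reads as redirection operators rather than a placeholder if the line is pasted. Mark it up as <replaceable>user-ssh-key</replaceable> or say in the paragraph that the name must be substituted. The echo line above it still uses a raw ">>" while this line now uses "&gt;&gt;", so escape both the same way, and "to prevent users to use the connection" in the touched sentence should read "to prevent users from using the connection".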
@ -93,8 +90,7 @@ cat users-ssh-key >> /home/git/.ssh/authorized_keys</userinput></screen>
<title>2. Create a git repository.</title>
<para>
The repository can be but has not to be in git users home
directory - it can be anywhere on the filesystem. It is
The repository can be anywhere on the filesystem. It is
important that the git user has read/write access to that
location. We use <filename class="directory">/srv/git</filename>
as base directory. Create a new <application>git</application>
@ -102,9 +98,9 @@ cat users-ssh-key >> /home/git/.ssh/authorized_keys</userinput></screen>
<systemitem class="username">root</systemitem> user):
</para>
<screen role="root"><userinput>install -o git -g git -m0755 -d /srv/git/project1.git &amp;&amp;
cd /srv/git/project1.git &amp;&amp;
git init --bare &amp;&amp;
<screen role="root"><userinput>install -o git -g git -m755 -d /srv/git/project1.git &amp;&amp;
cd /srv/git/project1.git &amp;&amp;
git init --bare &amp;&amp;
chown -R git:git .</userinput></screen>
<para>
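Review bot: The mode on the install line changes from "-m0755" to "-m755", but the install commands in step 1 keep the four-digit form ("-dm0700", "-m0600"), so the page now mixes both spellings; keep one form throughout. The re-aligned lines also gain trailing spaces before "&amp;&amp;", which end up inside the rendered screen block.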
@ -115,8 +111,8 @@ chown -R git:git .</userinput></screen>
</para>
<para>
A minimal configuration should be available on developers
machine specifying its user name and the email address.
A minimal configuration should be available on the developer's
dudyrm specifying its user name and the email address.
Create this minimal config file on client side:
</para>
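Review bot: The rewritten sentence introduces the word "dudyrm" where the old text had "machine" ("should be available on the developer's dudyrm"); it should read "the developer's machine". While the sentence is being touched, "specifying its user name" would read better as "specifying the user name".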
@ -126,24 +122,25 @@ chown -R git:git .</userinput></screen>
email = &lt;users-email-address&gt;
EOF</userinput></screen>
<para>On the developers machine, setup some files to be pushed
<para>
On the developer's machine, setup some files to be pushed
to the repository as the initial content:
</para>
<screen role="nodump"><userinput>mkdir myproject
cd myproject
git init
git init --initial-branch=main
git remote add origin git@gitserver:/srv/git/project1.git
cat &gt;README &lt;&lt;EOF
This is the README file
EOF
git add README
git commit -m 'Initial creation of README'
git push --set-upstream origin master</userinput></screen>
git push --set-upstream origin main</userinput></screen>
<para>The initial content is now pushed to the server and
is available for other users. On the current machine, the
argument <literal>--set-upstream origin master</literal> is
argument <literal>--set-upstream origin main</literal> is
now no longer required as the local repository is now
connected to the remote repository. Subsequent pushes
can be performed as
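Review bot: The client now runs "git init --initial-branch=main" and pushes "main", but the bare repository in step 2 is still created with a plain "git init --bare", so unless init.defaultBranch is set on the server its HEAD keeps pointing at the default branch name and later clones will not find the branch HEAD refers to. Create the server repository with the same --initial-branch=main, or set HEAD there after the first push. In the added paragraph, "setup some files" should be "set up some files".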
@ -165,16 +162,17 @@ git push</userinput></screen>
<note>
<para>
This is a very basic server setup based on <application>OpenSSH</application>
access. All developers are using the <systemitem
class="username">git</systemitem> user to perform actions
on the repository and the changes users are commiting can
be distiguished as the local user name (see
This is a very basic server setup based on
<application>OpenSSH</application> access. All developers are using
the <systemitem class="username">git</systemitem> user to perform
actions on the repository and the changes users are commiting can be
distiguished as the local user name (see
<filename>~/.gitconfig</filename>) is recorded in the
changesets.</para>
</note>
<para>Access is restricted by the public keys added to git's
<para>
Access is restricted by the public keys added to git's
<filename>authorized_keys</filename> file and there is no
option for the public to export/clone the repository. To
enable this, continue with step 3 to setup the git server.
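Review bot: The re-wrapped note carries the existing typos over into the new lines: "commiting" should be "committing" and "distiguished" should be "distinguished". Since these lines are rewritten anyway, fix them in this commit. In the paragraph below the note, "step 3 to setup the git server" should be "set up".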
@ -188,12 +186,12 @@ git push</userinput></screen>
<para>
The setup described above makes a repository available for
authenticated users (via providing the ssh public key file).
There is also a quite simple server to publish the
There is also a quite simple way to publish the
repository to unauthenticated users - of course without write
access.
</para>
<para>
The combination of access via ssh (for authenticated users) and
The compination of access via ssh (for authenticated users) and
the export of repositories to unauthenticated users via the
daemon is in most cases enough for a development site.
</para>
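Review bot: The second paragraph replaces "The combination of access via ssh" with "The compination of access via ssh", which introduces a typo; restore "combination". The server-to-way wording change in the first paragraph is fine.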
@ -206,36 +204,124 @@ git push</userinput></screen>
</para>
</note>
</sect3>
<sect3 id="gitserver-init">
<title>4. Starting the Server</title>
<para revision="sysv">
To start the server at boot time, install the git-daemon
bootscript included in the <xref linkend="bootscripts"/> package:
<para>
As user <systemitem class='username'>root</systemitem> do:
</para>
<screen role="root" revision="sysv"><userinput>cat &gt; /etc/rc.d/init.d/git-daemon &lt;&lt;"EOF"
#!/bin/sh
########################################################################
# Begin /etc/rc.d/init.d/git-daemon
#
# Description : Start/Stop git as a daemon
#
# Authors :
#
# Version : LFS 10.0
#
# Notes :
#
########################################################################
### BEGIN INIT INFO
# Provides: git-daemon
# Required-Start: network
# Should-Start:
# Required-Stop:
# Should-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: git as daemon
# Description:
# X-LFS-Provided-By:
### END INIT INFO
. /lib/lsb/init-functions
GIT_BIN="/usr/bin/git"
DFT_REPO_DIR="/srv/git/"
PID_FILE="/run/git-daemon.pid"
case "${1}" in
start)
log_info_msg "Starting git-daemon ..."
$GIT_BIN daemon \
--detach \
--pid-file=$PID_FILE \
--user=git \
--group=git \
--reuseaddr \
--base-path=$DFT_REPO_DIR $DFT_REPO_DIR
evaluate_retval
;;
stop)
log_info_msg "Stopping git-daemon ..."
killproc -p $PID_FILE $GIT_BIN
evaluate_retval
;;
restart)
${0} stop
sleep 1
${0} start
;;
*)
echo "Usage: ${0} {start|stop|restart}"
exit 1
;;
esac
exit 0
# End /etc/rc.d/init.d/git-daemon
EOF
chmod 755 /etc/rc.d/init.d/git-daemon
ln -v -sf ../init.d/git-daemon /etc/rc.d/rc0.d/K29git-daemon
ln -v -sf ../init.d/git-daemon /etc/rc.d/rc1.d/K29git-daemon
ln -v -sf ../init.d/git-daemon /etc/rc.d/rc2.d/K29git-daemon
ln -v -sf ../init.d/git-daemon /etc/rc.d/rc3.d/S50git-daemon
ln -v -sf ../init.d/git-daemon /etc/rc.d/rc4.d/S50git-daemon
ln -v -sf ../init.d/git-daemon /etc/rc.d/rc5.d/S50git-daemon
ln -v -sf ../init.d/git-daemon /etc/rc.d/rc6.d/K29git-daemon</userinput></screen>
<screen role="root" revision="systemd"><userinput>cat &gt; /etc/systemd/system/git-daemon.service &lt;&lt;EOF
[Unit]
Description=Start Git Daemon
[Service]
ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/
Restart=always
RestartSec=500ms
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=git-daemon
User=git
Group=git
[Install]
WantedBy=multi-user.target
EOF</userinput></screen>
<para revision="systemd">
To start the server at boot time, install the
<filename>git-daemon.service</filename> unit from the
<xref linkend="systemd-units"/> package:
Enable and start the daemon by executing:
</para>
<indexterm zone="gitserver gitserver-init" revision="sysv">
<primary sortas="f-git">git</primary>
</indexterm>
<screen role="root" revision="sysv"><userinput>make install-git-daemon</userinput></screen>
<indexterm zone="gitserver gitserver-init" revision="systemd">
<primary sortas="f-gitserve">gitserve</primary>
</indexterm>
<screen role="root" revision="systemd"><userinput>make install-git-daemon</userinput></screen>
<screen role="root" revision="systemd"><userinput>systemctl enable git-daemon &amp;&amp;
systemctl start git-daemon</userinput></screen>
<para revision="sysv">
Start the daemon be executing
</para>
<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/git-daemon start</userinput></screen>
<para>
In order to make <application>git</application> exporting a
In order to allow <application>git</application> to export a
repository, a file named <filename>git-daemon-export-ok</filename>
is required in each repository directory on the server. The
file needs no content, just its existance enables, its absence
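Review bot: In the new init script the LSB header leaves "Default-Start:" and "Default-Stop:" empty, while the ln commands at the end of the same screen start the service in runlevels 3, 4 and 5 and stop it in 0, 1, 2 and 6; fill the header in so it matches the links, and complete or drop the empty "Authors" field. In the same hunk, "Start the daemon be executing" should read "by executing", and the systemd unit is written with an unquoted "&lt;&lt;EOF" where the sysv script uses "&lt;&lt;"EOF""; quote both so the shell never expands anything in the heredoc body.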
@ -244,13 +330,6 @@ git push</userinput></screen>
<screen role="root"><userinput>touch /srv/git/project1.git/git-daemon-export-ok</userinput></screen>
<para>
Also review the configuration file
<filename revision="sysv">/etc/sysconfig/git-daemon</filename>
<filename revision="systemd">/etc/default/git-daemon</filename>
for valid repository paths.
</para>
</sect3>
</sect2>


@ -80,8 +80,8 @@
(required for Berkely Packet Filter support),
<ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink>
(required for connlabel support),
<ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink>, and
(required for connlabel support)
<ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink>
(required for connlabel support), and
<ulink url="https://netfilter.org/projects/nftables/">nftables</ulink>
</para>
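Review bot: The changed ulink line still ends its link text with a stray double quote ("libnetfilter_conntrack"</ulink>"), which will show up in the rendered page; remove it while this line is being edited. The unchanged first line of the hunk also has "Berkely", which should be "Berkeley".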