mirror of
https://github.com/Zeckmathederg/glfs.git
synced 2025-01-26 08:42:12 +08:00
b59e5eb3ea
phrasal verb, it is spelled as two words. This commit fixes most of the misspelled "set up" instances in the BLFS book.
393 lines
14 KiB
XML
393 lines
14 KiB
XML
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % general-entities SYSTEM "../../general.ent">
|
|
%general-entities;
|
|
<!ENTITY gitgid "58">
|
|
<!ENTITY gituid "58">
|
|
]>
|
|
|
|
<sect1 id="gitserver" xreflabel="Running a Git Server">
|
|
<?dbhtml filename="gitserver.html"?>
|
|
|
|
|
|
<title>Running a Git Server</title>
|
|
|
|
<sect2 role="package">
|
|
<title>Introduction</title>
|
|
|
|
<para>
|
|
This section will describe how to set up, administer and secure a
|
|
<application>git</application> server. <application>Git</application>
|
|
has many options available. For more detailed documentation see
|
|
<ulink url="https://git-scm.com/book/en/v2"/>.
|
|
</para>
|
|
|
|
<bridgehead renderas="sect3">Server Dependencies</bridgehead>
|
|
|
|
<bridgehead renderas="sect4">Required</bridgehead>
|
|
<para role="required">
|
|
<xref linkend="git"/> and
|
|
<xref linkend="openssh"/>
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2 role="configuration">
|
|
<title>Setting up a Git Server</title>
|
|
|
|
<para>
|
|
The following instructions will install a
|
|
<application>git</application> server. It will be set
|
|
up to use <application>OpenSSH</application> as the secure
|
|
remote access method.
|
|
</para>
|
|
|
|
<para>
|
|
Configuration of the server consists of the following steps:
|
|
</para>
|
|
|
|
<sect3>
|
|
<title>1. Set Up Users, Groups, and Permissions</title>
|
|
|
|
<para>
|
|
You will need to be user <systemitem class='username'>root</systemitem>
|
|
for the initial portion of configuration. Create the <systemitem
|
|
class="username">git</systemitem> user and group and set and unusable
|
|
password hash with the following commands:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>groupadd -g &gitgid; git &&
|
|
useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u &gituid; git &&
|
|
sed -i '/^git:/s/^git:[^:]:/git:NP:/' /etc/shadow</userinput></screen>
|
|
|
|
<para>
|
|
Putting in an unusable password hash (replacing the <literal>!</literal>
|
|
by <literal>NP</literal>) unlocks the account but it cannot be used
|
|
to login via password authentication. That is required by
|
|
<application>sshd</application> to work properly.
|
|
Next, create some files and directories in the home directory of the git user
|
|
allowing access to the git repository using ssh keys.
|
|
</para>
|
|
|
|
<screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh &&
|
|
install -o git -g git -m0600 /dev/null /home/git/.ssh/authorized_keys</userinput></screen>
|
|
|
|
<para>
|
|
For any developer who should have access to the repository
|
|
add his/her public ssh key to <filename>/home/git/.ssh/authorized_keys</filename>.
|
|
First, prepend some options to prevent users from using the
|
|
connection to git for port forwarding to other machines
|
|
the git server might reach.
|
|
</para>
|
|
|
|
<screen role="nodump"><userinput>echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> /home/git/.ssh/authorized_keys &&
|
|
cat <user-ssh-key> >> /home/git/.ssh/authorized_keys</userinput></screen>
|
|
|
|
<para>
|
|
It is also useful to set the default name of the initial branch
|
|
of new repositories by modifying the git configuration. As the
|
|
<systemitem class='username'>root</systemitem> user, run:
|
|
</para>
|
|
|
|
<screen role="nodump"><userinput>git config --system init.defaultBranch trunk</userinput></screen>
|
|
|
|
<para>
|
|
Finally add the <filename>/usr/bin/git-shell</filename> entry to
|
|
the <filename>/etc/shells</filename> configuration file. This shell
|
|
has been set in the <systemitem class='username'>git</systemitem>
|
|
user profile and is to make sure that only git related actions
|
|
can be executed:
|
|
</para>
|
|
|
|
<screen role="root"><userinput>echo "/usr/bin/git-shell" >> /etc/shells</userinput></screen>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>2. Create a git repository</title>
|
|
|
|
<para>
|
|
The repository can be anywhere on the filesystem. It is
|
|
important that the git user has read/write access to that
|
|
location. We use <filename class="directory">/srv/git</filename>
|
|
as base directory. Create a new <application>git</application>
|
|
repository with the following commands (as the
|
|
<systemitem class="username">root</systemitem> user):
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
In all the instructions below, we use <emphasis>project1</emphasis>
|
|
as an example repository name. You should name your repository
|
|
as a short descriptive name for your specific project.
|
|
</para>
|
|
</note>
|
|
|
|
<screen role="root"><userinput>install -o git -g git -m755 -d /srv/git/project1.git &&
|
|
cd /srv/git/project1.git &&
|
|
git init --bare &&
|
|
chown -R git:git .</userinput></screen>
|
|
|
|
</sect3>
|
|
|
|
<sect3>
|
|
<title>3. Populate the repository from a client system</title>
|
|
|
|
<note>
|
|
<para>
|
|
All the instructions in this section and the next should
|
|
be done on a user system, not the server system.
|
|
</para>
|
|
</note>
|
|
|
|
<para>
|
|
Now that the repository is created, it can be used by the
|
|
developers to put some files into it. Once the ssh key of
|
|
the user is imported to git's <filename>authorized_keys</filename>
|
|
file, the user can interact with the repository.
|
|
</para>
|
|
|
|
<para>
|
|
A minimal configuration should be available on the developer's
|
|
system specifying its user name and the email address.
|
|
Create this minimal config file on client side:
|
|
</para>
|
|
|
|
<screen role="nodump"><userinput>cat > ~/.gitconfig <<EOF
|
|
[user]
|
|
name = <users-name>
|
|
email = <users-email-address>
|
|
EOF</userinput></screen>
|
|
|
|
<para>
|
|
On the developer's machine, set up some files to be pushed
|
|
to the repository as the initial content:
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
The <emphasis>gitserver</emphasis> term used below
|
|
should be the host name (or ip address) of the git server.
|
|
</para>
|
|
</note>
|
|
|
|
<screen role="nodump"><userinput>mkdir myproject
|
|
cd myproject
|
|
git init --initial-branch=trunk
|
|
git remote add origin git@gitserver:/srv/git/project1.git
|
|
cat >README <<EOF
|
|
This is the README file
|
|
EOF
|
|
git add README
|
|
git commit -m 'Initial creation of README'
|
|
git push --set-upstream origin trunk</userinput></screen>
|
|
|
|
<para>The initial content is now pushed to the server and
|
|
is available for other users. On the current machine, the
|
|
argument <literal>--set-upstream origin trunk</literal> is
|
|
now no longer required as the local repository is now
|
|
connected to the remote repository. Subsequent pushes
|
|
can be performed as
|
|
</para>
|
|
|
|
<screen role="nodump"><userinput>git push</userinput></screen>
|
|
|
|
<para>
|
|
Other developers can now clone the repository and do
|
|
modifications to the content (as long as their ssh keys
|
|
has been installed):
|
|
</para>
|
|
|
|
<screen role="nodump"><userinput>git clone git@gitserver:/srv/git/project1.git
|
|
cd project1
|
|
vi README
|
|
git commit -am 'Fix for README file'
|
|
git push</userinput></screen>
|
|
|
|
<note>
|
|
<para>
|
|
This is a very basic server setup based on
|
|
<application>OpenSSH</application> access. All developers are using
|
|
the <systemitem class="username">git</systemitem> user to perform
|
|
actions on the repository and the changes users are committing can be
|
|
distinguished as the local user name (see
|
|
<filename>~/.gitconfig</filename>) is recorded in the
|
|
changesets.
|
|
</para>
|
|
</note>
|
|
|
|
<para>
|
|
Access is restricted by the public keys added to git's
|
|
<filename>authorized_keys</filename> file and there is no
|
|
option for the public to export/clone the repository. To
|
|
enable this, continue with step 4 to set up the git server
|
|
for public read-only access.
|
|
</para>
|
|
|
|
<para>
|
|
In the URL used to clone the project, the absolute path (here
|
|
<filename>/srv/git/project1.git</filename>) has to be specified
|
|
as the repository is not in git's home directory but in
|
|
<filename class="directory">/srv/git</filename>. To get rid of the
|
|
need to expose the structure of the server installation, a symlink
|
|
can be added in git's home directory for each project like this:
|
|
</para>
|
|
<screen role="nodump"><userinput>ln -svf /srv/git/project1.git /home/git/</userinput></screen>
|
|
|
|
<para>
|
|
Now, the repository can be cloned using
|
|
</para>
|
|
<screen role="nodump"><userinput>git clone git@gitserver:project1.git</userinput></screen>
|
|
|
|
</sect3>
|
|
|
|
<sect3 id="gitserver-init">
|
|
<title>4. Configure the Server</title>
|
|
|
|
<para>
|
|
The setup described above makes a repository available for
|
|
authenticated users (via providing the ssh public key file).
|
|
There is also a simple way to publish the
|
|
repository to unauthenticated users — of course without write
|
|
access.
|
|
</para>
|
|
|
|
<para>
|
|
The combination of access via ssh (for authenticated users) and
|
|
the export of repositories to unauthenticated users via the
|
|
daemon is in most cases enough for a development site.
|
|
</para>
|
|
|
|
<note>
|
|
<para>
|
|
The daemon will be reachable at port <literal>9418</literal>
|
|
by default. Make sure that your firewall setup allows
|
|
access to that port.
|
|
</para>
|
|
</note>
|
|
|
|
<para revision="sysv">
|
|
To start the server at boot time, install the git-daemon
|
|
bootscript included in the <xref linkend="bootscripts"/> package:
|
|
</para>
|
|
|
|
<indexterm zone="gitserver gitserver-init" revision="sysv">
|
|
<primary sortas="f-git">git</primary>
|
|
</indexterm>
|
|
|
|
<screen role="root" revision="sysv"><userinput>make install-git-daemon</userinput></screen>
|
|
|
|
<para revision="systemd">
|
|
To start the server at boot time, install the
|
|
<filename>git-daemon.service</filename> unit from the
|
|
<xref linkend="systemd-units"/> package:
|
|
</para>
|
|
|
|
<indexterm zone="gitserver gitserver-init" revision="systemd">
|
|
<primary sortas="f-gitserve">gitserve</primary>
|
|
</indexterm>
|
|
|
|
<screen role="root" revision="systemd"><userinput>make install-git-daemon</userinput></screen>
|
|
|
|
<para>
|
|
In order to allow <application>git</application> to export a
|
|
repository, a file named <filename>git-daemon-export-ok</filename>
|
|
is required in each repository directory on the server. The
|
|
file needs no content, just its existence enables, its absence
|
|
disables the export of that repository.
|
|
</para>
|
|
|
|
<screen role="root"><userinput>touch /srv/git/project1.git/git-daemon-export-ok</userinput></screen>
|
|
|
|
<para revision="sysv">
|
|
The script to start the git daemon uses some default values
|
|
internally. Most important is the path to the repository
|
|
directory which is set to <filename class="directory">/srv/git</filename>.
|
|
In case you have for whatever reason created the repository in a
|
|
different location, you'll need to tell the boot script where the
|
|
repository is to be found. This can be achieved by creating a
|
|
configuration file named <filename>/etc/sysconfig/git-daemon</filename>.
|
|
This configuration file will be imported if it exists, meaning it is
|
|
optional. The file can look like:</para>
|
|
<screen revision="sysv">
|
|
# Begin /etc/sysconfig/git-daemon
|
|
|
|
# Specify the location of the git repository
|
|
GIT_BASE_DIR="/srv/git/"
|
|
|
|
# Directories added to whitelist
|
|
DFT_REPO_DIR="$GIT_BASE_DIR"
|
|
|
|
# Add extra options which will appended to the 'git daemon'
|
|
# command executed in the boot script
|
|
GIT_DAEMON_OPTS=""
|
|
|
|
# End /etc/sysconfig/git-daemon
|
|
</screen>
|
|
<para revision="systemd">
|
|
Along with the <filename>git-daemon.service</filename> unit, a
|
|
configuration file named <filename>/etc/default/git-daemon</filename>
|
|
has been installed. Review this configuration file to match your
|
|
needs.
|
|
</para>
|
|
|
|
<para>
|
|
There are only three options to set in the configuration file:
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
GIT_BASE_DIR=<dirname>
|
|
</para>
|
|
<para>Specify the location of the git repositories.
|
|
Relative paths used when accessing the daemon will
|
|
translated relative to this directory.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
DFT_REPO_DIR=<dirname>
|
|
</para>
|
|
<para>This directory is added to the white list of allowed
|
|
directories. This variable can hold multiple directory
|
|
names but is usually set equal to <literal>GIT_BASE_DIR</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
GIT_DAEMON_OPTS=<options>
|
|
</para>
|
|
<para>
|
|
In case special options to the <command>git daemon</command>
|
|
command are needed, they have to be specified in this setting.
|
|
One example might be to adjust the port number where daemon is
|
|
listening. In this case, add <literal>--port=<port
|
|
number></literal> to this variable. For more information
|
|
about which options can be set, take a look at the output of
|
|
<command>git daemon --help</command>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
|
|
<para>
|
|
After starting the daemon, unauthenticated users can clone exported
|
|
repositories by using
|
|
</para>
|
|
<screen role="nodump"><userinput>git clone git://gitserver/project1.git</userinput></screen>
|
|
|
|
<para>
|
|
As the base directory is <filename class="directory">/srv/git</filename>
|
|
by default (or set to a custom value in the configuration),
|
|
<application>git</application> interprets the incoming path
|
|
(/project1.git) relative to that base directory so that the repository
|
|
in <filename class="directory">/srv/git/project1.git</filename> is
|
|
served.
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|