Version 58, last updated by JobGovernor at August 22, 2011 01:53 UTC

These instructions are too complicated for develbox and need cleanup in my opinion. Not everything is strictly necessary for people who want simple setup on localhost.

I agree with the above statement. For most of development we do not need to have authentication and authorization (that will simplify things a great deal for a common developer). I.e. I am stuck on Git tool setup on Mac, because stuff does not compile, so once I have time to go back and finish it I will provide "easy" instructions without auth. - Gintautas

A git server hosts git repositories and serves them to git clients. It uses the Ernie Control Center to serve the RPC calls that implement the Source/Git tool: creating, destroying, and copying repositories, and providing information for the code browser.

The patched sshd accepts connections and looks up the fingerprint of the client's SSH key in the mounted FUSE directory. The FUSE daemon looks up the public key in the database and authenticates users via SSH. The FUSE daemon then invokes a command (rgitosis), which authorizes the user to access repositories.

This will not run under Windows. These instructions are for Debian, and they may work for Ubuntu.  You can run this server on a virtual machine.

Install the Control Center

Install the Control Center using these instructions.

Consider installing and setting up the Control Center with SVN first.

Install Software

  1. Git (see the Git home page):
    • sudo apt-get install git-core git-daemon-run
  2. FuseFS:
    • sudo apt-get install libfusefs-ruby fuse-utils libfuse-dev libfuse2
    • Download FuseFS source, extract it, and type sudo ruby setup.rb inside that directory.
  3. Patched OpenSSH:
    • Download patch
    • sudo apt-get install libwrap0-dev libedit-dev
      sudo apt-get source openssh
      cd openssh-5.5p1
      sudo patch -p1 < ../fp_token.patch
      sudo ./configure --prefix=/srv/sshd --disable-strip --with-privsep-path=/var/run/sshd --without-rand-helper --with-tcp-wrappers --with-pam --with-libedit --with-ssl-engine --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-cflags='-O2 -fPIE -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSH_EXTRAVERSION=\"Debian-5-assembla\"' --with-ldflags='-fPIE -pie' --without-pam
      sudo make
      sudo make install

      Note: On a 64-bit OS, add the option --build=x86_64-linux-gnu to the ./configure command above.

  4. Subversion bindings (these are needed even if you are not serving Subversion repositories):
    • apt-get install libsvn-ruby

Configure

  • Create the git user:
    sudo groupadd git
    sudo useradd -d /opt/breakout/git -m -r -s /bin/sh -g git git
  • Add the git user to the group that owns the breakout-control project (for me it's www-data) and give that group sufficient permissions on the breakout-control directory. This is needed so that the git post-receive hook can write to breakout-control/log/git_hooks.log. If you enable debug-level logging in rgitosis.yml (explained later), you will see any permission problems when pushing to a git repository:
    sudo usermod -a -G www-data git
    sudo chmod -R 775 <breakout_control_project_path>
  • Tell git-daemon where the public repositories are by editing the last line of /etc/sv/git-daemon/run. In this case the path to the public repositories is /opt/breakout/git_public:
    #!/bin/sh
    exec 2>&1
    echo 'git-daemon starting.'
    exec chpst -ugitdaemon \
      "$(git --exec-path)"/git-daemon --verbose --base-path=/opt/breakout/git_public /opt/breakout/git_public
  • Create sshd service.
    sudo mkdir /etc/sv/patched-sshd

    Create a file named run in the dir you just created:

    #!/bin/sh
    exec /srv/sshd/sbin/sshd -D

    Enable the service:

    sudo chmod +x /etc/sv/patched-sshd/run
    sudo update-service --add /etc/sv/patched-sshd
  • Create fuse-ssh-authd service.
    sudo mkdir /etc/sv/fuse-ssh-authd
    In file /etc/sv/fuse-ssh-authd/run put this:
    #!/bin/sh
    export HOME=/root
    exec <absolute_path_to_breakout_control>/bin/fuse-ssh-authd.rb

    Enable the service:

    sudo chmod +x /etc/sv/fuse-ssh-authd/run
    sudo update-service --add /etc/sv/fuse-ssh-authd

    Copy breakout-control/etc/fuse-ssh-authd.yml.example to /root/.config/fuse-ssh-authd.yml and configure DB access and mount point details. This file will look something like this:

    mount_point: /mnt/fuse
    mysql:
        host: localhost
        database: breakout_development
        username: root
        password:
  • Enable logging for fuse-ssh-authd

    sudo mkdir /etc/sv/fuse-ssh-authd/log

    Create file /etc/sv/fuse-ssh-authd/log/run
    #!/bin/sh

    set -e

    LOG=/var/log/fuse
    test -d "$LOG" || mkdir -p -m2770 "$LOG"
    exec svlogd -tt "$LOG"

    Enable the service:

    sudo chmod +x /etc/sv/fuse-ssh-authd/log/run
  • Copy breakout-control/etc/rgitosis.yml.example to /opt/breakout/git/.config/rgitosis.yml and configure DB access and base git repositories directory details. This config file might look like this:
    ---
    :database: mysql://root@localhost/breakout_development
    :git_base_dir: /opt/breakout/git/repositories
    :git_tool_ids:
    - 100
    - 128
    :log_level: DEBUG

    rgitosis must also be executable by simply calling the command rgitosis. Note that it is expected to raise errors when run manually from a terminal; just make sure the command is recognized.

    sudo ln -s /bin/rgitosis /usr/local/bin/rgitosis
  • Edit /srv/sshd/etc/sshd_config file to have:
    AuthorizedKeysFile      /mnt/fuse/%t-%f.authorized_keys
    NOTE: Replace "/mnt/fuse" with the FuseFS mount point specified in /root/.config/fuse-ssh-authd.yml.
    NOTE 2: Comment out any other AuthorizedKeysFile lines, e.g. AuthorizedKeysFile .ssh/authorized_keys
  • Allow Control Center to create git repositories:
    chgrp -R www-data ~git/repositories
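
A quick way to verify the two notes on sshd_config above, as an added example that is not part of the Breakout code base: the script checks that exactly one AuthorizedKeysFile directive is active and that its path lies under the mount_point from fuse-ssh-authd.yml. The function names and the temporary sample files are constructed for illustration; on a real host, pass /srv/sshd/etc/sshd_config and /root/.config/fuse-ssh-authd.yml instead.

```sh
#!/bin/sh
# Added example (not Breakout code): confirm the patched sshd reads keys only
# from the FuseFS mount. Function names and sample files are constructed.

# Top-level mount_point value from fuse-ssh-authd.yml, trailing slash removed.
fuse_mount_point() {
    mp=$(awk '/^mount_point:/ { print $2; exit }' "$1")
    printf '%s\n' "${mp%/}"
}

# Values of all active (uncommented) AuthorizedKeysFile directives, one per line.
active_keyfiles() {
    awk 'tolower($1) == "authorizedkeysfile" { print $2 }' "$1"
}

# $1 = sshd_config, $2 = fuse-ssh-authd.yml; returns 0 only when exactly one
# directive is active and its path lies under the FuseFS mount point.
check_sshd_fuse() {
    mount=$(fuse_mount_point "$2")
    if [ -z "$mount" ]; then echo "FAIL: no mount_point in $2"; return 1; fi
    files=$(active_keyfiles "$1")
    count=$(printf '%s\n' "$files" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "FAIL: $count active AuthorizedKeysFile directives, expected 1"
        return 1
    fi
    case "$files" in
        "$mount"/*) echo "OK: $files"; return 0 ;;
        *) echo "FAIL: $files is not under $mount"; return 1 ;;
    esac
}

# Constructed sample input: the page's YAML, a config with the stock directive
# still active, and one with it commented out as NOTE 2 asks.
demo=$(mktemp -d)
printf 'mount_point: /mnt/fuse\nmysql:\n    host: localhost\n' > "$demo/authd.yml"
printf '%s\n' 'Port 22' 'AuthorizedKeysFile .ssh/authorized_keys' \
    'AuthorizedKeysFile /mnt/fuse/%t-%f.authorized_keys' > "$demo/bad_config"
printf '%s\n' 'Port 22' '#AuthorizedKeysFile .ssh/authorized_keys' \
    'AuthorizedKeysFile /mnt/fuse/%t-%f.authorized_keys' > "$demo/good_config"
check_sshd_fuse "$demo/bad_config" "$demo/authd.yml" || true
check_sshd_fuse "$demo/good_config" "$demo/authd.yml" || true
```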

Configure and launch control center

  • Install initial configuration file:
    cd breakout-control/etc 
    cp control.yml.example control.yml
  • Edit control.yml for these git parameters:
    git:
      base_dir: /opt/breakout/git/repositories
      git_daemon_dir: /opt/breakout/git_public
      # It must be absolute path because this hook is linked to from each repository.
      post_receive_hook: <absolute_path_to_breakout_control>/hooks/git/git-post-receive.rb
  • Launch Ernie Control Center under the Apache user (in two different console windows):
    rake ernie
    rake ernie_fs
    To halt the Ernie Control Center: Control+G and then q.
  • Check logs for warnings or errors:
    more breakout-control/tmp/control.log
    more /var/log/git-daemon

Setup Breakout

You must configure Breakout for a Source/Git tool server.

  • Log in as the super user; the default login/password is super/super.
  • Open your /tool_servers page, by default http://localhost:3000/tool_servers
  • Add a new tool server for "Source/Git" (if not already there).
  • Configure the "Dns name" and "Private dns name" of your git server.
  • Be sure to check the "For new" and "Is Active" checkboxes.

Appendix: Mac OSX Leopard notes

We do not support this configuration. We use only Debian Linux. However, here are some notes: No idea if the method above works for OSX. No way for me to test it.

Installing gitosis:
    mkdir src
    cd src
    git clone git://eagain.net/gitosis.git
    cd gitosis
    sudo python setup.py install
Creating new "git" user:
    sudo dscl . create groups/git
    sudo dscl . create groups/git gid 401
    sudo dscl . create users/git
    sudo dscl . create users/git uid 401
    sudo dscl . create users/git NFSHomeDirectory /Users/git
    sudo dscl . create users/git gid 401
    sudo dscl . create users/git UserShell /bin/bash
    sudo dscl . create users/git Password '*'
    sudo mkdir /Users/git
    sudo chown git /Users/git
    sudo chgrp git /Users/git
Generating new ssh key for Apache user:
    cd /Users/git; sudo su git
    ssh-keygen -t dsa
Initialize and check out gitosis-admin repository in Apache home directory:
    gitosis-init < /Users/git/.ssh/id_dsa.pub
    git clone git@localhost:gitosis-admin.git
Edit control.yml for these git parameters:
    git:
      base_dir: /Users/git/repositories
      base_url: git@<IP address of this git server>
      gitosis_dir: /Users/git/gitosis-admin
      git_daemon_dir: /Users/git
      post_receive_hook: hooks/git/git-post-receive.rb