gitolite-gitweb-http-backend
You've been tasked with rolling out gitolite and git-web in your corporate environment and your requirements are as follows:
Note that these instructions are geared toward OpenSuSE 11.4. Feel free to modify the examples below to your environment.
The following assumptions are made for the purposes of example:
/srv/git
and are owned by the git
userwwwrun:www
will be used as the web serverThe repositories can be cloned from the following URLs:
HTTP authentication is handled via a local htpasswd file
Install gitolite via your package management tools. Under OpenSuSE, this will
install repositories in /srv/git
. Follow the instructions found
[here][install] for initial set up.
You will need to tell gitolite.rc about some additional keys that will
be needed for each repository. Make sure the following config option
is set in /srv/git/.gitolite.rc
:
$GL_GITCONFIG_KEYS = "gitweb.url receive.denyNonFastforwards receive.denyDeletes";
These options tell gitolite to allow the user to set these values in
gitolite.conf
, which in turn will be propagated to each
repositories git config.
For the purposes of example, we assume that we have two groups accessing each repository: engineering and operations. So, our gitolite.conf
file will look something like this:
#
# Group Definitions
#
@engineering = daniel erik alex jose mark
@operations = james chris long bora dmitriy
@gladmin = james chris
#
# Repository Definitions
#
# Note that we give access to the daemon user, thus enabling
# git-daemon-export-ok (see
# https://github.com/sitaramc/gitolite/blob/pu/doc/2-admin.mkd#gwd)
repo gitolite-admin
RW = @sysops daemon
R = @all
repo engineering
RW = @engineering @gladmin daemon
R = @all
config gitweb.url = git@git.example.com:engineering
config receive.denyNonFastforwards = true
config receive.denyDeletes = true
repo operations
RW = @operations @engineering @gladmin daemon
R = @all
config gitweb.url = git@git.example.com:operations
config receive.denyNonFastforwards = true
config receive.denyDeletes = true
repo @all
R = daemon gitweb
# additional configuration ...
Save, commit, and push your changes to the gitolite-admin repo as described [here][conf].
Under OpenSuSE 11.4, Apache runs as user wwwrun
group www
(see /etc/apache2/uid.conf
). But wait! How can Apache running as wwwrun
commit to git repositories, which are owned by git
?
Enter SuExec. This is an apache module that allows apache to run
under the auspicious of a different user. For this to work, we need
to do some setup ahead of time. First, we need to make sure the
suexec
program has the right permissions:
# OpenSuSE 11.4 puts the suexec program under /usr/sbin/suexec2
$ chgrp www /usr/sbin/suexec2
$ chmod 4750 /usr/sbin/suexec2
# Verify permissions
$ ls -al /usr/sbin/suexec2
-rwsr-x--- 1 root www 14944 Feb 18 20:53 /usr/sbin/suexec2
Next, we need to create a wrapper script for the suexec program and place that under the correct directory. To find out the where to place the wrapper script, do the following:
$ /usr/sbin/suexec2 -V
-D AP_DOC_ROOT="/srv/www"
-D AP_GID_MIN=96
-D AP_HTTPD_USER="wwwrun"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=96
-D AP_USERDIR_SUFFIX="public_html"
The variable we are interested in is AP_DOC_ROOT
which is
/srv/www
. So, we place the wrapper script in
/srv/www/bin/gitolite-suexec-wrapper.sh
with the following contents:
#!/bin/bash
#
# Wrapper for gl-auth-command
#
USER=$1
export GIT_PROJECT_ROOT="/srv/git/projects"
export GITOLITE_HTTP_HOME="/srv/git"
# OpenSuSE gitolite RPM places gl-auth-command in /usr/bin
exec /usr/bin/gl-auth-command $USER
# End
For security purposes, this file MUST exist under /srv/www
!
Finally, make sure Apache loads the suexec module. Under OpenSuSE,
this would mean adding "suexec" to APACHE_MODULES
in
/etc/sysconfig/apache2
.
As gitweb will now be run under the git
user, all files must be
under /srv/www
as well.
# Under OpenSuSe, git-web installs in /usr/share/gitweb
$ cp -r /usr/share/gitweb /srv/www
$ chown -R git.git /srv/www/gitweb
Do not forget to point $projectroot
in /etc/gitweb.conf
to
/srv/git/projects
!
Configure your virtual host as follows:
<VirtualHost git.example.com:80>
ServerName git.example.com
ServerAlias git
# By default, use gitweb
DocumentRoot /srv/www/gitweb
# Suexec setup
SuexecUserGroup git git
# Set up appropriate GIT environments
SetEnv GIT_PROJECT_ROOT /srv/git/projects
SetEnv GIT_HTTP_EXPORT_ALL
# Set up appropriate gitolite environment
SetEnv GITOLITE_HTTP_HOME /srv/git
# To serve gitweb at the same url, use a ScriptAliasMatch to
# only those URLs that git http-backend can handle, and
# forward the rest to gitweb:
ScriptAliasMatch \
"(?x)^/(.*/(HEAD | \
info/refs | \
objects/(info/[^/]+ | \
[0-9a-f]{2}/[0-9a-f]{38} | \
pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
git-(upload|receive)-pack))$" \
/srv/www/bin/gitolite-suexec-wrapper.sh/$1
# Make sure we can execute gitweb okay
<Directory "/srv/www/gitweb">
Options ExecCGI
AllowOverride None
AddHandler cgi-script .cgi
DirectoryIndex gitweb.cgi
Order allow,deny
Allow from all
</Directory>
# We need gl-auth-command executable
<Directory "/srv/www/gitbin">
<Files "gitolite-suexec-wrapper.sh">
Order allow,deny
Allow from all
</Files>
</Directory>
# Set up authentication to taste
<Location />
AuthType Basic
AuthName "Private Git Access"
Require valid-user
AuthUserFile /srv/git/passfile
</Location>
</VirtualHost>
Once apache has been restarted, verify your configuration:
Christopher M. Fuhrman << cfuhrman at panix dot com >>