These options tell gitolite to allow the user to set these values in
`gitolite.conf`, which in turn will be propagated to each
repository's git config.
<a name="_gitolite_conf"></a>
#### gitolite.conf
For the purposes of example, we assume that we have two groups accessing each repository: engineering and operations. So, our `gitolite.conf` file will look something like this:
Under OpenSuSE 11.4, Apache runs as user `wwwrun` group `www` (see `/etc/apache2/uid.conf`). But wait! How can Apache running as `wwwrun` commit to git repositories, which are owned by `git`?
<a name="_suexec"></a>
#### suexec
Enter SuExec. This is an Apache module that allows Apache to run
CGI programs under the auspices of a different user. For this to work,
we need to do some setup ahead of time. First, we need to make sure the
`suexec` program has the right permissions:

    # OpenSuSE 11.4 puts the suexec program under /usr/sbin/suexec2
    $ chgrp www /usr/sbin/suexec2
    $ chmod 4750 /usr/sbin/suexec2
    # Verify permissions
    $ ls -al /usr/sbin/suexec2
    -rwsr-x--- 1 root www 14944 Feb 18 20:53 /usr/sbin/suexec2

Next, we need to create a wrapper script for the suexec program and
place it under the correct directory. To find out where to
place the wrapper script, do the following:

    $ /usr/sbin/suexec2 -V
     -D AP_DOC_ROOT="/srv/www"
     -D AP_GID_MIN=96
     -D AP_HTTPD_USER="wwwrun"
     -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
     -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
     -D AP_UID_MIN=96
     -D AP_USERDIR_SUFFIX="public_html"

The variable we are interested in is `AP_DOC_ROOT` which is
`/srv/www`. So, we place the wrapper script in
`/srv/www/bin/gitolite-suexec-wrapper.sh` with the following contents:

    #!/bin/bash
    #
    # Wrapper for gl-auth-command
    #
    USER=$1
    export GIT_PROJECT_ROOT="/srv/git/projects"
    export GITOLITE_HTTP_HOME="/srv/git"
    # OpenSuSE gitolite RPM places gl-auth-command in /usr/bin
    # Pass the user as a single word; pass no argument when it is empty
    exec /usr/bin/gl-auth-command ${USER:+"$USER"}
    # End

_For security purposes, this file MUST exist under `/srv/www`!_
Finally, make sure Apache loads the suexec module. Under OpenSuSE,
this would mean adding "suexec" to `APACHE_MODULES` in
`/etc/sysconfig/apache2`.
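
As an added example (not part of the original guide or of gitolite), the script below checks the wrapper against conditions from Apache's documented suexec security model: the wrapper's directory lies under `AP_DOC_ROOT`, neither the directory nor the file is writable by group or other, both are owned by the `SuexecUserGroup` user and group, and the file is not setuid or setgid. The function name `check_suexec_target` and its argument order are made up for this example.

```shell
#!/bin/bash
# Added example: pre-flight check of the ownership and permission conditions
# suexec applies to a CGI target. Paths and ids are passed as arguments.

# check_suexec_target WRAPPER DOC_ROOT USER GROUP   (hypothetical helper)
# Prints each failed condition; returns 1 if any failed, 0 otherwise.
check_suexec_target() {
    local wrapper="$1" docroot="$2" user="$3" group="$4" rc=0 dir root p
    if [ ! -f "$wrapper" ]; then
        echo "FAIL: $wrapper does not exist or is not a regular file"
        return 1
    fi
    # Resolve symlinks so the containment test uses physical paths.
    dir=$(cd "$(dirname -- "$wrapper")" && pwd -P) || return 1
    root=$(cd "$docroot" && pwd -P) || return 1
    case "$dir/" in
        "$root"/*) ;;
        *) echo "FAIL: $dir is not inside $root"; rc=1 ;;
    esac
    for p in "$dir" "$wrapper"; do
        # Group- or world-writable directory or target is refused.
        if [ -n "$(find "$p" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
            echo "FAIL: $p is writable by group or other"; rc=1
        fi
        # Directory and target must both belong to the SuexecUserGroup identity.
        if [ -z "$(find "$p" -maxdepth 0 -user "$user" -group "$group")" ]; then
            echo "FAIL: $p is not owned by $user:$group"; rc=1
        fi
    done
    # A setuid or setgid target is rejected.
    if [ -n "$(find "$wrapper" -maxdepth 0 \( -perm -4000 -o -perm -2000 \))" ]; then
        echo "FAIL: $wrapper is setuid or setgid"; rc=1
    fi
    [ -x "$wrapper" ] || { echo "FAIL: $wrapper is not executable"; rc=1; }
    return "$rc"
}

# Runs only when four arguments are given, for example:
#   ./check.sh /srv/www/bin/gitolite-suexec-wrapper.sh /srv/www git git
if [ "$#" -eq 4 ]; then
    check_suexec_target "$@"
fi
```

When a check fails on a live system, the matching refusal appears in the file named by `AP_LOG_EXEC`.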
<a name="_Gitweb"></a>
#### Gitweb
As gitweb will now be run under the `git` user, all files must be
under `/srv/www` as well.

    # Under OpenSuSE, git-web installs in /usr/share/gitweb
    $ cp -r /usr/share/gitweb /srv/www
    $ chown -R git:git /srv/www/gitweb

Do not forget to point `$projectroot` in `/etc/gitweb.conf` to
`/srv/git/projects`!
<a name="_Virtual_Host"></a>
#### Virtual Host
Configure your virtual host as follows:

    <VirtualHost git.example.com:80>
        ServerName git.example.com
        ServerAlias git

        # By default, use gitweb
        DocumentRoot /srv/www/gitweb

        # Suexec setup
        SuexecUserGroup git git

        # Set up appropriate GIT environments
        SetEnv GIT_PROJECT_ROOT /srv/git/projects
        SetEnv GIT_HTTP_EXPORT_ALL

        # Set up appropriate gitolite environment
        SetEnv GITOLITE_HTTP_HOME /srv/git

        # To serve gitweb at the same url, use a ScriptAliasMatch to
        # only those URLs that git http-backend can handle, and
        # forward the rest to gitweb:
        ScriptAliasMatch \
            "(?x)^/(.*/(HEAD | \
                info/refs | \
                objects/(info/[^/]+ | \
                    [0-9a-f]{2}/[0-9a-f]{38} | \
                    pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                git-(upload|receive)-pack))$" \
            /srv/www/bin/gitolite-suexec-wrapper.sh/$1

        # Make sure we can execute gitweb okay
        <Directory "/srv/www/gitweb">
            Options ExecCGI
            AllowOverride None
            AddHandler cgi-script .cgi
            DirectoryIndex gitweb.cgi
            Order allow,deny
            Allow from all
        </Directory>

        # We need gl-auth-command executable
        <Directory "/srv/www/bin">
            <Files "gitolite-suexec-wrapper.sh">
                Order allow,deny
                Allow from all
            </Files>
        </Directory>

        # Set up authentication to taste
        <Location />
            AuthType Basic
            AuthName "Private Git Access"
            Require valid-user
            AuthUserFile /srv/git/passfile
        </Location>
    </VirtualHost>

<a name="_VALIDATION"></a>
### VALIDATION
Once apache has been restarted, verify your configuration: