From 0d0e7e5d72cec6e839716207a7d33b777cc9754b Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Fri, 23 Jul 2010 17:03:21 +0530 Subject: [PATCH] (really big config) 2 new rc variables ...to prevent auto-creation of repos from config, and to prevent processing of ssh keys. Also doc update --- conf/example.gitolite.rc | 2 ++ doc/big-config.mkd | 42 +++++++++++++++++++++++++++------------- src/gl-compile-conf | 35 ++++++++++++++++++++++++++++----- 3 files changed, 61 insertions(+), 18 deletions(-) diff --git a/conf/example.gitolite.rc b/conf/example.gitolite.rc index 24e52a5..272d618 100644 --- a/conf/example.gitolite.rc +++ b/conf/example.gitolite.rc @@ -89,6 +89,8 @@ $GIT_PATH=""; $GL_BIG_CONFIG = 0; $GL_NO_DAEMON_NO_GITWEB = 0; +$GL_NO_CREATE_REPOS = 0; +$GL_NO_SETUP_AUTHKEYS = 0; # ---------------------------------------------------------------------- # SECURITY SENSITIVE SETTINGS diff --git a/doc/big-config.mkd b/doc/big-config.mkd index 278c152..c70b866 100644 --- a/doc/big-config.mkd +++ b/doc/big-config.mkd @@ -4,7 +4,7 @@ In this document: * when/why do we need it? * how do we use it? - * summary of settings in RC file + * other optimisations * what are the downsides? * (extra coolness) usergroups and LDAP/similar tools @@ -107,8 +107,9 @@ Just set $GL_BIG_CONFIG = 1; -in the `~/.gitolite.rc` file on the server. When you do that, and push this -configuration, the compiled file looks like this: +in the `~/.gitolite.rc` file on the server (see next section for more +variables). When you do that, and push this configuration, the compiled file +looks like this: %repos = ( '@wbr' => { 
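Review bot: Neither of the two new rc variables gets a comment in the example file, even though `$GL_NO_SETUP_AUTHKEYS` stops gitolite from rewriting `~/.ssh/authorized_keys` at all, which means a key removed from keydir stays valid unless some external system removes it. They are placed in the general section, directly above the `# SECURITY SENSITIVE SETTINGS` divider, so an admin reading only this file gets no hint that flipping them is not a harmless optimisation. I would add a comment above the pair, e.g. `# WARNING: only set these if an external system creates repos / manages ssh keys; see doc/big-config.mkd`, or move `$GL_NO_SETUP_AUTHKEYS` below the security divider.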
@@ -142,23 +143,38 @@ configuration, the compiled file looks like this: That's a lot smaller, and allows orders of magintude more repos and groups to be supported. - + -### summary of settings in RC file +### other optimisations -The default RC file contains the following lines: +The default RC file contains the following lines (we've already discussed the +first one): $GL_BIG_CONFIG = 0; $GL_NO_DAEMON_NO_GITWEB = 0; + $GL_NO_CREATE_REPOS = 0; + $GL_NO_SETUP_AUTHKEYS = 0; -The first setting means that by default, big-config is off; you can change it -to 1 to enable it. +`GL_NO_DAEMON_NO_GITWEB` is a very useful optimisation that you *must* enable +if you *do* have a large number of repositories, and do *not* use gitolite's +support for gitweb or git-daemon access (see "[easier to specify gitweb +description and gitweb/daemon access][gw]" for details). This will save a lot +of time when you push the gitolite-admin repo with changes. This variable +also control whether "git config" lines (such as `config hooks.emailprefix = +"[gitolite]"`) will be processed or not. -The second is a very useful optimisation that you *must* enable if you *do* -have a large number of repositories, and do *not* use gitolite's support for -gitweb or git-daemon access (see "[easier to specify gitweb description and -gitweb/daemon access][gw]" for details). This will save a lot of time when -you push the gitolite-admin repo with changes. +Setting this is relatively harmless to a normal installation, unlike the next +two variables :-) `GL_NO_CREATE_REPOS` and `GL_NO_SETUP_AUTHKEYS` are meant +for installations where some backend system already exists that does all the +actual repo creation, and all the authentication setup (ssh auth keys), +respectively. + +Summary: Please **leave those two variables alone** unless you're initials are +"JK" ;-) + +Also note that using all 3 of the `GL_NO_*` variables will result in +*everything* after the config compile being skipped. 
In other words, gitolite +is being used **only** for its access control language. [gw]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#gitweb diff --git a/src/gl-compile-conf b/src/gl-compile-conf index f0b27fa..d9577c8 100755 --- a/src/gl-compile-conf +++ b/src/gl-compile-conf @@ -52,7 +52,7 @@ $Data::Dumper::Sortkeys = 1; open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q'); # these are set by the "rc" file -our ($GL_ADMINDIR, $GL_CONF, $GL_KEYDIR, $GL_CONF_COMPILED, $REPO_BASE, $REPO_UMASK, $PROJECTS_LIST, $GIT_PATH, $GL_WILDREPOS, $GL_GITCONFIG_KEYS, $GL_PACKAGE_HOOKS, $GL_BIG_CONFIG, $GL_NO_DAEMON_NO_GITWEB); +our ($GL_ADMINDIR, $GL_CONF, $GL_KEYDIR, $GL_CONF_COMPILED, $REPO_BASE, $REPO_UMASK, $PROJECTS_LIST, $GIT_PATH, $GL_WILDREPOS, $GL_GITCONFIG_KEYS, $GL_PACKAGE_HOOKS, $GL_BIG_CONFIG, $GL_NO_DAEMON_NO_GITWEB, $GL_NO_CREATE_REPOS, $GL_NO_SETUP_AUTHKEYS); # and these are set by gitolite.pm our ($REPONAME_PATT, $REPOPATT_PATT, $USERNAME_PATT, $AUTH_COMMAND, $AUTH_OPTIONS, $ABRT, $WARN); @@ -395,12 +395,15 @@ print $compiled_fh Data::Dumper->Dump([\%groups], [qw(*groups)]) if $GL_BIG_CONF close $compiled_fh or die "$ABRT close compiled-conf failed: $!\n"; # ---------------------------------------------------------------------------- -# any new repos to be created? +# (that ends the config file compiler and write) # ---------------------------------------------------------------------------- -# modern gits allow cloning from an empty repo, so we just create it +# ---------------------------------------------------------------------------- +# what's the git version? +# ---------------------------------------------------------------------------- + +# we don't like stuff older than 1.6.2 -# but it turns out not everyone has "modern" gits :) my $git_version = `git --version`; die " *** ERROR *** 
@@ -418,11 +421,22 @@ die "\n\t\t***** AAARGH! *****\n" . "\tthe newer features, please upgrade.\n" if $git_version < 10602; # that's 1.6.2 to you + + +# ---------------------------------------------------------------------------- +# the rest of this program can be "switched off"; see doc/big-config.mkd for +# details. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# any new repos to be created? +# ---------------------------------------------------------------------------- + # repo-base needs to be an absolute path for this loop to work right # so if it was not already absolute, prefix $HOME. my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" ); -{ +unless ($GL_NO_CREATE_REPOS) { wrap_chdir("$repo_base_abs"); # autocreate repos. Start with the ones that are normal repos in %repos @@ -460,6 +474,10 @@ my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" # update repo configurations # ---------------------------------------------------------------------------- +# no gating required for this. If you don't have any "config" lines it won't +# run anyway. An example of a config line could be: +# config hooks.emailprefix = "[foo]" + for my $repo (keys %repo_config) { wrap_chdir("$repo_base_abs/$repo.git"); while ( my ($key, $value) = each(%{ $repo_config{$repo} }) ) { @@ -540,6 +558,9 @@ unless ($GL_NO_DAEMON_NO_GITWEB) { # "compile" ssh authorized_keys # ---------------------------------------------------------------------------- +# NOTE: for now we assume that setting up authkeys is the LAST thing we do! +exit 0 if $GL_NO_SETUP_AUTHKEYS; + my $authkeys_fh = wrap_open( "<", $ENV{HOME} . "/.ssh/authorized_keys", "\tFor security reasons, gitolite will not *create* this file if it does\n" . "\tnot already exist. Please see the \"admin\" document for details\n"); 
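Review bot: The new comment says no gating is required here, but once `$GL_NO_CREATE_REPOS` is set nothing in this program guarantees `$repo_base_abs/$repo.git` exists when the loop reaches `wrap_chdir`, so a `config` line for a repo the external backend has not created yet will presumably abort the whole compile (assuming wrap_chdir dies on failure, as the wrapper name suggests). A one-line guard before the chdir would make the skip explicit, e.g. `next unless -d "$repo_base_abs/$repo.git";` preceded by a `warn "$WARN $repo.git does not exist; skipping config lines\n";`. At minimum the comment should read `# NOTE: with GL_NO_CREATE_REPOS the repo may not exist yet; wrap_chdir will fail in that case`. The body of the `for my $repo (keys %repo_config)` loop continues past the end of the hunk.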
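Review bot: `exit 0 if $GL_NO_SETUP_AUTHKEYS;` skips the authorized_keys rewrite silently, so a key deleted from keydir keeps working until whatever external system the doc refers to removes it, and nothing tells the admin pushing gitolite-admin that this happened. STDOUT may already be redirected to /dev/null under `-q`, so STDERR is the right channel: `warn "$WARN GL_NO_SETUP_AUTHKEYS set; not touching ~/.ssh/authorized_keys\n" and exit 0 if $GL_NO_SETUP_AUTHKEYS;` (warn returns true, so the `and exit 0` is reached; `$WARN` is declared in the `our` list but its format is not visible here). It is also worth stating in the adjacent NOTE that turning the flag on after gitolite has already written the file leaves the previously generated `command=` entries in place, since this code never removes them.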
@@ -620,3 +641,7 @@ system("cat $ENV{HOME}/.ssh/authorized_keys > $ENV{HOME}/.ssh/old_authkeys"); system("cat $ENV{HOME}/.ssh/new_authkeys > $ENV{HOME}/.ssh/authorized_keys") and die "couldn't write authkeys file\n"; system("rm $ENV{HOME}/.ssh/new_authkeys"); + +# NOTE: if you're adding code here that is unrelated to setting up authkeys, +# remember that control may not reach here if a sysadm has set +# GL_NO_SETUP_AUTHKEYS in the rc file.