deac/gitolite
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

(really big config) 2 new rc variables

Browse source 
...to prevent auto-creation of repos from config, and to prevent
processing of ssh keys.  Also doc update
This commit is contained in:
Sitaram Chamarty 2010-07-23 17:03:21 +05:30
parent 988934dec1
commit 0d0e7e5d72
3 changed files with 61 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
conf/example.gitolite.rc
View file

@ -89,6 +89,8 @@ $GIT_PATH="";
$GL_BIG_CONFIG = 0; $GL_BIG_CONFIG = 0;
$GL_NO_DAEMON_NO_GITWEB = 0; $GL_NO_DAEMON_NO_GITWEB = 0;
$GL_NO_CREATE_REPOS = 0;
$GL_NO_SETUP_AUTHKEYS = 0;
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# SECURITY SENSITIVE SETTINGS # SECURITY SENSITIVE SETTINGS

42
doc/big-config.mkd
View file

@ -4,7 +4,7 @@ In this document:
* <a href="#when_why_do_we_need_it_">when/why do we need it?</a> * <a href="#when_why_do_we_need_it_">when/why do we need it?</a>
* <a href="#how_do_we_use_it_">how do we use it?</a> * <a href="#how_do_we_use_it_">how do we use it?</a>
* <a href="#summary_of_settings_in_RC_file">summary of settings in RC file</a> * <a href="#other_optimisations">other optimisations</a>
* <a href="#what_are_the_downsides_">what are the downsides?</a> * <a href="#what_are_the_downsides_">what are the downsides?</a>
* <a href="#extra_coolness_usergroups_and_LDAP_similar_tools">(extra coolness) usergroups and LDAP/similar tools</a> * <a href="#extra_coolness_usergroups_and_LDAP_similar_tools">(extra coolness) usergroups and LDAP/similar tools</a>
@ -107,8 +107,9 @@ Just set
$GL_BIG_CONFIG = 1; $GL_BIG_CONFIG = 1;
in the `~/.gitolite.rc` file on the server. When you do that, and push this in the `~/.gitolite.rc` file on the server (see next section for more
configuration, the compiled file looks like this: variables). When you do that, and push this configuration, the compiled file
looks like this:
%repos = ( %repos = (
'@wbr' => { '@wbr' => {
@ -142,23 +143,38 @@ configuration, the compiled file looks like this:
That's a lot smaller, and allows orders of magintude more repos and groups to That's a lot smaller, and allows orders of magintude more repos and groups to
be supported. be supported.
<a name="summary_of_settings_in_RC_file"></a> <a name="other_optimisations"></a>
### summary of settings in RC file ### other optimisations
The default RC file contains the following lines: The default RC file contains the following lines (we've already discussed the
first one):
$GL_BIG_CONFIG = 0; $GL_BIG_CONFIG = 0;
$GL_NO_DAEMON_NO_GITWEB = 0; $GL_NO_DAEMON_NO_GITWEB = 0;
$GL_NO_CREATE_REPOS = 0;
$GL_NO_SETUP_AUTHKEYS = 0;
The first setting means that by default, big-config is off; you can change it `GL_NO_DAEMON_NO_GITWEB` is a very useful optimisation that you *must* enable
to 1 to enable it. if you *do* have a large number of repositories, and do *not* use gitolite's
support for gitweb or git-daemon access (see "[easier to specify gitweb
description and gitweb/daemon access][gw]" for details). This will save a lot
of time when you push the gitolite-admin repo with changes. This variable
also control whether "git config" lines (such as `config hooks.emailprefix =
"[gitolite]"`) will be processed or not.
The second is a very useful optimisation that you *must* enable if you *do* Setting this is relatively harmless to a normal installation, unlike the next
have a large number of repositories, and do *not* use gitolite's support for two variables :-) `GL_NO_CREATE_REPOS` and `GL_NO_SETUP_AUTHKEYS` are meant
gitweb or git-daemon access (see "[easier to specify gitweb description and for installations where some backend system already exists that does all the
gitweb/daemon access][gw]" for details). This will save a lot of time when actual repo creation, and all the authentication setup (ssh auth keys),
you push the gitolite-admin repo with changes. respectively.
Summary: Please **leave those two variables alone** unless you're initials are
"JK" ;-)
Also note that using all 3 of the `GL_NO_*` variables will result in
*everything* after the config compile being skipped. In other words, gitolite
is being used **only** for its access control language.
[gw]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#gitweb [gw]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd#gitweb

35
src/gl-compile-conf
View file

@ -52,7 +52,7 @@ $Data::Dumper::Sortkeys = 1;
open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q'); open STDOUT, ">", "/dev/null" if (@ARGV and shift eq '-q');
# these are set by the "rc" file # these are set by the "rc" file
our ($GL_ADMINDIR, $GL_CONF, $GL_KEYDIR, $GL_CONF_COMPILED, $REPO_BASE, $REPO_UMASK, $PROJECTS_LIST, $GIT_PATH, $GL_WILDREPOS, $GL_GITCONFIG_KEYS, $GL_PACKAGE_HOOKS, $GL_BIG_CONFIG, $GL_NO_DAEMON_NO_GITWEB); our ($GL_ADMINDIR, $GL_CONF, $GL_KEYDIR, $GL_CONF_COMPILED, $REPO_BASE, $REPO_UMASK, $PROJECTS_LIST, $GIT_PATH, $GL_WILDREPOS, $GL_GITCONFIG_KEYS, $GL_PACKAGE_HOOKS, $GL_BIG_CONFIG, $GL_NO_DAEMON_NO_GITWEB, $GL_NO_CREATE_REPOS, $GL_NO_SETUP_AUTHKEYS);
# and these are set by gitolite.pm # and these are set by gitolite.pm
our ($REPONAME_PATT, $REPOPATT_PATT, $USERNAME_PATT, $AUTH_COMMAND, $AUTH_OPTIONS, $ABRT, $WARN); our ($REPONAME_PATT, $REPOPATT_PATT, $USERNAME_PATT, $AUTH_COMMAND, $AUTH_OPTIONS, $ABRT, $WARN);
@ -395,12 +395,15 @@ print $compiled_fh Data::Dumper->Dump([\%groups], [qw(*groups)]) if $GL_BIG_CONF
close $compiled_fh or die "$ABRT close compiled-conf failed: $!\n"; close $compiled_fh or die "$ABRT close compiled-conf failed: $!\n";
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# any new repos to be created? # (that ends the config file compiler and write)
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# modern gits allow cloning from an empty repo, so we just create it # ----------------------------------------------------------------------------
# what's the git version?
# ----------------------------------------------------------------------------
# we don't like stuff older than 1.6.2
# but it turns out not everyone has "modern" gits :)
my $git_version = `git --version`; my $git_version = `git --version`;
die " die "
*** ERROR *** *** ERROR ***
@ -418,11 +421,22 @@ die "\n\t\t***** AAARGH! *****\n" .
"\tthe newer features, please upgrade.\n" "\tthe newer features, please upgrade.\n"
if $git_version < 10602; # that's 1.6.2 to you if $git_version < 10602; # that's 1.6.2 to you
# ----------------------------------------------------------------------------
# the rest of this program can be "switched off"; see doc/big-config.mkd for
# details.
# ----------------------------------------------------------------------------
# ----------------------------------------------------------------------------
# any new repos to be created?
# ----------------------------------------------------------------------------
# repo-base needs to be an absolute path for this loop to work right # repo-base needs to be an absolute path for this loop to work right
# so if it was not already absolute, prefix $HOME. # so if it was not already absolute, prefix $HOME.
my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" ); my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE" );
{ unless ($GL_NO_CREATE_REPOS) {
wrap_chdir("$repo_base_abs"); wrap_chdir("$repo_base_abs");
# autocreate repos. Start with the ones that are normal repos in %repos # autocreate repos. Start with the ones that are normal repos in %repos
@ -460,6 +474,10 @@ my $repo_base_abs = ( $REPO_BASE =~ m(^/) ? $REPO_BASE : "$ENV{HOME}/$REPO_BASE"
# update repo configurations # update repo configurations
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# no gating required for this. If you don't have any "config" lines it won't
# run anyway. An example of a config line could be:
# config hooks.emailprefix = "[foo]"
for my $repo (keys %repo_config) { for my $repo (keys %repo_config) {
wrap_chdir("$repo_base_abs/$repo.git"); wrap_chdir("$repo_base_abs/$repo.git");
while ( my ($key, $value) = each(%{ $repo_config{$repo} }) ) { while ( my ($key, $value) = each(%{ $repo_config{$repo} }) ) {
@ -540,6 +558,9 @@ unless ($GL_NO_DAEMON_NO_GITWEB) {
# "compile" ssh authorized_keys # "compile" ssh authorized_keys
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
# NOTE: for now we assume that setting up authkeys is the LAST thing we do!
exit 0 if $GL_NO_SETUP_AUTHKEYS;
my $authkeys_fh = wrap_open( "<", $ENV{HOME} . "/.ssh/authorized_keys", my $authkeys_fh = wrap_open( "<", $ENV{HOME} . "/.ssh/authorized_keys",
"\tFor security reasons, gitolite will not *create* this file if it does\n" . "\tFor security reasons, gitolite will not *create* this file if it does\n" .
"\tnot already exist. Please see the \"admin\" document for details\n"); "\tnot already exist. Please see the \"admin\" document for details\n");
@ -620,3 +641,7 @@ system("cat $ENV{HOME}/.ssh/authorized_keys > $ENV{HOME}/.ssh/old_authkeys");
system("cat $ENV{HOME}/.ssh/new_authkeys > $ENV{HOME}/.ssh/authorized_keys") system("cat $ENV{HOME}/.ssh/new_authkeys > $ENV{HOME}/.ssh/authorized_keys")
and die "couldn't write authkeys file\n"; and die "couldn't write authkeys file\n";
system("rm $ENV{HOME}/.ssh/new_authkeys"); system("rm $ENV{HOME}/.ssh/new_authkeys");
# NOTE: if you're adding code here that is unrelated to setting up authkeys,
# remember that control may not reach here if a sysadm has set
# GL_NO_SETUP_AUTHKEYS in the rc file.