two months too late for towel day... but "dont-panic"!
gl-emergency-addkey replaced by totally new gl-dont-panic, which does more (including recovering from a botched push, not just lost keys), is cleaner, and works for all install methods
This commit is contained in:
parent
fbb9dafbd1
commit
4fa5442daa
|
@ -428,8 +428,8 @@ first place, so the simplest way is to enable it from the server side only.
|
||||||
|
|
||||||
If you lost the admin key, and need to re-establish ownership of the
|
If you lost the admin key, and need to re-establish ownership of the
|
||||||
gitolite-admin repository with a fresh key, take a look at the
|
gitolite-admin repository with a fresh key, take a look at the
|
||||||
`src/gl-emergency-addkey` program. You will need shell access to the server
|
`src/gl-dont-panic` program. You will need shell access to the server of
|
||||||
of course. Run it without arguments to get instructions.
|
course. Run it without arguments to get instructions.
|
||||||
|
|
||||||
<a name="simulating_ssh_copy_id"></a>
|
<a name="simulating_ssh_copy_id"></a>
|
||||||
|
|
||||||
|
|
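--- /dev/null
+++ b/src/gl-dont-panic
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+usage() {
+cat <<EOF
+First: DON'T PANIC
+NOTE: This advice pertains to gitolite specific issues. If you don't
+have ANY access to the server at all, it is OK to panic.
+
+Step 1: prepare
+
+- copy this program to your gitolite server
+- if you lost your admin key, create a new keypair on your workstation
+and copy the pub part of this new key also to the server
+- rename it to whatever your gitolite admin username is, with a .pub
+extension. (Example, I would call it "sitaram.pub")
+
+Step 2: use one of the fixes below (on the server)
+
+- (FIX #1: REWINDING BAD ADMIN COMMITS) if your last commit(s) to the
+gitolite-admin repo pushed a very bad config and you want to rewind it
+to a known good state, run this:
+./gl-dont-panic rewind
+(this doesn't actually rewind; it creates a new commit that has
+the same state as the last good commit, which has the same effect)
+
+- (FIX #2: PUSHING A NEW ADMIN KEY) if you lost your admin key, run this
+with the new pubkey:
+./gl-dont-panic sitaram.pub
+
+Step 3: completing the fix (on your workstation)
+
+- do a 'git pull' on the gitolite admin clone or make a fresh clone
+EOF
+exit 1
+}
+
+if [ -z "$1" ]
+then
+usage
+fi
+
+# ------------------------------------------------------------------------
+# arg check
+die() { echo "$@"; exit 1; }
+cd $HOME # if he didn't *start* there, it's his bloody fault
+[ -f "$1" ] || [ "$1" = "rewind" ] || die "need a valid file or 'rewind'"
+if [ "$1" = "rewind" ]
+then
+:
+else
+bn1=`basename $1`;
+admin_name=`basename $1 .pub`;
+[ "$bn1" = "$admin_name" ] && die "filename needs to end in '.pub'"
+fi
+
+# ------------------------------------------------------------------------
+# setup stuff
+REPO_BASE=$( cd $HOME; perl -e 'do ".gitolite.rc"; print $REPO_BASE' )
+GL_BINDIR=$( cd $HOME; perl -ne 'print($1), exit if /^command="(.*?)\/gl-auth-command /' < $HOME/.ssh/authorized_keys)
+GL_ADMINDIR=$(cd $HOME; perl -e 'do ".gitolite.rc"; print $GL_ADMINDIR')
+export REPO_BASE
+export GL_BINDIR
+export GL_ADMINDIR
+
+TEMPDIR=$(mktemp -d)
+export TEMPDIR
+trap "/bin/rm -rf $TEMPDIR" 0
+
+# ------------------------------------------------------------------------
+# rewind the admin repo
+if [ "$1" = "rewind" ]
+then
+git clone $REPO_BASE/gitolite-admin.git $TEMPDIR
+cd $TEMPDIR
+
+echo printing the previous 9 commits to the config; echo
+git log --date=relative --format="%h %ar%x09%s" | perl -pe 'print "$.\t"'
+echo; read -p 'please enter how many commits you want to rewind: ' n
+good=`git rev-parse --short HEAD~$n`
+
+git checkout -f $good .
+git commit -m "emergency revert to $good"
+GL_BYPASS_UPDATE_HOOK=1 git push
+
+exit $?
+fi
+
+# ------------------------------------------------------------------------
+# add/overwrite a key ($1)
+git clone $REPO_BASE/gitolite-admin.git $TEMPDIR
+cp $1 $TEMPDIR/keydir
+cd $TEMPDIR
+git add keydir
+git commit -m "emergency add/update $admin_name key (from $1)"
+GL_BYPASS_UPDATE_HOOK=1 git push
+exit $?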
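Review bot: The rewind path's interactive step (`read -p '…' n` followed by `good=\`git rev-parse --short HEAD~$n\``) never validates `n` and never checks that rev-parse succeeded, so an empty or non-numeric answer leaves `$good` empty and `git checkout -f $good .` silently becomes `git checkout -f .`, followed by an "emergency revert to " commit and a hook-bypassing push of nothing useful; `read -p` is also a bash extension that fails outright under a dash `/bin/sh`, which is what this `#!/bin/sh` script gets on Debian-family servers. I would replace those two lines with `printf 'please enter how many commits you want to rewind: '; read n`, `case "$n" in ''|*[!0-9]*) die "need a non-negative number";; esac` and `good=$(git rev-parse --short "HEAD~$n") || die "no commit at HEAD~$n"`. The removed gl-emergency-addkey ran under `set -e`, but this script does not and checks none of `mktemp -d`, `git clone` or `git commit`, so a failed clone in either branch still runs the remaining git commands, including `GL_BYPASS_UPDATE_HOOK=1 git push`, from the temp dir; adding `set -e` after the arg-check block would restore the old behaviour. Note also that `echo printing the previous 9 commits to the config` is followed by an unlimited `git log`; `git log -9 --date=relative …` would match the message.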
@ -1,59 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Use this to re-establish gitolite admin access when admin key(s) are lost.
|
|
||||||
|
|
||||||
# RUN THIS ON THE SERVER, NOT THE CLIENT! (so you need shell access to the
|
|
||||||
# server; even with password is fine)
|
|
||||||
|
|
||||||
# HOW TO USE (substitute your admin name for "sitaram" below)
|
|
||||||
# - make yourself a new keypair on your workstation
|
|
||||||
# - copy the pubkey to the server, call it "sitaram.pub" and put it in $HOME
|
|
||||||
# - run this command:
|
|
||||||
# ~/.gitolite/src/gl-emergency-addkey sitaram emergency sitaram.pub
|
|
||||||
|
|
||||||
# this will add a new key called sitaram@emergency.pub. Since the "userid"
|
|
||||||
# that key pertains to is "sitaram", whoever has the private key for this now
|
|
||||||
# has the same rights as "sitaram"
|
|
||||||
|
|
||||||
# WARNING: ABSOLUTELY NO ARGUMENT CHECKING DONE
|
|
||||||
# WARNING: NEWER GITS ONLY ON SERVER SIDE (for now)
|
|
||||||
|
|
||||||
# ENDHELP
|
|
||||||
|
|
||||||
# we can't use this program unless it was installed using gl-easy-install
|
|
||||||
GL_PACKAGE_CONF=$( cd; perl -e 'do ".gitolite.rc"; print $GL_PACKAGE_CONF' )
|
|
||||||
if [ -n "$GL_PACKAGE_CONF" ]
|
|
||||||
then
|
|
||||||
cat <<EOF
|
|
||||||
This is not a "from-client method" install; you cannot add an emergency
|
|
||||||
key using this program.
|
|
||||||
|
|
||||||
Please do the following (change "sitaram" below to whatever your admin
|
|
||||||
username is):
|
|
||||||
|
|
||||||
- get your *new* public key to the server
|
|
||||||
- call it "sitaram.pub"; put it in \$HOME
|
|
||||||
- run "gl-setup \$HOME/sitaram.pub"
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -z "$1" ] && { perl -pe "s(\\\$0)($0); last if /ENDHELP/" < $0; exit 1; }
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
cd
|
|
||||||
|
|
||||||
REPO_BASE=$( perl -e 'do ".gitolite.rc"; print $REPO_BASE' )
|
|
||||||
GL_ADMINDIR=$(perl -e 'do ".gitolite.rc"; print $GL_ADMINDIR')
|
|
||||||
|
|
||||||
cd; cd $GL_ADMINDIR/keydir; pwd
|
|
||||||
cp -v $3 $1@$2.pub
|
|
||||||
|
|
||||||
cd; cd $REPO_BASE/gitolite-admin.git; pwd
|
|
||||||
# XXX FIXME TODO -- fix this to work with older gits also
|
|
||||||
GIT_WORK_TREE=$GL_ADMINDIR git add keydir
|
|
||||||
GIT_WORK_TREE=$GL_ADMINDIR git commit -m "emergency add $1@$2.pub"
|
|
||||||
|
|
||||||
cd $GL_ADMINDIR
|
|
||||||
src/gl-compile-conf
|
|
|
@ -103,7 +103,7 @@ if ( -d "gitolite-admin.git/hooks" ) {
|
||||||
}
|
}
|
||||||
|
|
||||||
# fixup program renames
|
# fixup program renames
|
||||||
for my $oldname qw(pta-hook.sh conf-convert.pl 00-easy-install.sh 99-emergency-addkey.sh install.pl update-hook.pl hooks/update ga-post-update-hook VERSION) {
|
for my $oldname qw(pta-hook.sh conf-convert.pl 00-easy-install.sh 99-emergency-addkey.sh gl-emergency-addkey install.pl update-hook.pl hooks/update ga-post-update-hook VERSION) {
|
||||||
unlink "$GL_ADMINDIR/src/$oldname";
|
unlink "$GL_ADMINDIR/src/$oldname";
|
||||||
unlink "$ENV{HOME}/gitolite-install/src/$oldname";
|
unlink "$ENV{HOME}/gitolite-install/src/$oldname";
|
||||||
}
|
}
|
||||||
|
|