two months too late for towel day... but "dont-panic"!

gl-emergency-addkey replaced by totally new gl-dont-panic, which does
more (including recovering from a botched push, not just lost keys), is
cleaner, and works for all install methods
This commit is contained in:
Sitaram Chamarty 2010-07-25 03:23:59 +05:30
parent fbb9dafbd1
commit 4fa5442daa
4 changed files with 99 additions and 62 deletions

View file

@ -428,8 +428,8 @@ first place, so the simplest way is to enable it from the server side only.
If you lost the admin key, and need to re-establish ownership of the If you lost the admin key, and need to re-establish ownership of the
gitolite-admin repository with a fresh key, take a look at the gitolite-admin repository with a fresh key, take a look at the
`src/gl-emergency-addkey` program. You will need shell access to the server `src/gl-dont-panic` program. You will need shell access to the server of
of course. Run it without arguments to get instructions. course. Run it without arguments to get instructions.
<a name="simulating_ssh_copy_id"></a> <a name="simulating_ssh_copy_id"></a>

96
src/gl-dont-panic Executable file
View file

@ -0,0 +1,96 @@
#!/bin/sh
usage() {
cat <<EOF
First: DON'T PANIC
NOTE: This advice pertains to gitolite specific issues. If you don't
have ANY access to the server at all, it is OK to panic.
Step 1: prepare
- copy this program to your gitolite server
- if you lost your admin key, create a new keypair on your workstation
and copy the pub part of this new key also to the server
- rename it to whatever your gitolite admin username is, with a .pub
extension. (Example, I would call it "sitaram.pub")
Step 2: use one of the fixes below (on the server)
- (FIX #1: REWINDING BAD ADMIN COMMITS) if your last commit(s) to the
gitolite-admin repo pushed a very bad config and you want to rewind it
to a known good state, run this:
./gl-dont-panic rewind
(this doesn't actually rewind; it creates a new commit that has
the same state as the last good commit, which has the same effect)
- (FIX #2: PUSHING A NEW ADMIN KEY) if you lost your admin key, run this
with the new pubkey:
./gl-dont-panic sitaram.pub
Step 3: completing the fix (on your workstation)
- do a 'git pull' on the gitolite admin clone or make a fresh clone
EOF
exit 1
}
if [ -z "$1" ]
then
usage
fi
# ------------------------------------------------------------------------
# arg check
die() { echo "$@"; exit 1; }
cd $HOME # if he didn't *start* there, it's his bloody fault
[ -f "$1" ] || [ "$1" = "rewind" ] || die "need a valid file or 'rewind'"
if [ "$1" = "rewind" ]
then
:
else
bn1=`basename $1`;
admin_name=`basename $1 .pub`;
[ "$bn1" = "$admin_name" ] && die "filename needs to end in '.pub'"
fi
# ------------------------------------------------------------------------
# setup stuff
REPO_BASE=$( cd $HOME; perl -e 'do ".gitolite.rc"; print $REPO_BASE' )
GL_BINDIR=$( cd $HOME; perl -ne 'print($1), exit if /^command="(.*?)\/gl-auth-command /' < $HOME/.ssh/authorized_keys)
GL_ADMINDIR=$(cd $HOME; perl -e 'do ".gitolite.rc"; print $GL_ADMINDIR')
export REPO_BASE
export GL_BINDIR
export GL_ADMINDIR
TEMPDIR=$(mktemp -d)
export TEMPDIR
trap "/bin/rm -rf $TEMPDIR" 0
# ------------------------------------------------------------------------
# rewind the admin repo
if [ "$1" = "rewind" ]
then
git clone $REPO_BASE/gitolite-admin.git $TEMPDIR
cd $TEMPDIR
echo printing the previous 9 commits to the config; echo
git log --date=relative --format="%h %ar%x09%s" | perl -pe 'print "$.\t"'
echo; read -p 'please enter how many commits you want to rewind: ' n
good=`git rev-parse --short HEAD~$n`
git checkout -f $good .
git commit -m "emergency revert to $good"
GL_BYPASS_UPDATE_HOOK=1 git push
exit $?
fi
# ------------------------------------------------------------------------
# add/overwrite a key ($1)
git clone $REPO_BASE/gitolite-admin.git $TEMPDIR
cp $1 $TEMPDIR/keydir
cd $TEMPDIR
git add keydir
git commit -m "emergency add/update $admin_name key (from $1)"
GL_BYPASS_UPDATE_HOOK=1 git push
exit $?

View file

@ -1,59 +0,0 @@
#!/bin/sh
# Use this to re-establish gitolite admin access when admin key(s) are lost.
# RUN THIS ON THE SERVER, NOT THE CLIENT! (so you need shell access to the
# server; even with password is fine)
# HOW TO USE (substitute your admin name for "sitaram" below)
# - make yourself a new keypair on your workstation
# - copy the pubkey to the server, call it "sitaram.pub" and put it in $HOME
# - run this command:
# ~/.gitolite/src/gl-emergency-addkey sitaram emergency sitaram.pub
# this will add a new key called sitaram@emergency.pub. Since the "userid"
# that key pertains to is "sitaram", whoever has the private key for this now
# has the same rights as "sitaram"
# WARNING: ABSOLUTELY NO ARGUMENT CHECKING DONE
# WARNING: NEWER GITS ONLY ON SERVER SIDE (for now)
# ENDHELP
# we can't use this program unless it was installed using gl-easy-install
GL_PACKAGE_CONF=$( cd; perl -e 'do ".gitolite.rc"; print $GL_PACKAGE_CONF' )
if [ -n "$GL_PACKAGE_CONF" ]
then
cat <<EOF
This is not a "from-client method" install; you cannot add an emergency
key using this program.
Please do the following (change "sitaram" below to whatever your admin
username is):
- get your *new* public key to the server
- call it "sitaram.pub"; put it in \$HOME
- run "gl-setup \$HOME/sitaram.pub"
EOF
exit 1
fi
[ -z "$1" ] && { perl -pe "s(\\\$0)($0); last if /ENDHELP/" < $0; exit 1; }
set -e
cd
REPO_BASE=$( perl -e 'do ".gitolite.rc"; print $REPO_BASE' )
GL_ADMINDIR=$(perl -e 'do ".gitolite.rc"; print $GL_ADMINDIR')
cd; cd $GL_ADMINDIR/keydir; pwd
cp -v $3 $1@$2.pub
cd; cd $REPO_BASE/gitolite-admin.git; pwd
# XXX FIXME TODO -- fix this to work with older gits also
GIT_WORK_TREE=$GL_ADMINDIR git add keydir
GIT_WORK_TREE=$GL_ADMINDIR git commit -m "emergency add $1@$2.pub"
cd $GL_ADMINDIR
src/gl-compile-conf

View file

@ -103,7 +103,7 @@ if ( -d "gitolite-admin.git/hooks" ) {
} }
# fixup program renames # fixup program renames
for my $oldname qw(pta-hook.sh conf-convert.pl 00-easy-install.sh 99-emergency-addkey.sh install.pl update-hook.pl hooks/update ga-post-update-hook VERSION) { for my $oldname qw(pta-hook.sh conf-convert.pl 00-easy-install.sh 99-emergency-addkey.sh gl-emergency-addkey install.pl update-hook.pl hooks/update ga-post-update-hook VERSION) {
unlink "$GL_ADMINDIR/src/$oldname"; unlink "$GL_ADMINDIR/src/$oldname";
unlink "$ENV{HOME}/gitolite-install/src/$oldname"; unlink "$ENV{HOME}/gitolite-install/src/$oldname";
} }