33963391a5
the duplicate pubkey problem and the need to document it was highlighted by Ilari ...damn I spend more time on ssh than on git it seems to me :(
155 lines
6 KiB
Plaintext
155 lines
6 KiB
Plaintext
### pre-requisites
|
|
|
|
One of the big needs I'm trying to fill here is people who do not have root
|
|
access, permissions to create other userids, etc. This could be a typical
|
|
hosting provider type of thing, or -- in a corporate setting -- a very tightly
|
|
controlled server.
|
|
|
|
Gitosis-lite requires these:
|
|
|
|
* git itself, the more recent the better
|
|
* perl, typically installed with git, since git sort of needs it; any
|
|
version that includes `Data::Dumper`[1] will do.
|
|
* one user account on the server, with password access [2]
|
|
|
|
### quickinstall
|
|
|
|
I assume all the files pertaining to this software are untarred and available
|
|
in the current directory.
|
|
|
|
A quick install, taking all the defaults, can be done with the following
|
|
commands; just copy and paste them into your shell:
|
|
|
|
# this one is fixed to the location shown
|
|
cp example.gitosis-lite.rc ~/.gitosis-lite.rc
|
|
|
|
# the destinations below are defaults; if you change the paths in the "rc"
|
|
# file above, these destinations also must change accordingly
|
|
|
|
# mkdir $REPO_BASE, $GL_ADMINDIR, and $GL_KEYDIR
|
|
mkdir ~/repositories
|
|
mkdir ~/.gitosis-lite
|
|
mkdir ~/.gitosis-lite/keydir
|
|
|
|
# copy sample conf to $GL_CONF
|
|
cp example.conf ~/.gitosis-lite/gitosis-lite.conf
|
|
|
|
# copy the 3 programs to $GL_ADMINDIR
|
|
cp update-hook.pl ~/.gitosis-lite
|
|
cp gl-auth-command ~/.gitosis-lite
|
|
cp gl-compile-conf ~/.gitosis-lite
|
|
|
|
# optional; copy the documents also (if you untarred the package into a
|
|
# temporary directory and need to get rid of it)
|
|
cp INSTALL README.markdown ~/.gitosis-lite
|
|
|
|
### install notes
|
|
|
|
* At present the location of `~/.gitosis-lite.rc` is fixed (maybe later I'll
|
|
change it to a "git config" variable).
|
|
|
|
If you edit it and change any paths, be sure to keep the perl syntax --
|
|
you *don't* have to know perl to do so, it's fairly easy to guess in this
|
|
limited case. And of course, make sure you adjust the commands shown
|
|
above to suit the new locations
|
|
|
|
* the config file is (by default) at `~/.gitosis-lite/gitosis-lite.conf`.
|
|
Edit the file as you wish. The comments in the file ought to be clear
|
|
enough but let me know if not
|
|
|
|
* if you want to bring in existing (bare, server) repos into gitosis-lite,
|
|
this should work:
|
|
* backup the repo, then move it to `$BASE_REPO`
|
|
* copy `$GL_ADMINDIR/update-hook.pl` to `[reponame].git/hooks/update` --
|
|
if you don't do this, per branch restrictions will not work
|
|
* then update the keys and the config file and "compile"
|
|
|
|
### administer
|
|
|
|
* ask each user who will get access to send you a public key. See other
|
|
sources (for example
|
|
[here](http://sitaramc.github.com/0-installing/2-access-gitosis.html#generating_a_public_key))
|
|
for how to do this
|
|
* for each "user" in `$GL_CONF`, copy their public key to a file called
|
|
"user.pub" in `$GL_KEYDIR`
|
|
* edit the config file (`$GL_CONF`) to add the new users in whatever way you
|
|
like
|
|
* backup your `~/.ssh/authorized_keys` file if you feel nervous :-)
|
|
* cd to `$GL_ADMINDIR` and run `./gl-compile-conf`
|
|
|
|
#### optional -- if you want to be doubly sure
|
|
|
|
It should all work, but the first couple of times you may want to check these
|
|
|
|
* check the outputs
|
|
|
|
* `~/.ssh/authorized_keys` should contain one line for each "user" pub
|
|
key added, between two "marker" lines (which you should please please
|
|
not remove!). The line should contain a "command=" pointing to a
|
|
`$GL_ADMINDIR/gl-auth-command` file, then some sshd restrictions, the
|
|
key, etc.
|
|
* `$GL_CONF_COMPILED` (default
|
|
`~/.gitosis-lite/gitosis-lite.conf-compiled.pm`) should contain an
|
|
expanded list of the access control rules. It may look a little long,
|
|
but it's fairly intuitive!
|
|
|
|
* if the run threw up any "initialising empty repo" messages, check the
|
|
individual repos (inside `$REPO_BASE`) if you wish. Especially make sure
|
|
the `$REPO_BASE/[reponame].git/hooks/update` got copied OK and is
|
|
executable
|
|
|
|
### run
|
|
|
|
Just use it as normal. Every new repo mentioned has been created already, so
|
|
(as long as your clients are using git > 1.6.2), you can just clone it.
|
|
|
|
And once in a while, if you're feeling particularly BOFH-ish, take a look at
|
|
`$GL_ADMINDIR/log` :-)
|
|
|
|
### errors, warnings, etc
|
|
|
|
* when you clone an empty repo, git seems to complain about the remote
|
|
hanging up or something. I have no idea what that is, but it doesn't seem
|
|
to hurt anything. This happens even in normal git, not just gitosis-lite.
|
|
|
|
----
|
|
|
|
Footnotes:
|
|
|
|
[1] Actually, due to the way gitosis-lite is architected, you can manage
|
|
without `Data::Dumper` on the server if you have no choice. Only
|
|
`gl-compile-conf` needs it, so just run that on some other machine and copy
|
|
the two output files across. Cumbersome but doable... the advantage of
|
|
separating all the hard work into a manually-run piece :)
|
|
|
|
[2] If you have *only* pubkey access, and **no** password access, then your
|
|
pubkey is already in the server's `~/.ssh/authorized_keys`. If you also need
|
|
to access git as a developer (clone, push, etc), do *not* submit this same
|
|
pubkey to gitosis-lite -- it won't work.
|
|
|
|
Instead, create a different keypair for your "developer" role (by, e.g.,
|
|
`ssh-keygen -t rsa -f ~/.ssh/gitdev`), then give `~/.ssh/gitdev.pub` to
|
|
gitosis-lite as "yourname.pub", just like you would do for any other user.
|
|
|
|
Then you create a suitable `~/.ssh/config` to use the correct key
|
|
automatically, something like this:
|
|
|
|
host gitadm
|
|
hostname my.server
|
|
user my_userid_on_server
|
|
|
|
host gitdev
|
|
hostname my.server
|
|
user my_userid_on_server
|
|
identityfile ~/.ssh/gitdev
|
|
|
|
From now on, `ssh gitadm` will get you a command line on the server, to do
|
|
gitosis-lite admin and other work. And your repository URLs would look like
|
|
`gitdev:reponame.git`. Very, very, simple...
|
|
|
|
And as with gitosis, there's more "ssh" magic than "git" magic here :-)
|
|
|
|
----
|
|
|
|
gitosis-lite is released under the GPL v2 license. See COPYING for details
|