Friday, April 15, 2011

Gitolite - Gitweb Installation and Integration

What is Gitolite?


Gitolite is used to authorize users to read from and write to git repositories (or specific branches/tags within them). Gitolite should be installed on the server where apache2 (in our case) serves the git repositories.


Here is an excerpt from the Pro Git book (see the Pro Git book for the full chapter):


Git has started to become very popular in corporate environments, which tend to have some additional requirements in terms of access control. Gitolite was originally created to help with those requirements, but it turns out that it’s equally useful in the open source world: the Fedora Project controls access to their package management repositories (over 10,000 of them!) using gitolite, and this is probably the largest gitolite installation anywhere too.


Gitolite allows you to specify permissions not just by repository, but also by branch or tag names within each repository. That is, you can specify that certain people (or groups of people) can only push certain “refs” (branches or tags) but not others.


Installing Gitolite


Go to the folder apache2 serves from. On Ubuntu and Fedora this is generally /var/www; if it is different on your server, adjust the directions accordingly. The location of "git-http-backend" may also differ on your system ("/usr/libexec/git-core/git-http-backend" is used in the following lines); locate "git-http-backend" on your system and replace the path as well. "git-http-backend" comes with the "git" installation.


Run the following commands (do not forget to replace /var/www and /usr/libexec/git-core/git-http-backend if they are different on your system):


It will be easier if you run these as the super-user (root) and then modify file/folder permissions according to your system (for example you may want to change ownership of all of /var/www to apache or www-data, depending on your system).


(This is summarized from Gitolite Docs)


# Shell: run as root (or a user that can write under /var/www)
cd /var/www
mkdir gitolite-home
export GITOLITE_HTTP_HOME
GITOLITE_HTTP_HOME=/var/www/gitolite-home
PATH=$PATH:$GITOLITE_HTTP_HOME/bin

cd gitolite-home
git clone https://github.com/sitaramc/gitolite.git gitolite-source

cd gitolite-source
GHH=$GITOLITE_HTTP_HOME
mkdir -p              $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks
src/gl-system-install $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks

# The next two lines are Perl, not shell: add them to the gitolite rc file
# (example.gitolite.rc under $GHH/share/gitolite/conf, installed just above,
# which gl-setup uses as the template for the gitolite user's ~/.gitolite.rc)
# before running gl-setup.
$ENV{GIT_HTTP_BACKEND} = "/usr/libexec/git-core/git-http-backend";
    # or wherever you have that file; note: NO trailing slash
$ENV{PATH} .= ":$ENV{GITOLITE_HTTP_HOME}/bin";
    # note the ".=" here, not "="

# Back in the shell. gitadmin is a user name we chose; you can use any name,
# but the examples below depend on it.
gl-setup gitadmin

# The web server user may be apache, www-data or something else on your system.
# The tree must be readable, writable and executable by httpd.
# This is not related to the gitolite installation itself.
chown -R apache:apache $GITOLITE_HTTP_HOME

Now we need to update the apache2 configuration. Where you put this configuration is up to you; in our tests we created a git.conf file and included it from httpd.conf (on some systems it is called apache2.conf):


Please note that if you used a path different from /var/www in the directions above, you need to replace it here as well.


Config for gitolite that must be included in the apache2 configuration:
SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories
SetEnv GIT_HTTP_EXPORT_ALL
    # please see notes below on ssh+http access
ScriptAlias /git/ /var/www/gitolite-home/bin/gl-auth-command/
    # note trailing slash

SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home

<Location /git>
    AuthType Basic
    AuthName "Private Git Access"
    Require valid-user
    AuthUserFile /path/to/some/passwdfile
</Location>

/path/to/some/passwdfile is a standard password file generated with htpasswd. Keep it outside any directory Apache serves (for example outside /var/www) so it can never be downloaded, and remember that Basic authentication sends the password on every request in a trivially decoded form, so the site should be served over HTTPS.

You must at least add a user for "gitadmin" (remember we ran gl-setup with that user name). Please note that this authentication system will be replaced by LDAP later on. The -b option takes the password on the command line, which leaves it in your shell history; omit -b to be prompted for it instead.


htpasswd -b -c /path/to/some/passwdfile gitadmin secret123
htpasswd -b /path/to/some/passwdfile kaan secret456

After restarting apache2 you should be able to clone over http with git clone http://user:password@server/git/reponame.git (putting the password in the URL is fine for a quick test, but it ends up in your shell history and in the clone's .git/config, so normally let git prompt for it).

This configuration forces the user to log in via the HTTP authentication mechanism; if the user passes validation (enters the correct password), the authenticated user name is passed to the CGI script as an environment variable ($GL_USER) and gitolite uses it to determine permissions according to its own config file.

You can immediately check out *gitolite-admin.git*, change the authorization settings (add new users to the config, grant users/groups access to new repositories/branches, etc.; see Gitolite Configuration at http://progit.org/book/ch4-8.html for details), then commit and push to activate the changes.

Please note that users in the gitolite configuration must also exist in the HTTP authentication mechanism (in our case the htpasswd file, later LDAP).
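As an added example (not code from the original post or from gitolite itself), here is a Python check for the requirement just stated: every user named in gitolite.conf must also exist in the htpasswd file Apache uses, otherwise that user can never authenticate, while an htpasswd user named in no rule can log in only to be refused. The embedded gitolite.conf also serves as a worked sample of the per-branch and per-tag rules the Pro Git excerpt above describes (RW = push without rewind, RW+ = force-push allowed, - = explicit deny, rules matched in order). The conf and htpasswd contents are constructed, and the hash values are placeholders, not real apr1 digests.

```python
"""Cross-check the users named in a gitolite.conf against an htpasswd file.

Added example, not code from the original post or from gitolite.
Apache (htpasswd) decides *who* a request is; gitolite decides what that
name may do, so the two user lists must agree.  Sample data is constructed.
"""
import re

# Names gitolite treats specially; they are not HTTP login names.
SPECIAL_USERS = {"gitweb", "daemon", "@all"}

SAMPLE_GITOLITE_CONF = """\
@admins   = gitadmin
@devs     = kaan alice
@release  = alice

repo gitolite-admin
    RW+                   = @admins

repo project1
    RW+                   = @admins
    RW   master           = @devs     # devs may push master, but not rewind it
    RW+  refs/heads/dev/  = @devs     # devs may force-push their own dev/ branches
    RW   refs/tags/v[0-9] = @release  # only release managers create version tags
    -    refs/tags/       = @devs     # explicit deny; rules are matched in order
    R                     = gitweb bob  # gitweb listing plus a read-only user
"""

# Constructed htpasswd file, one "user:hash" per line; hashes are placeholders.
SAMPLE_HTPASSWD = """\
gitadmin:$apr1$PLACEHOLDER$hash-of-secret123
kaan:$apr1$PLACEHOLDER$hash-of-secret456
alice:$apr1$PLACEHOLDER$hash-of-alice-pw
"""

PERM_LINE = re.compile(r"^(RW\+?[CD]*|R|-)\s+(\S*?)\s*=\s*(.*)$")
GROUP_LINE = re.compile(r"^(@\S+)\s*=\s*(.*)$")


def parse_gitolite_conf(text):
    """Return (groups, repos): '@name' -> members as written, and
    repo name -> set of users/groups appearing in any of its rules."""
    groups, repos, current = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = GROUP_LINE.match(line)
        if m:
            groups.setdefault(m.group(1), set()).update(m.group(2).split())
            continue
        if line.startswith("repo "):
            current = line.split()[1:]
            for r in current:
                repos.setdefault(r, set())
            continue
        m = PERM_LINE.match(line)
        if m and current:
            for r in current:
                repos[r].update(m.group(3).split())
    return groups, repos


def expand(name, groups, seen=None):
    """Expand a user or @group name into the set of concrete user names."""
    if seen is None:
        seen = set()
    if not name.startswith("@"):
        return {name}
    if name in seen or name not in groups:        # cycle or undefined group
        return set()
    seen.add(name)
    out = set()
    for member in groups[name]:
        out |= expand(member, groups, seen)
    return out


def parse_htpasswd(text):
    """Return the set of login names in htpasswd text (user:hash per line)."""
    return {
        line.split(":", 1)[0]
        for line in (l.strip() for l in text.splitlines())
        if line and not line.startswith("#") and ":" in line
    }


def check_users(conf_text, htpasswd_text):
    """Return (missing, unused): gitolite users with no htpasswd entry,
    and htpasswd users that no gitolite rule names."""
    groups, repos = parse_gitolite_conf(conf_text)
    referenced = set()
    for members in repos.values():
        for name in members - SPECIAL_USERS:
            referenced |= expand(name, groups)
    logins = parse_htpasswd(htpasswd_text)
    return sorted(referenced - logins), sorted(logins - referenced)


if __name__ == "__main__":
    missing, unused = check_users(SAMPLE_GITOLITE_CONF, SAMPLE_HTPASSWD)
    print("named in gitolite.conf but cannot log in:", missing)   # ['bob']
    print("can log in but named in no gitolite rule:", unused)    # []
```

Run it as-is to see the report for the constructed sample; to check a real installation, read conf/gitolite.conf from your clone of gitolite-admin and your htpasswd file into the two arguments of check_users. Repo groups and the special names gitweb, daemon and @all are skipped on purpose, since they never correspond to an HTTP login.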


Gitweb Installation and Gitolite Integration


This is pretty easy to set up.

First of all you need the gitweb source. You may already have it; try to locate it on your system with locate "*gitweb*", or get it from git's own source tree with git clone git://git.kernel.org/pub/scm/git/git.git. On Ubuntu you can install it via Synaptic.

When you have located "gitweb", copy it under "/var/www/gitweb" (again, this may differ on your system).

Include the following lines in your apache configuration file. Again, the exact file depends on your system.

<VirtualHost *:80>
    ServerName gitserver
    DocumentRoot /var/www/gitweb
    <Directory /var/www/gitweb>
        # every Options entry must carry + or - (mixing forms is an Apache syntax error)
        Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride All
        Order allow,deny
        Allow from all
        AddHandler cgi-script cgi
        DirectoryIndex gitweb.cgi
        AuthType Basic
        AuthName "Private Git Access"
        Require valid-user
        AuthUserFile /path/to/some/passwdfile
    </Directory>
</VirtualHost>

With this setting gitweb uses the same HTTP authentication mechanism that gitolite uses; both use the "/path/to/some/passwdfile" htpasswd file. If you change the httpd authentication (for example to LDAP), you need to change the settings for both gitolite and gitweb. Now we must ensure that, after HTTP authentication, gitweb only lists and serves the repositories (or branches/tags) the logged-in user may see according to the gitolite permission configuration:


Find the "gitweb.conf" config file and make sure that the project root points at the correct repositories (the ones gitolite is serving):


Please note that there are two gitweb.conf files. One comes with gitweb; this is the one we are referring to now. The other comes with the gitolite installation and we refer to it by its full path "/var/www/gitolite-home/gitolite-source/contrib/gitweb/gitweb.conf". We will include the latter from gitweb's gitweb.conf.


$projectroot = "/var/www/gitolite-home/repositories"; 

At the end of the same file you must include a configuration file that exists in the gitolite path (it was already there with the gitolite installation). This include makes gitweb serve only the repositories visible to users who have permission:


Last line of gitweb.conf:

require "/var/www/gitolite-home/gitolite-source/contrib/gitweb/gitweb.conf"; 

And in that included gitolite gitweb.conf you must make sure that $gl_home points at the gitolite home:


# HOME of the gitolite user
my $gl_home = $ENV{HOME} = "/var/www/gitolite-home"; 
