Gitolite installation with gitweb and anongit in Gentoo and Debian

Introduction

My second howto article is again about a Version Control System, but this time for Git. My previous article about setting up SVN (and expanding it with a Gorg installation for easier management of Gentoo translations) described a way to have virtual SVN users without giving them shell access to the box. In this article I’m going to describe in detail how to install gitolite, a really cool piece of software that works on top of git and provides centralized administration of ACLs and git repository management (any gitosis user should migrate to gitolite ASAP; the gitosis project is dead). All the needed config files are in a private git repository called gitolite-admin, so even the gitolite administrators shouldn’t have shell access (how cool is that?). The official website is here, which also contains Installation and Administration instructions. The guide below is going to be very distro-specific; I hope it will be helpful. A big thank you to Christian Ruppert (Gentoo sysadmin) for his precious help.

The Debian way

It took me a while to install it on the Debian server, as I am too unfamiliar with the distro (and maybe too familiar with the Gentoo way of doing things, which confuses me even more when trying to find configs and stuff). The Debian server I maintain hosts my college’s Linux Team website and related things. It runs Lenny, and since there is no .deb package for Lenny, I chose to manually use the .deb file from Squeeze (the other possible solution would be to install it with the apt-pinning method for testing). This package depends on non-Lenny git and other packages, so I had to use the lenny-backports branch for them. A small update: gitolite is now available in lenny-backports as well, which simplifies things a bit, so I’m going to describe it that way. According to the backports webpage, the packages are secure and can get regular updates as well.

First we install lenny-backports following the instructions here. Then we install the following packages:

apt-get -t lenny-backports install gitweb git-daemon-run gitolite

The git-daemon-run package will install a gitlog and a gitdaemon user, and gitolite will install a gitolite user (which can be changed). In order to proceed with the gitolite installation, I assume you already own a public ssh key. Upload that to the server, for example in /tmp/id_dsa.pub and hit the following command:

sudo -H -u gitolite gl-setup /tmp/id_dsa.pub

The config file of gitolite will show up. The default configs are usually fine, but there are plenty of comments in case you would like to tweak it a bit. The only line I changed was:

$REPO_UMASK = 0027;         # gets you 'rwxr-x---'

…in order to make the contents of the repos inaccessible to other shell users. Now, /var/lib/gitolite should contain the .gitolite.rc config file and the repositories/ dir with the gitolite-admin and a testing repo. Logs (by default) are stored under /var/lib/gitolite/.gitolite/logs/.

Next stop: gitweb. The apache conf is already installed in /etc/apache2/conf.d/gitweb; the actual config file can be found in /etc/gitweb.conf. A sample:

# path to git projects (.git)
$projectroot = "/var/lib/gitolite/repositories";
# directory to use for temp files
#$git_temp = "/tmp";
# target of the home link on top of all pages
$home_link_str = "linuxteam";
$site_name = "Linux Team Git Repositories";
# html text to include at home page
#$home_text = "index.html";
# file with project list; by default, simply scan the projectroot dir.
$projects_list = "/var/lib/gitolite/projects.list";
# stylesheet to use
$stylesheet = "/gitweb/gitweb.css";
# logo to use
$logo = "/gitweb/git-logo.png";
# the 'favicon'
$favicon = "/gitweb/git-favicon.png";
# This lets it make the URLs you see in the header
@git_base_url_list = ( 'git://linuxteam.cs.teilar.gr', 'git+ssh://git@linuxteam.cs.teilar.gr' );
# This prevents gitweb from showing hidden repositories
$export_ok = "git-daemon-export-ok";
$strict_export = 1;

If you didn’t give any read permissions to others, you’ll need to add the www-data user to the gitolite group, or else gitweb won’t be able to access the repositories.

usermod -a -G gitolite www-data

Last stop: git daemon for anonymous access. gitolite.conf prevents gitosis and gitweb access for everyone. Again, if others don’t have read permissions on the repositories dir, the gitdaemon user has to be added to the gitolite group. You may need to tweak the run script a bit; it is located at /etc/sv/git-daemon/run:

#!/bin/sh
exec 2>&1
echo 'git-daemon starting.'
exec chpst -ugitdaemon \
  "$(git --exec-path)"/git-daemon --verbose --base-path=/var/lib/gitolite/repositories

In my case, the above config wasn’t working, and after some search I found the following problem:

linuxteam ~ # id gitdaemon
uid=108(gitdaemon) gid=65534(nogroup) groups=65534(nogroup),110(gitolite)
linuxteam ~ # chpst -ugitdaemon id
uid=108(gitdaemon) gid=65534(nogroup) groups=65534(nogroup)

In order to get it working, I had to remove the chpst -ugitdaemon part from the command. I didn’t do an extensive search on it, any help is appreciated. The service should be started, and put in autostart, but there was no init script, and the service was controlled with the sv command:

sv start git-daemon

No idea how this works, and I couldn’t find enough documentation for it, but the process starts automatically on boot. Any help will be appreciated here as well. And that’s all we had to do on the server side, you can now continue with the Client Side part.
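
Added example, not part of the original post: chpst -uUSER sets only the user's uid and primary gid, which is why the id output above loses the gitolite group, and a run script with no chpst -u leaves git-daemon running as root, since runit starts services as root. The check below classifies a run script by the identity git-daemon ends up with; the sample file names and verdict strings are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): classify how a runit run
# script launches git-daemon. Prints one of:
#   root | primary-group-only | explicit-groups | no-git-daemon
audit_run_script() {
    # Join backslash-continued lines, drop comments, keep the launch line.
    cmd=$(awk '{ if (sub(/\\$/, "")) printf "%s ", $0; else print }' "$1" |
          grep -v '^[[:space:]]*#' | grep '/git-daemon' | head -n 1)
    if [ -z "$cmd" ]; then echo no-git-daemon; return 0; fi
    uarg="" seen_chpst=0
    set -f                      # no globbing while splitting the command
    for word in $cmd; do
        case $word in
            chpst|*/chpst) seen_chpst=1 ;;
            */git-daemon)  break ;;
            # Assumes the attached -uUSER form used by the packaged script.
            -u*) if [ "$seen_chpst" -eq 1 ]; then uarg=${word#-u}; fi ;;
        esac
    done
    set +f
    uarg=${uarg#:}              # a leading ':' only selects numeric ids
    case $uarg in
        "")  echo root ;;                 # nothing drops privileges
        *:*) echo explicit-groups ;;      # -uUSER:GROUP[:GROUP...]
        *)   echo primary-group-only ;;   # supplementary groups are not set
    esac
}

# Constructed samples: the run script from the post and two edits of it.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/packaged" <<'EOF'
#!/bin/sh
exec 2>&1
echo 'git-daemon starting.'
exec chpst -ugitdaemon \
  "$(git --exec-path)"/git-daemon --verbose --base-path=/var/lib/gitolite/repositories
EOF
sed 's/chpst -ugitdaemon //' "$demo_dir/packaged" > "$demo_dir/chpst-removed"
sed 's/-ugitdaemon/&:gitolite/' "$demo_dir/packaged" > "$demo_dir/with-group"
for f in packaged chpst-removed with-group; do
    printf '%-14s %s\n' "$f" "$(audit_run_script "$demo_dir/$f")"
done
```

On the Debian host the same function can be pointed at /etc/sv/git-daemon/run.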

The Gentoo way

(Text duplication to follow :) )

EDIT: The following text has been updated a bit to catch up with recent changes

For Gentoo, things are a bit different. The git daemon and gitweb are inside the dev-vcs/git package, following upstream. At the moment there is no gitolite ebuild, but there is a dev-vcs/gitolite-gentoo one that contains two patches, one accepted by upstream, and I don’t know the status of the other :P The ebuild is perfectly safe to use, or you could wait a few days for Ramereth to upload a vanilla one. EDIT: There is dev-vcs/gitolite in tree for some time, please use that instead. The gentoo overlays are moving from gitosis to gitolite this week, too. Anyway, let’s begin: first the installation:

emerge -av gitolite

A gitolite git user will be created, with /var/lib/gitolite as its home folder, but no gitdaemon user will be created; that has to be done manually:

useradd -g git -G git -s /sbin/nologin -d /dev/null gitdaemon

In order to proceed with the gitolite installation, I assume you already own a public ssh key. Upload that to the server, for example in /tmp/id_dsa.pub and hit the following command:

sudo -H -u git gl-setup /tmp/id_dsa.pub

The config file of gitolite will show up. The default configs are usually fine, but there are plenty of comments in case you would like to tweak it a bit. The only line I changed was:

$REPO_UMASK = 0027;         # gets you 'rwxr-x---'

…in order to make the contents of the repos inaccessible to other shell users. Now, /var/lib/gitolite should contain the .gitolite.rc config file and the repositories/ dir with the gitolite-admin and a testing repo. Logs (by default) are stored under /var/lib/gitolite/.gitolite/logs/.

Next stop: gitweb. You should create a vhost file for apache, here is the <Directory> part of mine:

        AllowOverride All
        Options +FollowSymLinks +ExecCGI
        Order allow,deny
        Allow from all
        DirectoryIndex gitweb.cgi
        SetEnv GITWEB_CONFIG "/etc/git/config.pl"
        AddHandler cgi-script .cgi

…and a sample /etc/git/config.pl file, the config file for gitweb (err, I erased the comments, check the above debian config, pretty much the vars are the same):

$projectroot = '/var/lib/gitolite/repositories/';
$site_name = "Gentoo Greek Community Git Repos";
$fallback_encoding = 'utf-8';
$projects_list = '/var/lib/gitolite/projects.list';
@git_base_url_list = ( 'git://git.gentoo-el.org' , 'git+ssh://git@git.gentoo-el.org' );
$home_link_str = 'gentoo-el';
$export_ok = "git-daemon-export-ok";
$strict_export = 1;

If you didn’t give any read permissions to others, you’ll need to add the apache user to the gitolite group, or else gitweb won’t be able to access the repositories.

usermod -a -G git apache

Last stop: git daemon for anonymous access. gitolite.conf prevents gitosis and gitweb access for everyone. Again, if others don’t have read permissions on the repositories dir, the gitdaemon user has to be added to the gitolite group. Open the /etc/conf.d/git-daemon file, and make the following changes:

GITDAEMON_OPTS="--syslog --verbose --base-path=/var/lib/gitolite/repositories"
GIT_USER="gitdaemon"
GIT_GROUP="git"

…and start the service and add it to the default runlevel:

/etc/init.d/git-daemon start
rc-update add git-daemon default

That’s all folks.
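
Added example, not part of the original post, and applicable to both the Debian and the Gentoo setup above: an audit that reports, per repository, whether git-daemon would serve it (git-daemon-export-ok present, since the daemon runs without --export-all), whether gitweb would show it ($export_ok together with $strict_export and $projects_list), and whether REPO_UMASK left any permission bits for other shell users. The sample tree, repository names and output format are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). For every repository under
# $projectroot, report what the gitweb and git-daemon settings expose.
# usage: audit_exposure <repositories-dir> <projects.list>
audit_exposure() {
    root=${1%/} list=$2
    find "$root" -type d -name '*.git' -prune | sort | while read -r repo; do
        name=${repo#"$root"/}
        anongit=no gitweb=no other=no
        # git-daemon (no --export-all) and gitweb's $export_ok both key on
        # this marker file.
        if [ -e "$repo/git-daemon-export-ok" ]; then
            anongit=yes
            # $strict_export = 1: gitweb also needs an entry in $projects_list
            # (first field of each line is the repository path).
            if awk -v n="$name" '$1 == n { hit = 1 } END { exit !hit }' "$list"; then
                gitweb=yes
            fi
        fi
        # REPO_UMASK = 0027 should leave no bits for "other" (rwxr-x---).
        # Only the top-level repository directory is checked here.
        case $(ls -ld "$repo") in
            ???????---*) ;;
            *) other=yes ;;
        esac
        echo "$name anongit=$anongit gitweb=$gitweb other-access=$other"
    done
}

# Constructed sample tree standing in for /var/lib/gitolite.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
for r in gitolite-admin testing internal legacy; do
    mkdir -p "$demo/repositories/$r.git"
    chmod 750 "$demo/repositories/$r.git"
done
touch "$demo/repositories/testing.git/git-daemon-export-ok" \
      "$demo/repositories/internal.git/git-daemon-export-ok"
chmod 755 "$demo/repositories/legacy.git"   # e.g. created before the umask change
printf '%s\n' 'testing.git' > "$demo/projects.list"
audit_exposure "$demo/repositories" "$demo/projects.list"
```

Any line with anongit=yes for a repository that was meant to stay private, or other-access=yes anywhere, is worth a look before the daemon is opened to the network.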

Client Side

Your new shiny gitolite installation should be ready. To test:

git clone git@yourserver.com:gitolite-admin.git

No, I won’t give you any hints about the gitolite.conf file. Sitaram Chamarty (upstream developer) has too much documentation about this and not only. One last note, in Gentoo we added a gitolite vim syntax ebuild, app-vim/gitolite-syntax (or enable the vim-syntax USE flag in gitolite ebuild). No idea about a deb package though.


14 Responses to Gitolite installation with gitweb and anongit in Gentoo and Debian

  1. Ostin says:

    Gentoo:
    useradd -g gitolite -G gitolite -s /sbin/nologin -d /dev/null gitdaemon
    useradd: gitolite group doesn’t exist

    Simple create group? or it is bug? or group has specific GID, etc…?

  2. tampakrap says:

    No, the guide is right. The dev-vcs/gitolite-gentoo ebuild creates the gitolite user and group, so I used that group for the gitdaemon user as well. Even if you do not use the ebuild but install gitolite manually (e.g. directly from source), you should create a git or gitolite user (and group).

  3. tomkap says:

    Nice. Very useful. I’ll try it.

  4. Lujeni says:

    Can you explain your gitolite’s configuration pls?
    Kind regards

  5. Christopher Wilson says:

    Instead of removing “chpst -ugitdaemon” from /etc/sv/git-daemon/run, if you change it to “chpst -ugitdaemon:gitolite” that worked for me (assuming that the gitolite group has read access to the repos).

    When you remove the chpst line, git-daemon runs as root:
    $ ps -ef | grep gitolite
    root 1116 703 0 09:45 ? 00:00:00 /usr/lib/git-core/git-daemon --verbose --base-path=/var/lib/gitolite/repositories

    Adding the :gitolite changes it to run as gitdaemon:
    $ ps -ef | grep gitolite
    106 1128 703 0 09:48 ? 00:00:00 /usr/lib/git-core/git-daemon --verbose --base-path=/var/lib/gitolite/repositories

  6. maxime says:

    Now gitolite-gentoo requires that the public ssh key contains 3 extra lines:
    # git-realname:
    # git-email:
    # git-username:

    Else gl-setup will skip the key and you will not be allowed to clone the admin repo.

    You will get :
    Skipping ‘/var/lib/gitolite/.gitolite/keydir/….pub’ due to missed required variables: git-email, git-realname, git-username

  7. tampakrap says:

    indeed, but you don’t need gitolite-gentoo now that there is a vanilla gitolite ebuild in tree. gitolite-gentoo contains patches targeted to gentoo infrastructure (mainly http://git.overlays.gentoo.org)

  8. Pingback: Repositorio de código con Git y Gitolite en Debian « JavAguirre.net

  9. Chris says:

    Good inspiration, next step is gitweb for me. Here is an example if you’re on windows:
    how-to-install-and-setup-a-git-repository-server-using-gitolite-on-linux-ubuntu-with-windows-clients-using-msysgit/

  10. Ed W says:

    Latest git ebuild has renamed the new git user/group to be just “git”. Therefore s/gitolite/git/ in the various useradd/sudo commands above.

    Perhaps you would be kind enough to update the article for those who just want to mindlessly cut’n'paste?

  11. dimitri says:

    maybe with

    chpst -ugitdaemon:gitolite id

    bye
    D

