4.7 Git on the Server - Gitosis: managing access when the number of users reaches hundreds

Source: Internet
Author: User

4.7 Git on the Server - Gitosis

Keeping all users' public keys in a single authorized_keys file works for a while, but once the number of users reaches hundreds it becomes painful to manage. Every time you add or remove a user you must log in to the server, and this approach lacks any real access control: everyone has full read and write access to every project.

Fortunately there is an alternative: the widely used Gitosis project. Simply put, Gitosis is a set of scripts that manage the authorized_keys file and implement simple access restrictions. Interestingly, users and permissions are not added through a web application but through a special Git repository: you set up the configuration in that repository and push it to the server, and Gitosis adjusts its running policy accordingly. Sounds neat, right?

Installing Gitosis is not foolproof, but it is not too hard either. It is easiest to set up on a Linux server; in the following example we use a server running Ubuntu 8.10.

Gitosis relies on some Python tools, so first install Python's setuptools package, which is called python-setuptools on Ubuntu:

$ apt-get install python-setuptools

Next, clone Gitosis from the project's home page and install it:

$ git clone https://github.com/tv42/gitosis.git
$ cd gitosis
$ sudo python setup.py install

This installs several tools that Gitosis uses. By default Gitosis uses /home/git as the root directory for all Git repositories, which is fine, but we have already put the project repositories in /opt/git, so rather than reconfiguring we can simply create a symbolic link pointing there:

$ ln -s /opt/git /home/git/repositories

Gitosis will manage the users' public keys for us, so back up the current control file by renaming it; the keys can be re-added later, and Gitosis is then free to manage the authorized_keys file automatically:

$ mv /home/git/.ssh/authorized_keys /home/git/.ssh/ak.bak

Next, if you previously changed the login shell of the git user to git-shell, restore the git user's login shell first. (After this change you still cannot log in with that account, because the authorized_keys file is gone, but don't worry: Gitosis will take care of that.) So open the /etc/passwd file and find this line:

git:x:1000:1000::/home/git:/usr/bin/git-shell

and change it back to:

git:x:1000:1000::/home/git:/bin/sh

OK, now it's time to initialize Gitosis. Run the gitosis-init command with your own public key; if the public key isn't on the server yet, copy it over temporarily first:

$ sudo -H -u git gitosis-init < /tmp/id_dsa.pub
Initialized empty Git repository in /opt/git/gitosis-admin.git/
Reinitialized existing Git repository in /opt/git/gitosis-admin.git/

This allows the owner of that public key to modify the special Git repository used to configure Gitosis. Next, you need to manually make the post-update hook script in that repository executable:

$ sudo chmod 755 /opt/git/gitosis-admin.git/hooks/post-update

That's basically it. If nothing went wrong during setup, you can now try to SSH into the server as the owner of the public key that initialized Gitosis, and you should see something like this:

$ ssh git@gitserver
PTY allocation request failed on channel 0
ERROR:gitosis.serve.main:Need SSH_ORIGINAL_COMMAND in environment.
Connection to gitserver closed.

Gitosis recognized the user's identity, but because no Git command was being run, it closed the connection. Now run an actual Git command: clone the Gitosis control repository:

# on your local computer
$ git clone git@gitserver:gitosis-admin.git

This gives you a working directory named gitosis-admin with two main parts:

$ cd gitosis-admin
$ find .
./gitosis.conf
./keydir
./keydir/scott.pub

The gitosis.conf file is the control file used to set up users, repositories, and permissions. The keydir directory holds the public keys of everyone who has access, one file per person. The file name in keydir (scott.pub above) will differ for you: gitosis-init takes the name from the comment at the end of the public key that was imported.

Look at the contents of gitosis.conf; it should contain only the information about the gitosis-admin repository you just cloned:

$ cat gitosis.conf
[gitosis]

[group gitosis-admin]
members = scott
writable = gitosis-admin

It shows that the user scott, the owner of the public key that initialized Gitosis, is the only one who can manage the gitosis-admin project.

Now let's add a new project. To do this we create a new section called mobile that lists the developers of the mobile development team and the projects they have write access to. Since scott is the only user in the system, we add him as the only member and allow him to read and write a new project called iphone_project:

[group mobile]
members = scott
writable = iphone_project

After making the change, commit it in gitosis-admin and push it to the server to make it effective:

$ git commit -am 'add iphone_project and mobile group'
[master 8962da8] add iphone_project and mobile group
 1 file changed, 4 insertions(+)
$ git push origin master
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 272 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@gitserver:gitosis-admin.git
   fb27aec..8962da8  master -> master

Before pushing data to the new iphone_project on the server for the first time, you have to add the server address as a remote repository. You don't have to manually create a bare repository for the project on the server, though; Gitosis creates it automatically the first time it sees a push:

$ git remote add origin git@gitserver:iphone_project.git
$ git push origin master
Initialized empty Git repository in /opt/git/iphone_project.git/
Counting objects: 3, done.
Writing objects: 100% (3/3), 230 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@gitserver:iphone_project.git
 * [new branch]      master -> master

Note that there is no need to specify the full path (in fact it won't work if you do); just a colon followed by the project name is enough, and Gitosis maps it to the actual location for you.

To work on a project with friends, you have to add their public keys again. But this time, instead of manually appending them to the server's ~/.ssh/authorized_keys file, you simply manage the public key files in the keydir directory. The file name determines the user's identity in gitosis.conf. Now we add the public keys for John, Josie and Jessica:

$ cp /tmp/id_rsa.john.pub keydir/john.pub
$ cp /tmp/id_rsa.josie.pub keydir/josie.pub
$ cp /tmp/id_rsa.jessica.pub keydir/jessica.pub

Then add them all to the mobile group so they have read and write access to iphone_project:

[group mobile]
members = scott john josie jessica
writable = iphone_project

If you commit and push this change, four users will have both read and write access to the project.

Gitosis also has simple access control. If you want John to have read-only access, you can do this:

[group mobile]
members = scott josie jessica
writable = iphone_project

[group mobile_ro]
members = john
readonly = iphone_project

Now John can clone and fetch updates, but Gitosis won't allow him to push anything to the project. You can create as many such groups as you like, each containing any number of users and projects. You can even specify another group as a member (prefix the group name with @), and the group then automatically inherits that group's members:

[group mobile_committers]
members = scott josie jessica

[group mobile]
members   = @mobile_committers
writable  = iphone_project

[group mobile_2]
members   = @mobile_committers john
writable  = another_iphone_project
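As an added example (not from the original page or the Gitosis project), here is a small Python model of how the gitosis.conf sections above combine: it resolves @group membership recursively and reports whether a user ends up with write, read-only, or no access to a repository. Parsing [group ...] sections with configparser and the "any writable group wins" rule are my own simplification of the behaviour described in this section, not Gitosis's code; the config text is constructed.

```python
import configparser
# Constructed sample modelled on the gitosis.conf examples in this section.
SAMPLE_CONF = """
[group mobile_committers]
members = scott josie jessica
[group mobile]
members   = @mobile_committers
writable  = iphone_project
[group mobile_2]
members   = @mobile_committers john
writable  = another_iphone_project
[group mobile_ro]
members  = john
readonly = iphone_project
"""

def parse_groups(text):
    """Return {group: {"members": [...], "writable": [...], "readonly": [...]}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    groups = {}
    for section in cp.sections():
        if section.startswith("group "):  # skip [gitosis] and anything else
            groups[section[6:].strip()] = {
                key: cp.get(section, key, fallback="").split()
                for key in ("members", "writable", "readonly")}
    return groups

def expand_members(groups, name, seen=None):
    """Resolve @group references recursively; a cycle or unknown group yields nothing."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    users = set()
    for m in groups[name]["members"]:
        users |= expand_members(groups, m[1:], seen) if m.startswith("@") else {m}
    return users

def access(text, user, repo):
    """Effective access of user to repo: 'write', 'read' or None (no access)."""
    groups = parse_groups(text)
    level = None
    for name, g in groups.items():
        if user in expand_members(groups, name):
            if repo in g["writable"]:
                return "write"  # membership in any writable group grants write
            if repo in g["readonly"]:
                level = "read"
    return level
```

Running access(SAMPLE_CONF, "john", "iphone_project") gives "read" while access(SAMPLE_CONF, "john", "another_iphone_project") gives "write", which is the difference between the mobile_ro and mobile_2 groups above.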

If you run into an unexpected problem, try adding loglevel=DEBUG under the [gitosis] section (this sets the log level to debug, so more detailed information about each operation is recorded). If you make a configuration mistake and lose push access, you can also manually edit the /home/git/.gitosis.conf file on the server; Gitosis actually reads its configuration from that file. When it receives pushed data, it saves the new gitosis.conf to that path. So if you edit the file by hand, your edit stays in effect until the next time you push a new version of the configuration from gitosis-admin.
