4.7 Git on the Server: Gitosis
Keeping all users' public keys in one authorized_keys file works for a while, but once the number of users reaches the hundreds it becomes painful to manage. Every time you remove a user you must log in to the server, and the approach offers no access control at all: everyone has full read and write access to every project.
Fortunately, there is a widely used project called Gitosis. Simply put, Gitosis is a set of scripts that manages the authorized_keys file and enforces simple connection restrictions. Interestingly, users and permissions are not added through a web application but through a special Git repository: you make your changes in that repository and push it to the server, and Gitosis updates its running policy accordingly. Sounds cool, right?
Installing Gitosis is not foolproof, but it isn't very hard either. It's easiest on a Linux server; in the following example we use a server running Ubuntu 8.10.
Gitosis relies on some Python tools, so first install Python's setuptools package, which on Ubuntu is called python-setuptools:
$ apt-get install python-setuptools
Next, clone and install Gitosis from the project's home page:
$ git clone https://github.com/tv42/gitosis.git
$ cd gitosis
$ sudo python setup.py install
This installs several tools that Gitosis uses. By default, Gitosis uses /home/git as the root directory for all Git repositories. That's fine, but we have already put the project repositories in /opt/git, so rather than reconfigure anything we simply create a symbolic link:
$ ln -s /opt/git /home/git/repositories
Gitosis will manage the users' public keys for us, so move the current control file out of the way (its keys can be added back later) and let Gitosis manage the authorized_keys file automatically:
$ mv /home/git/.ssh/authorized_keys /home/git/.ssh/ak.bak
Next, if you previously changed the git user's login shell to git-shell, restore the login shell of the 'git' user. (Even after this change you still can't log in with the account, because the authorized_keys file is gone, but don't worry: Gitosis will take care of that.) So open /etc/passwd and change this line:
git:x:1000:1000::/home/git:/usr/bin/git-shell
Change back to:
git:x:1000:1000::/home/git:/bin/sh
OK, now it's time to initialize Gitosis. Run the gitosis-init command with your own public key; if your public key isn't on the server yet, copy it there temporarily first:
$ sudo -H -u git gitosis-init < /tmp/id_dsa.pub
Initialized empty Git repository in /opt/git/gitosis-admin.git/
Reinitialized existing Git repository in /opt/git/gitosis-admin.git/
This lets the owner of that public key modify the special Git repository used to configure Gitosis. Next, you need to manually make the post-update hook script in that repository executable:
$ sudo chmod 755 /opt/git/gitosis-admin.git/hooks/post-update
That's basically it. If everything went well during setup, you can now SSH into the server as the owner of the public key used to initialize Gitosis, and you should see something like this:
$ ssh git@gitserver
PTY allocation request failed on channel 0
ERROR:gitosis.serve.main:Need SSH_ORIGINAL_COMMAND in environment.
Connection to gitserver closed.
Note that Gitosis recognized the user but closed the connection because no Git command was run. Now run an actual Git command: clone the Gitosis control repository:
# on your local computer
$ git clone git@gitserver:gitosis-admin.git
This gives you a working directory named gitosis-admin with two main parts:
$ cd gitosis-admin
$ find .
./gitosis.conf
./keydir
./keydir/scott.pub
The gitosis.conf file is the control file used to set up users, repositories, and permissions. The keydir directory holds the public keys of everyone who has access, one file per user. The file name in keydir (scott.pub above) will differ for you: Gitosis takes the name from the comment at the end of the public key that was imported with the gitosis-init script.
Look at the contents of gitosis.conf; it should contain only information about the gitosis-admin repository you just cloned:
$ cat gitosis.conf
[gitosis]

[group gitosis-admin]
members = scott
writable = gitosis-admin
It shows that the user scott, the owner of the public key used to initialize Gitosis, is the only one who can manage the gitosis-admin project.
Now let's add a new project. To do this we create a new section called mobile, listing the developers of the mobile development team and the projects they have write access to. Since 'scott' is the only user in the system so far, we add him as the sole member and let him read and write a new project called iphone_project:
[group mobile]
members = scott
writable = iphone_project
After modifying the file, commit the change to gitosis-admin and push it to the server to make it take effect:
$ git commit -am 'add iphone_project and mobile group'
[master 8962da8] add iphone_project and mobile group
 1 file changed, 4 insertions(+)
$ git push origin master
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 272 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@gitserver:gitosis-admin.git
   fb27aec..8962da8  master -> master
Before the first push of iphone_project to the server, you have to add the server as a remote repository. But you don't have to create a bare repository for the project on the server manually: Gitosis creates it automatically the first time it sees a push:
$ git remote add origin git@gitserver:iphone_project.git
$ git push origin master
Initialized empty Git repository in /opt/git/iphone_project.git/
Counting objects: 3, done.
Writing objects: 100% (3/3), 230 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@gitserver:iphone_project.git
 * [new branch]      master -> master
Note that there is no need to specify the full path (in fact, it won't work if you do); a colon plus the project name is enough, and Gitosis maps it to the actual location.
To work on a project with friends, you have to add their public keys. But this time, instead of appending them manually to the ~/.ssh/authorized_keys file on the server, you simply manage the public key files in the keydir directory. The file name determines the user's identity in gitosis.conf. Now add the public keys for John, Josie, and Jessica:
$ cp /tmp/id_rsa.john.pub keydir/john.pub
$ cp /tmp/id_rsa.josie.pub keydir/josie.pub
$ cp /tmp/id_rsa.jessica.pub keydir/jessica.pub
Then add them all to the 'mobile' group so they have read and write access to iphone_project:
[group mobile]
members = scott john josie jessica
writable = iphone_project
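Because every file dropped into keydir/ ends up in the server's authorized_keys, and its comment becomes a user name in gitosis.conf, it pays to check each key before committing it. The following is an added example, not code from the book or from the gitosis project: it accepts only a single "type base64 comment" line, confirms that the declared key type matches the type embedded in the key blob, refuses comments that would not make a sane file name, and derives the keydir name the way the text describes (comment plus .pub). The allowed key types and the comment pattern are this example's own assumptions, and the sample key is constructed, all-zero data, not a real key.

```python
import base64
import binascii
import re
import struct

# Key types this example accepts (assumption: a conservative list, not gitosis's own).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Characters allowed in the key comment, which becomes the keydir file name and
# therefore the user name in gitosis.conf (assumption: modelled on the page's
# description of gitosis-init, not copied from gitosis).
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*(@[A-Za-z][A-Za-z0-9._-]*)?$")


def blob_key_type(blob: bytes) -> str:
    """Return the key type embedded in an OpenSSH key blob (its first length-prefixed string)."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        raise ValueError("key blob truncated")
    return blob[4:4 + n].decode("ascii")


def parse_pubkey(text: str) -> tuple:
    """Parse one OpenSSH public key file and return (key type, comment).

    Rejects files with more than one key line, lines that are not exactly
    'type base64 comment' (so authorized_keys options such as command=... are
    refused), blobs whose embedded type differs from the declared one, and
    comments that are not usable as a keydir file name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one public key line, got %d" % len(lines))
    fields = lines[0].split()
    if len(fields) != 3:
        raise ValueError("expected 'type base64 comment', got %d fields" % len(fields))
    key_type, b64, comment = fields
    if key_type not in KEY_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key data is not valid base64: %s" % exc)
    if blob_key_type(blob) != key_type:
        raise ValueError("declared type %s does not match the key blob" % key_type)
    if not NAME_RE.match(comment):
        raise ValueError("comment %r is not usable as a keydir file name" % comment)
    return key_type, comment


def keydir_name(text: str) -> str:
    """File name under keydir/ for this key: the key comment plus '.pub'."""
    _, comment = parse_pubkey(text)
    return comment + ".pub"


def is_valid_pubkey(text: str) -> bool:
    """True if parse_pubkey accepts the file, False otherwise."""
    try:
        parse_pubkey(text)
        return True
    except ValueError:
        return False


def _constructed_ed25519_blob() -> bytes:
    """A syntactically valid Ed25519 key blob with an all-zero point: constructed
    sample data for this example, NOT a real or usable key."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)


_B64 = base64.b64encode(_constructed_ed25519_blob()).decode()
SAMPLE_KEY = "ssh-ed25519 %s scott\n" % _B64          # what keydir/scott.pub would hold
MISMATCHED_KEY = "ssh-rsa %s scott\n" % _B64          # declared type != blob type
WITH_OPTIONS = 'command="/bin/true" ' + SAMPLE_KEY    # authorized_keys options are refused

if __name__ == "__main__":
    print(keydir_name(SAMPLE_KEY))  # scott.pub
    for bad in (MISMATCHED_KEY, WITH_OPTIONS, SAMPLE_KEY * 2):
        print(is_valid_pubkey(bad))  # False
```

Run it over each file in keydir/ before committing; a file whose derived name differs from its actual file name is a sign that the user identity in gitosis.conf will not be what you expect.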
If you commit and push this change, all four users will have read and write access to the project.
Gitosis also has simple access control. If you want John to have read-only access, you can do this:
[group mobile]
members = scott josie jessica
writable = iphone_project

[group mobile_ro]
members = john
readonly = iphone_project
Now John can clone the project and get updates, but Gitosis won't allow him to push anything to it. You can create as many groups as you like, each containing different users and projects. You can even list a group as a member (prefix the group name with @) to inherit all of its members automatically:
[group mobile_committers]
members = scott josie jessica

[group mobile]
members = @mobile_committers
writable = iphone_project

[group mobile_2]
members = @mobile_committers john
writable = another_iphone_project
If you run into unexpected problems, try adding loglevel=DEBUG to the [gitosis] section (this sets the log level to debug, so Gitosis records more detailed information about what it does). If you mess up the configuration and lose push access, you can also edit the /home/git/.gitosis.conf file on the server by hand; Gitosis actually reads its configuration from that file. When it receives a push, it saves the new gitosis.conf to that path, so a manual edit stays in effect until the next time you push a new version of the configuration from gitosis-admin.
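The group, writable, readonly and @group rules above are easy to get wrong by hand, and the surest way to lose push access is to push a gitosis.conf that no longer lists you as writable on gitosis-admin. The following is an added example, not code from the book or from the gitosis project: it parses a gitosis.conf with Python's configparser, expands @group members recursively (a group that references itself is treated as already expanded rather than looping), answers "what access does user X have to repository Y", and flags a configuration that would lock a given user out of gitosis-admin. Two details are assumptions of this example rather than documented gitosis behaviour: writable wins over readonly when both apply, and a trailing .git on a repository name is ignored when comparing, since clients push to name.git while the config lists name. SAMPLE_CONF is constructed from the configuration shown in this section.

```python
import configparser
from typing import Optional, Set

GROUP_PREFIX = "group "

# Constructed sample: the groups from this section, plus the read-only group for John.
SAMPLE_CONF = """
[gitosis]
loglevel = DEBUG

[group gitosis-admin]
members = scott
writable = gitosis-admin

[group mobile_committers]
members = scott josie jessica

[group mobile]
members = @mobile_committers
writable = iphone_project

[group mobile_ro]
members = john
readonly = iphone_project

[group mobile_2]
members = @mobile_committers john
writable = another_iphone_project
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse gitosis.conf text; it is plain INI, so configparser is sufficient.
    Interpolation is disabled so a '%' in a value cannot trip the parser."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def group_members(cfg: configparser.ConfigParser, group: str, _seen=None) -> Set[str]:
    """Users in `group`, expanding @othergroup entries recursively.
    `_seen` guards against a group that (directly or indirectly) includes itself."""
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return set()
    _seen.add(group)
    section = GROUP_PREFIX + group
    if not cfg.has_section(section):
        return set()
    users = set()
    for member in cfg.get(section, "members", fallback="").split():
        if member.startswith("@"):
            users |= group_members(cfg, member[1:], _seen)
        else:
            users.add(member)
    return users


def _repo_name(name: str) -> str:
    """Compare repositories without a trailing .git (assumption: clients push to
    name.git while gitosis.conf lists name)."""
    return name[:-4] if name.endswith(".git") else name


def access(cfg: configparser.ConfigParser, user: str, repo: str) -> Optional[str]:
    """'writable' if any group grants the user write access to repo, otherwise
    'readonly' if any group grants read access, otherwise None."""
    repo = _repo_name(repo)
    best = None
    for section in cfg.sections():
        if not section.startswith(GROUP_PREFIX):
            continue
        if user not in group_members(cfg, section[len(GROUP_PREFIX):]):
            continue
        for mode in ("writable", "readonly"):
            repos = [_repo_name(r) for r in cfg.get(section, mode, fallback="").split()]
            if repo in repos:
                if mode == "writable":
                    return "writable"
                best = "readonly"
    return best


def admin_locked_out(cfg: configparser.ConfigParser, user: str) -> bool:
    """True if pushing this configuration would leave `user` without write access
    to gitosis-admin, i.e. unable to push any further configuration changes."""
    return access(cfg, user, "gitosis-admin") != "writable"


if __name__ == "__main__":
    cfg = load_conf(SAMPLE_CONF)
    for u, r in (("scott", "iphone_project"), ("john", "iphone_project.git"),
                 ("john", "another_iphone_project"), ("josie", "gitosis-admin")):
        print(u, r, access(cfg, u, r))
    print("scott locked out of gitosis-admin:", admin_locked_out(cfg, "scott"))
```

Running access() for the user you push as, against gitosis-admin, before every push of the control repository is a cheap way to avoid the manual recovery edit of /home/git/.gitosis.conf described above.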