Git Configuration

The NCEAS GitHub organizational account should be used as our main means of sharing new projects whose contents can be entirely public, but we also keep a copy on NCEAS servers by setting up an automated pull from GitHub.

For projects that are too large for GitHub, or whose owners want the repository to be private, the main repo would be on the NCEAS servers, and people would push to that.

GitHub Repository Configuration with NCEAS Sync

coming soon

Git Repository Configuration on NCEAS Servers

This document describes the proposed and partially constructed structure of a Git-based code repository at NCEAS. These git repositories would likely live alongside the SVN repositories that we now support, although at some point the current SVN repositories could be migrated to git if warranted. The current implementation allows only private repositories, accessible via LDAP login by members of the nceas-staff LDAP group. A future improvement would be to optionally allow anonymous read access (see below for details).

Current Git repo URL: https://code.nceas.ucsb.edu/git/*

Configuration overview

Git repositories are served over HTTPS using Apache with git-http-backend to deliver the content from saturn.nceas.ucsb.edu. Git repositories for NCEAS are currently located in /var/gitrepos/. Any repository added to this directory will be accessible as long as it is both readable and writable by the web user (www-data). Repositories should be created as bare git repositories, using git init --bare. When cloning from such a repository, include your username in the URL so that git knows who you are. For example, on your local client you might use:

    git clone https://jones@code.nceas.ucsb.edu/git/myrepo.git

Authentication and authorization

Authentication is handled using LDAP. Accounts are drawn only from the 'ou=Account,dc=ecoinformatics,dc=org' tree, which means accounts are shared with SVN, Plone, and other systems at NCEAS. Currently, access is only granted to members of the cn=nceas-staff LDAP group.

Authorization is handled using HTTP Basic authentication over an SSL connection with AuthLDAP as the authentication provider in Apache. This is configured in the 'LocationMatch' directive of the Apache configuration file for each virtual host. This access needs to be protected by SSL so that usernames and passwords are passed encrypted. Here's the relevant portion of the Apache configuration file:

    SetEnv GIT_PROJECT_ROOT /var/gitrepos
    SetEnv GIT_HTTP_EXPORT_ALL
    ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
    # protect every path under /git/ (both reads and writes)
    <LocationMatch "^/git/.*">
        AuthBasicProvider ldap
        AuthType basic
        AuthName "GIT NCEAS access"
        AuthLDAPURL ldap://ldap.ecoinformatics.org/ou=Account,dc=ecoinformatics,dc=org?uid?sub?(objectClass=*)
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group cn=nceas-staff,dc=ecoinformatics,dc=org
    </LocationMatch>

An alternative is to only try to protect write access, leaving anonymous read access enabled. I attempted to configure this as:

    <LocationMatch "^/git/.*/git-receive-pack$">

but this did not work fully – anonymous pull and clone requests worked fine, but push requests were not successful because authentication was not properly invoked. More experimentation is needed here. See http://git.661346.n2.nabble.com/git-http-backend-and-Authenticated-Pushes-td4703506.html.
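A quick way to reason about which requests a LocationMatch pattern protects is to test the candidate regexes against the paths a git client actually asks for. The script below is an added example and is not part of the original wiki page; the repository name myrepo.git is a placeholder, and the three request paths are the ones the smart-HTTP protocol uses for the ref advertisement, fetch and push. It checks the whole-repository pattern, a double-slash variant, and the receive-pack-only pattern from the attempt above, and shows that the last one covers only the push POST and not the ref advertisement GET, because Apache matches LocationMatch against the URL path alone and ignores the query string that distinguishes a push advertisement (?service=git-receive-pack).

```shell
#!/bin/sh
# Added example, not part of the NCEAS wiki page: check which git smart-HTTP
# request paths an Apache LocationMatch regex covers. LocationMatch is tested
# against the URL path only, never the query string, so the advertisement a
# push starts with (GET .../info/refs?service=git-receive-pack) is seen by the
# regex as plain ".../info/refs".

# Sample request paths a git client sends for one repository (constructed;
# "myrepo.git" is a placeholder repository name).
REPO=/git/myrepo.git
PATHS="$REPO/info/refs $REPO/git-upload-pack $REPO/git-receive-pack"

# location_match REGEX PATH -> exit 0 if the regex matches the path.
# Apache uses PCRE; for anchored patterns like these, grep -E gives the
# same answer.
location_match() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# covered_paths REGEX -> prints each sample path the regex matches
covered_paths() {
    for p in $PATHS; do
        if location_match "$1" "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# count_covered REGEX -> how many of the three sample paths are matched
count_covered() {
    covered_paths "$1" | grep -c . || true
}

# report REGEX -> one-line summary plus the matched paths, indented
report() {
    printf '%-32s covers %s of 3 request paths\n' "$1" "$(count_covered "$1")"
    covered_paths "$1" | sed 's/^/    /'
}

# Candidates from this page: the whole-repository pattern, a double-slash
# variant (which cannot match the single-slash paths git requests), and the
# receive-pack-only pattern.
report '^/git/.*'
report '^/git//.*'
report '^/git/.*/git-receive-pack$'
```

Run it as-is to see the coverage table; to check a different pattern, call report with the regex you intend to put in the Apache configuration. Separately from path matching, note that the AuthLDAPURL on this page uses the plain ldap:// scheme: mod_authnz_ldap only encrypts the connection from Apache to the directory server if the URL uses ldaps:// or ends with the SSL or TLS/STARTTLS parameter.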

Quick Setup

Server Side

  • navigate to saturn:/var/gitrepos
  • navigate to the correct directory to create a new repo dir (repository permissions are inherited from the parent directory):
        cd nceas-staff
        sudo mkdir newrepo.git
        cd newrepo.git
  • create a new git repo:
        sudo git init --bare
  • fix permissions:
        cd ..
        sudo chgrp -R www-data newrepo.git
        sudo chmod -R g+w newrepo.git
  • If creating a new top-level git dir, add the Apache config settings below to /etc/apache2/sites-enabled/code.nceas.ucsb.edu-ssl.conf, modifying the path and the group name as needed:
        <LocationMatch "^/git/CHANGETHISDIR/.*">
            AuthBasicProvider ldap
            AuthType basic
            AuthName "GIT NCEAS access"
            AuthLDAPURL ldap://ldap.ecoinformatics.org/ou=Account,dc=ecoinformatics,dc=org?uid?sub?(objectClass=*)
            AuthLDAPGroupAttributeIsDN on
            Require ldap-group cn=CHANGETHISGROUPNAME,ou=Groups,dc=ecoinformatics,dc=org
        </LocationMatch>
    • restart Apache:
          sudo service apache2 restart
    • Create an LDAP group and add users
  • Add the repo in Redmine (use the full path):
        /var/gitrepos/nceas-staff/newrepo.git
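The server-side steps above can be wrapped in two shell functions: one that creates the bare repository and applies the group ownership and mode, and one that audits an existing repository for the two conditions git-http-backend running as www-data depends on (the repository is bare, and every entry under it is owned by the web server's group and group-writable). This is an added example and not a script from the NCEAS wiki; the repository root and group are parameters, and the NCEAS values would be /var/gitrepos/nceas-staff and www-data.

```shell
#!/bin/sh
# Added example, not part of the NCEAS wiki page: create a bare repository the
# way the Quick Setup describes, and audit it afterwards. ROOT and GROUP are
# parameters; on saturn they would be /var/gitrepos/nceas-staff and www-data.

# create_bare_repo ROOT NAME GROUP -> creates ROOT/NAME.git as a bare
# repository owned by GROUP and group-writable throughout.
create_bare_repo() {
    root=$1; name=$2; group=$3
    repo="$root/$name.git"
    mkdir -p "$repo"
    git init --bare --quiet "$repo"
    chgrp -R "$group" "$repo"
    chmod -R g+w "$repo"
}

# check_repo_access REPO GROUP -> exit 0 if REPO is a bare repository and
# every file and directory under it is group-owned by GROUP and
# group-writable; otherwise print what is wrong and exit 1.
check_repo_access() {
    repo=$1; group=$2
    bad=0
    # a bare repository records "bare = true" in its config file
    if ! grep -q 'bare = true' "$repo/config" 2>/dev/null; then
        echo "not a bare repository: $repo"
        bad=1
    fi
    # list entries that are either not group-writable (mode bit 020 unset)
    # or not owned by the expected group
    offenders=$(find "$repo" ! -perm -020 -o ! -group "$group")
    if [ -n "$offenders" ]; then
        printf 'wrong group or mode under %s:\n%s\n' "$repo" "$offenders"
        bad=1
    fi
    return $bad
}

# Usage on the server (run with sudo, as in the Quick Setup):
#   create_bare_repo /var/gitrepos/nceas-staff newrepo www-data
#   check_repo_access /var/gitrepos/nceas-staff/newrepo.git www-data
```

The audit is worth running after any manual change in /var/gitrepos, because a single file created with a default umask (for example an object written by a root shell) is enough to make pushes through git-http-backend fail with a permission error.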

Local machine

From the local machine terminal:

  • Clone the repository to the local machine:
        git clone https://user@code.nceas.ucsb.edu/git/nceas-staff/newrepo.git
  • Create the master branch by adding a welcome text file, then add the file to git tracking and commit:
        cd newrepo
        echo "Welcome to newrepo" > welcomeToGit.txt
        git add welcomeToGit.txt
        git commit -m "initial commit message"
  • Push your files to the server (and thus Redmine) for the first time:
        git push -u origin master

Alternative approach: Gitolite

An alternative to using Apache to serve the Git repositories is Gitolite, which handles access control using ssh keys that are used to dispatch to a single shared account. Some experimentation with a Gitolite configuration has been done as well; it is located in /var/git on saturn. The main issue with Gitolite is not being able to reuse the accounts configured in LDAP, and having to manually manage potentially hundreds of user ssh keys to control access.

Gitolite is being used on Saturn in /var/git for biengeo, environmental-layers, and TRN.

git_configuration.txt · Last modified: 2015/06/19 11:13 by brun