Author: bdubbs
Date: Tue Jan  5 19:41:15 2021
New Revision: 24074

Log:
Tweaks and wording for git server

Modified:
   trunk/BOOK/general/prog/gitserver.xml
   trunk/BOOK/postlfs/security/iptables.xml

Modified: trunk/BOOK/general/prog/gitserver.xml
==============================================================================
--- trunk/BOOK/general/prog/gitserver.xml       Tue Jan  5 12:21:30 2021        
(r24073)
+++ trunk/BOOK/general/prog/gitserver.xml       Tue Jan  5 19:41:15 2021        
(r24074)
@@ -7,7 +7,7 @@
   <!ENTITY gituid "58">
 ]>
 
-<sect1 id="gitserver" xreflabel="Running a git Server">
+<sect1 id="gitserver" xreflabel="Running a Git Server">
   <?dbhtml filename="gitserver.html"?>
 
   <sect1info>
@@ -15,19 +15,19 @@
   <date>$Date$</date>
   </sect1info>
 
-  <title>Running a git Server</title>
+  <title>Running a Git Server</title>
 
   <sect2 role="package">
-    <title>Running a git Server</title>
+    <title>Introduction</title>
 
     <para>
-      This section will describe how to set up, administer and secure
-      a <application>git</application> server. It is recommended to
-      have a look to the <ulink url="https://git-scm.com/book/en/v2";>git-scm 
documentation</ulink>
-      as <application>git</application> has many options to set.
+      This section will describe how to set up, administer and secure a
+      <application>git</application> server. <application>Git</application>
+      has many options available. For more detailed documentation see 
+      <ulink url="https://git-scm.com/book/en/v2"/>. 
     </para>
 
-    <bridgehead renderas="sect3">git Server Dependencies</bridgehead>
+    <bridgehead renderas="sect3">Server Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Required</bridgehead>
     <para role="required">
@@ -38,38 +38,35 @@
   </sect2>
 
   <sect2 role="configuration">
-    <title>Setting up a git Server.</title>
+    <title>Setting up a Git Server.</title>
 
     <para>
       The following instructions will install a
-      <application>git</application> server, which will be set
+      <application>git</application> server. It will be set
       up to use <application>OpenSSH</application> as the secure
       remote access method.
     </para>
 
     <para>
-      Configuration of the <application>git</application> server
-      consists of the following steps:
+      Configuration of the server consists of the following steps:
     </para>
 
     <sect3>
       <title>1. Setup Users, Groups, and Permissions</title>
 
       <para>
-        You'll need to be user
-        <systemitem class='username'>root</systemitem> for the
-        initial portion of configuration. Create the <systemitem
-        class="username">git</systemitem> user and group with the
-        following commands:
+        You will need to be user <systemitem class='username'>root</systemitem>
+        for the initial portion of configuration. Create the <systemitem
+        class="username">git</systemitem> user and group with the following
+        commands:
       </para>
 
 <screen role="root"><userinput>groupadd -g &gitgid; git &amp;&amp;
 useradd -c "git Owner" -d /home/git -m -g git -s /usr/bin/git-shell -u 
&gituid; git</userinput></screen>
 
       <para>
-        Create some files and directories in the home directory
-        of the git user. The current approach is to allow access
-        to the git repository using ssh keys.
+        Create some files and directories in the home directory of the git user
+        allowing access to the git repository using ssh keys.
       </para>
       
 <screen role="root"><userinput>install -o git -g git -dm0700 /home/git/.ssh 
&amp;&amp;
@@ -78,14 +75,14 @@
 
       <para>
         For any developer who should have access to the repository
-        add his/hers public ssh key to 
<filename>/home/git/.ssh/authorized_keys</filename>.
-        Prepending some options to prevent users to use the
+        add his/her public ssh key to 
<filename>/home/git/.ssh/authorized_keys</filename>.
+        First, prepend some options to prevent users to use the
         connection to git for port forwarding to other machines
         the git server might reach.
       </para>
 
 <screen role="nodump"><userinput>echo -n 
"no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty " >> 
/home/git/.ssh/authorized_keys &amp;&amp;
-cat users-ssh-key >> /home/git/.ssh/authorized_keys</userinput></screen>
+cat &lt;user-ssh-key&gt; &gt;&gt; 
/home/git/.ssh/authorized_keys</userinput></screen>
 
     </sect3>
 
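Review bot: The restrictions written by `echo -n` protect only the key that lands on the same line, so the two-step append in this `<screen role="nodump">` block is fragile. If the key file holds more than one key, the later keys are added with no restrictions at all, and if `authorized_keys` does not already end in a newline the options are fused onto the previous entry. Prefixing every line in one command keeps option and key together: `sed 's/^/no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty /' &lt;user-ssh-key&gt; &gt;&gt; /home/git/.ssh/authorized_keys`. On OpenSSH 7.2 or later the single `restrict` option could replace the list. The prose above it would also read better as "to prevent users from using the connection".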
@@ -93,8 +90,7 @@
       <title>2. Create a git repository.</title>
 
       <para>
-        The repository can be but has not to be in git users home
-        directory - it can be anywhere on the filesystem. It is
+        The repository can be anywhere on the filesystem. It is
         important that the git user has read/write access to that
         location. We use <filename class="directory">/srv/git</filename>
         as base directory. Create a new <application>git</application>
@@ -102,9 +98,9 @@
         <systemitem class="username">root</systemitem> user):
       </para>
 
-<screen role="root"><userinput>install -o git -g git -m0755 -d 
/srv/git/project1.git &amp;&amp;
-cd /srv/git/project1.git &amp;&amp;
-git init --bare &amp;&amp;
+<screen role="root"><userinput>install -o git -g git -m755 -d 
/srv/git/project1.git &amp;&amp;
+cd /srv/git/project1.git                             &amp;&amp;
+git init --bare                                      &amp;&amp;
 chown -R git:git .</userinput></screen>
 
       <para>
@@ -115,8 +111,8 @@
       </para>
 
       <para>
-        A minimal configuration should be available on developers
-        machine specifying its user name and the email address.
+        A minimal configuration should be available on the developer's
+        dudyrm specifying its user name and the email address.
         Create this minimal config file on client side:
       </para>
 
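Review bot: The added line `dudyrm specifying its user name and the email address.` contains a garbled word. The removed text said "machine", so `system specifying the user name and email address.` (or "machine") is presumably what was intended. The same commit introduces `The compination of access via ssh` in the `@@ -188,12 +186,12 @@` hunk (should be "combination"). It also introduces `Start the daemon be executing` in the `@@ -206,36 +204,124 @@` hunk (should be "by executing:").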
@@ -126,24 +122,25 @@
        email = &lt;users-email-address&gt;
 EOF</userinput></screen>
 
-      <para>On the developers machine, setup some files to be pushed
+      <para>
+        On the developer's machine, setup some files to be pushed
         to the repository as the initial content:
       </para>
 
 <screen role="nodump"><userinput>mkdir myproject
 cd myproject
-git init
+git init --initial-branch=main
 git remote add origin git@gitserver:/srv/git/project1.git
 cat &gt;README &lt;&lt;EOF
 This is the README file
 EOF
 git add README
 git commit -m 'Initial creation of README'
-git push --set-upstream origin master</userinput></screen>
+git push --set-upstream origin main</userinput></screen>
 
       <para>The initial content is now pushed to the server and
         is available for other users. On the current machine, the 
-        argument <literal>--set-upstream origin master</literal> is
+        argument <literal>--set-upstream origin main</literal> is
         now no longer required as the local repository is now
         connected to the remote repository. Subsequent pushes
         can be performed as
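Review bot: The client now creates and pushes `main`, but the bare repository in step 2 (the `@@ -102,9 +98,9 @@` hunk) is still created with a plain `git init --bare`. Unless `init.defaultBranch` is set on the server, its HEAD will presumably keep pointing at `master`, so a later `git clone` warns that the remote HEAD refers to a nonexistent ref and checks nothing out. Changing the server command to `git init --bare --initial-branch=main` keeps both sides consistent. `--initial-branch` needs Git 2.28 or later, which deserves a short mention in the text for readers with an older client.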
@@ -165,16 +162,17 @@
 
       <note>
         <para>
-          This is a very basic server setup based on 
<application>OpenSSH</application>
-          access. All developers are using the <systemitem
-          class="username">git</systemitem> user to perform actions
-          on the repository and the changes users are commiting can
-          be distiguished as the local user name (see
+          This is a very basic server setup based on
+          <application>OpenSSH</application> access. All developers are using
+          the <systemitem class="username">git</systemitem> user to perform
+          actions on the repository and the changes users are commiting can be
+          distiguished as the local user name (see
           <filename>~/.gitconfig</filename>) is recorded in the
           changesets.</para>
       </note>
 
-      <para>Access is restricted by the public keys added to git's
+      <para>
+        Access is restricted by the public keys added to git's
         <filename>authorized_keys</filename> file and there is no
         option for the public to export/clone the repository. To
         enable this, continue with step 3 to setup the git server.
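Review bot: The `<note>` says changes can be distinguished by the user name from `~/.gitconfig`, but each client chooses that value freely and it is not tied to the SSH key that authenticated the push. Because every developer logs in as the shared `git` account, the server keeps no authenticated record of who pushed a given change. I would add a sentence such as `The recorded name is not verified by the server and must not be relied on for access control or auditing.` The re-wrapped paragraph also keeps the misspellings `commiting` and `distiguished`.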
@@ -188,12 +186,12 @@
       <para>
         The setup described above makes a repository available for
         authenticated users (via providing the ssh public key file).
-        There is also a quite simple server to publish the 
+        There is also a quite simple way to publish the 
         repository to unauthenticated users - of course without write
         access.
       </para>
       <para>
-        The combination of access via ssh (for authenticated users) and
+        The compination of access via ssh (for authenticated users) and
         the export of repositories to unauthenticated users via the
         daemon is in most cases enough for a development site.
       </para>
@@ -206,36 +204,124 @@
         </para>
       </note>
 
-    </sect3>
-    
-    <sect3 id="gitserver-init">
-      <title>4. Starting the Server</title>
-
-      <para revision="sysv">
-        To start the server at boot time, install the git-daemon
-        bootscript included in the <xref linkend="bootscripts"/> package:
+      <para>
+        As user <systemitem class='username'>root</systemitem> do:
       </para>
 
-      <para revision="systemd">
-        To start the server at boot time, install the
-        <filename>git-daemon.service</filename> unit from the 
-        <xref linkend="systemd-units"/> package:
-      </para>
+<screen role="root" revision="sysv"><userinput>cat &gt; 
/etc/rc.d/init.d/git-daemon &lt;&lt;"EOF"
+#!/bin/sh
+########################################################################
+# Begin /etc/rc.d/init.d/git-daemon
+#
+# Description : Start/Stop git as a daemon
+#
+# Authors     :
+#
+# Version     : LFS 10.0
+#
+# Notes       :
+#
+########################################################################
+
+### BEGIN INIT INFO
+# Provides:            git-daemon
+# Required-Start:      network
+# Should-Start:
+# Required-Stop:
+# Should-Stop:
+# Default-Start:
+# Default-Stop:
+# Short-Description:   git as daemon
+# Description:
+# X-LFS-Provided-By:
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+GIT_BIN="/usr/bin/git"
+DFT_REPO_DIR="/srv/git/"
+PID_FILE="/run/git-daemon.pid"
+
+case "${1}" in
+   start)
+      log_info_msg "Starting git-daemon ..."
+      $GIT_BIN daemon               \
+               --detach             \
+               --pid-file=$PID_FILE \
+               --user=git           \
+               --group=git          \
+               --reuseaddr          \
+               --base-path=$DFT_REPO_DIR $DFT_REPO_DIR
+      evaluate_retval
+      ;;
+
+   stop)
+      log_info_msg "Stopping git-daemon ..."
+      killproc -p $PID_FILE $GIT_BIN
+      evaluate_retval
+      ;;
+
+   restart)
+      ${0} stop
+      sleep 1
+      ${0} start
+      ;;
+
+   *)
+      echo "Usage: ${0} {start|stop|restart}"
+      exit 1
+      ;;
+esac
 
-      <indexterm zone="gitserver gitserver-init" revision="sysv">
-        <primary sortas="f-git">git</primary>
-      </indexterm>
+exit 0
 
-<screen role="root" revision="sysv"><userinput>make 
install-git-daemon</userinput></screen>
+# End /etc/rc.d/init.d/git-daemon
+EOF
 
-      <indexterm zone="gitserver gitserver-init" revision="systemd">
-        <primary sortas="f-gitserve">gitserve</primary>
-      </indexterm>
+chmod 755 /etc/rc.d/init.d/git-daemon
+ln -v -sf ../init.d/git-daemon /etc/rc.d/rc0.d/K29git-daemon
+ln -v -sf ../init.d/git-daemon /etc/rc.d/rc1.d/K29git-daemon
+ln -v -sf ../init.d/git-daemon /etc/rc.d/rc2.d/K29git-daemon
+ln -v -sf ../init.d/git-daemon /etc/rc.d/rc3.d/S50git-daemon
+ln -v -sf ../init.d/git-daemon /etc/rc.d/rc4.d/S50git-daemon
+ln -v -sf ../init.d/git-daemon /etc/rc.d/rc5.d/S50git-daemon
+ln -v -sf ../init.d/git-daemon 
/etc/rc.d/rc6.d/K29git-daemon</userinput></screen>
+
+<screen role="root" revision="systemd"><userinput>cat &gt; 
/etc/systemd/system/git-daemon.service &lt;&lt;EOF
+[Unit]
+Description=Start Git Daemon
+
+[Service]
+ExecStart=/usr/bin/git daemon --reuseaddr --base-path=/srv/git/ /srv/git/
+
+Restart=always
+RestartSec=500ms
+
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=git-daemon
 
-<screen role="root" revision="systemd"><userinput>make 
install-git-daemon</userinput></screen>
+User=git
+Group=git
+
+[Install]
+WantedBy=multi-user.target
+EOF</userinput></screen>
 
+      <para revision="systemd">
+        Enable and start the daemon by executing:
+      </para>
+
+<screen role="root" revision="systemd"><userinput>systemctl enable git-daemon 
&amp;&amp;
+systemctl start git-daemon</userinput></screen>
+      
+      <para revision="sysv">
+        Start the daemon be executing
+      </para>
+<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/git-daemon 
start</userinput></screen>
+      
       <para>
-        In order to make <application>git</application> exporting a
+        In order to allow <application>git</application> to export a
         repository, a file named <filename>git-daemon-export-ok</filename>
         is required in each repository directory on the server. The
         file needs no content, just its existance enables, its absence
@@ -244,13 +330,6 @@
 
 <screen role="root"><userinput>touch 
/srv/git/project1.git/git-daemon-export-ok</userinput></screen>
 
-      <para>
-        Also review the configuration file 
-        <filename revision="sysv">/etc/sysconfig/git-daemon</filename>
-        <filename revision="systemd">/etc/default/git-daemon</filename>
-        for valid repository paths.
-      </para>
-      
     </sect3>
 
   </sect2>

Modified: trunk/BOOK/postlfs/security/iptables.xml
==============================================================================
--- trunk/BOOK/postlfs/security/iptables.xml    Tue Jan  5 12:21:30 2021        
(r24073)
+++ trunk/BOOK/postlfs/security/iptables.xml    Tue Jan  5 19:41:15 2021        
(r24074)
@@ -80,8 +80,8 @@
       (required for Berkely Packet Filter support),
       <ulink 
url="https://netfilter.org/projects/libnfnetlink/";>libnfnetlink</ulink>
       (required for connlabel support),
-      <ulink 
url="https://netfilter.org/projects/libnetfilter_conntrack/";>libnetfilter_conntrack"</ulink>,
 and 
-      (required for connlabel support)
+      <ulink 
url="https://netfilter.org/projects/libnetfilter_conntrack/";>libnetfilter_conntrack"</ulink>
+      (required for connlabel support), and 
       <ulink url="https://netfilter.org/projects/nftables/";>nftables</ulink>
     </para>
 
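Review bot: The moved link text still reads `libnetfilter_conntrack"</ulink>`, with a stray double quote before the closing tag that will show up in the rendered page; it should be `libnetfilter_conntrack</ulink>`. After the reorder the list ends in `nftables</ulink>` with no parenthetical and no full stop, unlike the other entries. The context line above also spells "Berkely" where "Berkeley" is meant. The enclosing `<para>` begins before this hunk.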