I don't use git-daemon; I use https://packages.debian.org/bookworm/klaus (and 
ssh).
I found this bug because src:git is one of the most popular packages to have a 
"missing" systemd unit.

I tested something similar to what Andreas suggested, but it did not work for 
me.
I have attached both ahead-of-time and on-demand units that work for me, at 
least enough that after

    git clone --bare https://github.com/curl/curl /var/lib/git/curl.git
    touch /var/lib/git/git-daemon-export-ok
    touch /var/lib/git/curl.git/git-daemon-export-ok

I can do a clone through the git daemon, using

    git clone git://localhost/git/curl.git && rm -rf curl

I partly cribbed from the units supplied here:

    
    rsync://mirror.internode.on.net/archlinux/pool/packages/git-2.41.0-1-x86_64.pkg.tar.zst

Note that I have not supplied a
/lib/systemd/system-preset/50-git-daemon-sysvinit.preset because
Debian doesn't use those properly, but to mimic
/etc/default/git-daemon being disabled by default, it would be something like

    # This is the non-inetd version; it isn't used by default.
    mask git-daemon.service
    # This is the inetd version.  It is opt-in by default.
    disable git-daemon.socket

However a more logical approach would be to just add this to all three units:

    ConditionPathExists=/var/lib/git

PS: I did not bother to go through "systemd-analyze security" to harden these 
units, either.
That would be the logical next step.


On Tue 04 Feb 2020 22:50:51 +0100, Andreas Henriksson wrote:
> Package: git-daemon-sysvinit
> Version: 1:2.25.0-1
> Severity: normal
> 
> Dear Maintainer,
> 
> Please consider adding a native systemd service masking the already
> shipped init scripts (fixes lintian tag[1] in subject).
> 
> I'm attaching my attempt at writing a service file based on
> looking at the init script. Note that it's completely untested.
> Things to note about the service file:
> - does not reinvent start/enable of services[2], like done in init
>   script. (As discussed in #652355 already.)
> - EnvironmentFile=... takes a file with key=value syntax, but the
>   shipped default /etc/default/git-daemon file has a comment stating
>   it's a posix script snippet....
> - Might be further improved with eg. security hardening[3] etc.
> 
> Please feel free to ask for additional assistance with this issue. I'm
> happy to help if you provide the testing and review (since I don't
> personally use the git-daemon-sysvinit).
> 
> Regards,
> Andreas Henriksson
> 
> 
> [1]: https://lintian.debian.org/tags/missing-systemd-service-for-init.d-script.html
> [2]: https://lintian.debian.org/tags/init.d-script-should-always-start-service.html
> [3]: https://lintian.debian.org/tags/systemd-service-file-missing-hardening-features.html

> [Unit]
> Description=git-daemon service
> After=network.target
> 
> [Service]
> Type=forking
> PIDFile=/run/git-daemon.pid
> Environment=GIT_DAEMON_BASE_PATH=/var/lib
> Environment=GIT_DAEMON_DIRECTORY=/var/lib/git
> Environment=GIT_DAEMON_OPTIONS=
> Environment=GIT_DAEMON_USER=gitdaemon
> EnvironmentFile=-/etc/default/git-daemon
> ExecStart=/usr/lib/git-core/git-daemon --user=$GIT_DAEMON_USER --pid-file=/run/git-daemon.pid --detach --reuseaddr --verbose $GIT_DAEMON_OPTIONS --base-path=$GIT_DAEMON_BASE_PATH $GIT_DAEMON_DIRECTORY
> 
> [Install]
> WantedBy=multi-user.target

[Unit]
Documentation=man:git-daemon(1)
[Socket]
ListenStream=9418
Accept=yes
[Install]
WantedBy=sockets.target

# This is "inetd-style" activated by git-daemon.socket.
# You want EITHER git-daemon.service OR git-daemon.socket + git-daemon@.service.
[Unit]
Documentation=man:git-daemon(1)
[Service]
User=gitdaemon
ExecStart=git daemon --inetd --verbose --base-path=/var/lib /var/lib/git
StandardInput=socket
StandardOutput=inherit
StandardError=journal
ProtectSystem=full
ProtectHome=on
PrivateDevices=on
NoNewPrivileges=on
[Install]
Also=git-daemon.socket

# I initially tried using EnvironmentFile= and variables, but
# git-daemon requires "--foo=$BAR" not "--foo $BAR", and
# I could not convince systemd to expand that out.
# Hard-coding everything works.
[Unit]
Documentation=man:git-daemon(1)
[Service]
Type=forking
User=gitdaemon
ExecStart=git daemon --detach --reuseaddr --verbose --base-path=/var/lib /var/lib/git
[Install]
WantedBy=multi-user.target
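
The hardening pass that the message names as the next step can start with a static check. The following is an added example, not part of the original message or of the Debian package: it parses the `[Service]` sections of the two service units attached above and reports which of a few sandboxing directives are set. The directive selection and the ok/weak/missing labels are assumptions made for this example, not the rule set of lintian or of `systemd-analyze security`.

```python
# Boolean spellings systemd accepts (compared case-insensitively).
TRUE = {"1", "yes", "y", "true", "t", "on"}
# Directive selection is an assumption made for this example.
BOOLEAN = ("NoNewPrivileges", "PrivateDevices", "PrivateTmp",
           "ProtectKernelModules", "ProtectKernelTunables", "ProtectControlGroups")
CHECKS = {name: (lambda v: v.lower() in TRUE) for name in BOOLEAN}
CHECKS["ProtectHome"] = lambda v: v.lower() in TRUE | {"read-only", "tmpfs"}
CHECKS["ProtectSystem"] = lambda v: v == "strict"  # "full"/"yes" leave most of the tree writable

# [Service] sections of the two service units attached to the message.
INETD_UNIT = """\
[Service]
User=gitdaemon
ExecStart=git daemon --inetd --verbose --base-path=/var/lib /var/lib/git
StandardInput=socket
ProtectSystem=full
ProtectHome=on
PrivateDevices=on
NoNewPrivileges=on
"""
FORKING_UNIT = """\
[Service]
Type=forking
User=gitdaemon
ExecStart=git daemon --detach --reuseaddr --verbose --base-path=/var/lib /var/lib/git
"""

def service_settings(unit_text):
    """Return {directive: last assigned value} for the [Service] section."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(unit_text):
    """Map each checked directive to 'ok', 'weak' or 'missing'."""
    settings = service_settings(unit_text)
    return {name: "missing" if name not in settings
            else ("ok" if strong(settings[name]) else "weak")
            for name, strong in CHECKS.items()}

if __name__ == "__main__":
    for label, text in (("git-daemon@.service", INETD_UNIT),
                        ("git-daemon.service", FORKING_UNIT)):
        print(label, audit(text))
```

On the attached units this reports the directives already set in git-daemon@.service, with ProtectSystem=full rated weak, and none of the checked directives in git-daemon.service.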
