After seeing a presentation from Linus Torvalds I decided to read more about git. After looking into git more a I have decided to slowly move to git. New projects will be using git instead of subversion and I will move some existing projects over to git when I get the chance.
The first question that arises in such a case is how to deploy it. Of course, there are free solutions available such as github, but this some disadvantages for me. First of all, the access will be slower compared to a solution that I host at home, and second, I also have private repositories and these are really private so I really don’t want them to be hosted on github (even if github protects the data). Apart from this, the distributed nature of git would allow me anyway to easily put source code for an open source project on github, should one of my projects ever become popular.
So the question remains on how to host it at home. Of course, I have my current infrastructure already consisting of a linux server running apache. Looking at the options for exposing GIT, there are several solutions:
Remote access through ssh.
remote access through apache using webdav
|apache smart http
remote access using apache with CGI based solution (basically using HTTP as transport for git).
In the above table, the phrase “trusting a client” means trusting the client software. Allowing a client full control over the modification of the repository files is risky. There could be clients with bugs or clients using different versions of git and there could even be malicious clients that could corrupt a repository. This risk is not present with the native git and smart http approaches.
As is clear from the above, ssh is the most problematic of all. On the other end, git is the most efficient but lacks the requires security and requires me to open up yet another port on the firewall and run yet another service. Because of these reasons I decided on an HTTP based setup. In fact, I experimented early on with the webdav based approach simply because I didn’t find the smart http approach which is relatively new. The setup however did show that HTTP webdav is much slower than the smart http setup. In fact, I think smart http is also faster than subversion when pushing changes.
The setup of smart HTTP is quite easy, basically it is a CGI based approach where HTTP requests are delegated to a CGI helper program which does the work. In effect, this is the git protocol over HTTP. Standard apache features are used to implement authentication and authorization. The smart HTTP approach is described already quite well here and here, but I encountered some issues and would like to clarify what I did to get it working.
These are the steps I took to get it working on opensuse 11.3:
- Setup the user accounts and groups that you need to authenticate against using htpasswd and put it in a file /etc/apache2/conf.d/git.passwd
- Make sure that the cgi, alias, and env modules are enabled by checking the APACHE_MODULES setting in /etc/sysconfig/apache2.
- Now we are going to edit the apache configuration file for the (virtual) domain we are using. In this example, I assume we have /data/git/public hosting public repositories (anonymous read and authenticated write) and /data/git/private hosting private repositories (authenticated read and write). Also the git repositories are going to be exposed under a /git context root.
- by default export all repositories that are found
This can also be configured on a per repository basis, see the git-http-backend page for details.
- Configure the CGI program used to handle requests for git.
ScriptAlias /git/ /usr/lib/git/git-http-backend/
This directive had me quite puzzled because the apache documentation mentions that the second ScriptAlias argument should be a directory, but in this case it is an executable and it works.
- Set the root directory where git repositories reside
SetEnv GIT_PROJECT_ROOT /data/git
- By default, the git-http-backend allows push for authenticated
users and this directive tells the backend when a user is authenticated.
I had to google a lot to find this one because it is not mentioned in the documentation. Without this, I had to configure “http.receivepack” to “true” for every repository to allow “git push”.
- General CGI configuration allowing the execution of the CGI programs. This is more or less self explanatory
<Directory "/usr/lib/git/"> AllowOverride None Options +ExecCGI -Includes Order allow,deny Allow from all </Directory>
- Next is the configuration of the public repositories
<LocationMatch "^/git/public/.*/git-receive-pack$"> AuthType Basic AuthName "Public Git Repositories on wamblee.org" AuthUserFile /etc/apache2/conf.d/git.passwd Require valid-user </LocationMatch>
This requires an authenticated user for every push request. See the apache documentation for the various options such as requiring the user to belong to a group. In my setup, I simply use one global git.passwd file and any authenticated user has access to any repository.
- Finally, there is the setup of the private repositories, which requires a valid user for any URL.
<LocationMatch "^/git/private/.*$"> AuthType Basic AuthName "Private Git Repositories on wamblee.org" AuthUserFile /etc/apache2/conf.d/git.passwd Require valid-user </LocationMatch>
In this case I could have also used a “Location” element instead of “LocationMatch”.
- Finally restart apache using
or (“force-reload”) and try it out.
- by default export all repositories that are found
Hope this helps others setting up their git servers on linux. In my experience this setup is quite fast for both push and pull. I am currently working on one project that you can access by doing
git clone https://wamblee.org/git/public/xmlrouter
A gitweb interface for browsing the public repositories is here.
Have a lot of fun!