In my previous post, I explained how to turn your My Cloud into a Git server. In that setup, I was able to support multiple users, but all users would have access to all my repositories. Which is not really what I wanted.
I really wanted fine-grained access control to my Git repositories. I'm using git for almost anything, and even though I don't mind sharing, I don't feel like giving everybody access to all my data.
I did try to figure out how to add fine-grained access control all by myself, but it just seemed too complicated. Then I considered running some Git frontend on top of my bare-bones git repositories, but I was neither sure it would actually run on a My Cloud instance, nor did I consider it really desirable to spend that many CPU cycles on something I'd hardly ever use.
But then I ran into Gitolite.
Gitolite allows you to set up git hosting on a central server, with fine-grained access control and many more powerful features.
Digging a little deeper, it appeared that these were the only requirements:
- any unix system
- git 1.6.6 or later
- perl 5.8.8 or later
- openssh 5.0 or later
- a dedicated userid to host the repos (in this document, we assume it is "git", but it can be anything; substitute accordingly)
- this user id does NOT currently have any ssh pubkey-based access
- ideally, this user id has shell access ONLY by "su - git" from some other userid on the same server (this ensures minimal confusion for ssh newbies!)
It seemed I was able to check all of the boxes. So today I gave it a shot. Turns out it works like a charm.
How to install it
I basically followed the installation guidelines here, and just had to make a few changes before the installation worked:
First of all, in my previous setup, I had all the trusted users in my authorized_keys file. Gitolite doesn't like that, and if you still have that during the installation, it will warn you about it.
Read access to /dev/random and /dev/urandom
SSH checks the validity of your public key during the installation. However, the git user doesn't have access to the devices required by that validity check, and the installation will fail because of it.
All you need to do is make sure everybody has at least read access to these devices:
chmod o+r /dev/random /dev/urandom
My repositories used to live in /usr/shar/git. However, Gitolite expects them to be in the repositories subdirectory of the git user's home directory. All I had to do was move my repositories there.
Add access rules
Gitolite does not have a web console or anything. In order to add permissions, you need to clone the gitolite-admin repository, add public keys to that repository and change some configuration files. As soon as you push your changes, users will be able to access their files again. But this time, they will only be able to access the repositories for which you granted them access.
I'm really happy with the result. I wanted something that is minimal, easy to grasp and easy to install. It turns out Gitolite is all of that.
Update Tuesday 22 September 2015
Yesterday, I tried to run the entire setup again. Apparently I installed everything in a directory that is getting wiped after a restart – a little inconvenient for something you hope to preserve forever.
So instead of wherever I installed it before, I wanted the repositories on a share, assuming that the My Cloud Mirror will never delete a share spontaneously.
I (re)created a git user in the web console of the My Cloud, added the git user to /etc/ssh/sshd_config, installed gitolite, restarted the SSH daemon and tried to check out the admin directory:
git clone git@cloudy:gitolite-admin
Instead of what I hoped to get, it asked for my password. I couldn't really figure out why. I checked the client SSH debugging output, but that didn't give away any clues. Then I tried to get the SSH daemon to log to a file. Couldn't find out how to do it, until I found this post again, through Google. (Amazing how little survives in your memory. Glad that Google indexes my mind.)
Anyhow, when I got the SSH daemon to log its output again, it appeared that the share I'm using (/shares/git) didn't have the proper permissions. It granted everyone and the universe access. (Would be nice to know why, Western Digital.)
So the only thing I had to do was change the permissions. That was it.
Another gotcha I didn't quite get before is that you probably want to change the name of your public key into something that has your name, with .pub appended. If you don't, then inside the gitolite config, you will be forced to refer to yourself by the name id_rsa. (That is, if your key was named
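To make the "Add access rules" section and the key-naming gotcha concrete, here is an added example (not from the original post, and not gitolite's own documentation) of what conf/gitolite.conf inside the gitolite-admin clone could look like; the user and repository names are made up:

```conf
# conf/gitolite.conf in the gitolite-admin clone (constructed example).
# Every user named here must have a matching key file in keydir/,
# e.g. keydir/alice.pub and keydir/bob.pub, not keydir/id_rsa.pub.

@admins   = alice
@team     = alice bob

# Only admins may change keys and access rules.
repo gitolite-admin
    RW+     = @admins

# Private repositories: nobody else is granted any access.
repo notes dotfiles
    RW+     = alice

# Shared project: the team can push, carol can only read,
# and only admins may rewind or delete branches (RW+ vs RW).
repo project
    RW+     = @admins
    RW      = @team
    R       = carol
```

After committing keydir/*.pub and this file and pushing gitolite-admin back to the My Cloud, each user can reach only the repositories listed for them.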