Tag Archive: gitosis


So… I am more than a little frustrated with gitosis. But first things first…

Yesterday I finished the configuration of my new laptop: installing some software and such. I will post a report on that later. This afternoon I backed up my old laptop. I took an image of the Windows partition and made a tarball of the Linux root file system; I had already made a backup of the home partition earlier.

So I can start opening up the old laptop and remove all the dust from it. When that is done it will be completely reinstalled. Actually, I was thinking about just putting a copy of the root file system from my new laptop on the old one and then making the two required modifications: setting the hostname and creating a new fstab (as it is UUID-based).

But that is not what my frustrations are about. This afternoon I wanted to work on my OAuth WordPress plugin; there are still a few things to be done before it can be released. Well… in order to work on my source I need access to the git repository. I am using gitosis to manage access to it, so I need to add the SSH public key of my new laptop to its access control list. Since all my computers are in the gitosis system, I logged into my Raspberry Pi server and attempted to add that key.

[andre@rpi-server keydir]$ git push
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 338 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
remote: WARNING:gitosis.ssh:Unsafe SSH username in keyfile: 'andre@8570w.pub'
To gitosis@blaatschaap.be:gitosis-admin.git
   345de48..f110208  master -> master

Unsafe SSH username, and the key is not added. What the fuck. I started googling, and it suggested the “username” gitosis complains about is the last part of the key file. (This is just an arbitrary string, a comment, to identify the key to a person looking at it; it is not used by the machine.)

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbkYGFFpgrYZKy2eJIdSIebvuqaBhW96owRD7WT5MgwUXVtv76NeTJHgoZbUM7/zex+DV4tZwxkTZMQ8yXUmmqdrjYdHSlkxekcE7uvX0Xul0sRywm/Qfbdlu/DQeuTorhY5zb/Zx6TNXR+zw5KKlTPbnTEIXDwqh9kpenQR0auWL24/UQjoC9hTZavxY3cQlMEABGyfyTx7xnxQFZZGZ7h5x+OOWraXY6eYw2eHV53M+eSEIqFJz3LTD4tSl4svWNHTMz7EEfKpO5FmGjwJKIz8RYQiutCmz4bfziIbZvGYJGnUl/u/UlgtdkxaMjvPkZCmnWB+nqtLre2RFKQOWz andre@8570w

But even changing that to, for example, andre@hpnew.blaatschaap.be or whatever else I tried (a FQDN-formatted hostname as the last attempt), it kept complaining. As a last resort I simply disabled the name check. This is done in /usr/share/pyshared/gitosis/ssh.py, where I replaced

def isSafeUsername(user):
    match = _ACCEPTABLE_USER_RE.match(user)
    return (match is not None)

with

def isSafeUsername(user):
    return (True)

So my key would be accepted regardless of this “username”. But really, I have tried everything… I don’t get it.

Well… looking at what _ACCEPTABLE_USER_RE.match(user) is:

_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')

I am not familiar with Python, but it looks like a regular expression saying the hostname should start with a letter, which was not the case for my hostname. But I have tried many variants, including plenty that should just pass this little test. So… I don’t get the problem, and I have been pulling my hair out. Well… I just disabled the silly little test and got access to my repository.

The crazy thing is, I have not only added my laptop, but also another SSH account at my server, which I use for development right in the shell, which got accepted without a complaint. Really…. what the fuck.

Update: I ran this test and, as expected, hpnew.blaatschaap.be is accepted just fine by it.

andre@blaatschaap:~$ cat test.py 
import re

_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')

def isSafeUsername(user):
    match = _ACCEPTABLE_USER_RE.match(user)
    return (match is not None)


if isSafeUsername("andre@blaatschaap.be"):
    print "ok"
else:
    print "nak"

if isSafeUsername("andre@hpnew.blaatschaap.be"):
    print "ok"
else:
    print "nak"

if isSafeUsername("andre@8570w"):
    print "ok"
else:
    print "nak"

andre@blaatschaap:~$ python test.py 
ok
ok
nak

Therefore I wonder: is this “username” it complains about something else? Encoded in the base64 string? I thought that was the key only….
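What gitosis actually feeds into that regular expression is the name of the file in keydir/ with .pub stripped off, which is exactly the name the warning quotes; the comment at the end of the key line is never looked at. The script below is added here as an illustration and is not gitosis' own code: it re-implements that keydir scan over a constructed temporary directory holding one (fake) key under three different filenames.

```python
import os
import re
import tempfile

# The pattern quoted from gitosis' ssh.py. It guards the name that gitosis
# later writes into the command="..." option of authorized_keys, so a name
# that could break out of that quoted option is refused up front.
_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')


def is_safe_username(user):
    return _ACCEPTABLE_USER_RE.match(user) is not None


def scan_keydir(keydir):
    """Walk keydir the way gitosis does: the username is the filename minus
    '.pub'; the comment field inside the key is never consulted.
    Returns (accepted usernames, rejected filenames)."""
    accepted, rejected = [], []
    for filename in sorted(os.listdir(keydir)):
        if filename.startswith('.'):
            continue
        basename, ext = os.path.splitext(filename)
        if ext != '.pub':
            continue
        if not is_safe_username(basename):
            # this is where gitosis logs "Unsafe SSH username in keyfile"
            rejected.append(filename)
            continue
        accepted.append(basename)
    return accepted, rejected


def demo():
    """Constructed keydir: the same fake key stored under three filenames.
    The comment inside the key is identical in all three and irrelevant."""
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed andre@hpnew.blaatschaap.be\n"
    names = ("andre@8570w.pub", "andre@hpnew.blaatschaap.be.pub", "andre.pub")
    with tempfile.TemporaryDirectory() as keydir:
        for name in names:
            with open(os.path.join(keydir, name), "w") as f:
                f.write(key)
        return scan_keydir(keydir)


if __name__ == "__main__":
    print(demo())  # (['andre', 'andre@hpnew.blaatschaap.be'], ['andre@8570w.pub'])
```

Only the file named andre@8570w.pub is refused, because the hostname after the @ starts with a digit; renaming the file (not the comment) to andre@hpnew.blaatschaap.be.pub is what makes it pass.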

I remember having trouble getting this working. After installing gitosis…. how do you get the damn thing working?

Edit the gitosis-admin/gitosis.conf file:

[repo example]
owner = andre@hp

[group mygroup]
members = andre@blaatkonijn andre@hp
writable = example

and commit it

[andre@hplaptop gitosis-admin]$ git commit -a -m "added example repo"
[andre@hplaptop gitosis-admin]$ git push

On the server,

[git@rpi-server repositories]$ mkdir example.git
[git@rpi-server repositories]$ cd example.git
[git@rpi-server example.git]$ git init --bare --shared

On the client:

[andre@hplaptop git-ehv.blaatschaap.be]$ git clone git@ehv.blaatschaap.be:example
Cloning into 'example'...
warning: You appear to have cloned an empty repository.
[andre@hplaptop git-ehv.blaatschaap.be]$ cd example
[andre@hplaptop example]$ cp ~/example/* .
[andre@hplaptop example]$ git commit -a -m "initial commit"
[master (root-commit) fb33879] initial commit
 4 files changed, 326 insertions(+)
 create mode 100644 test.css
 create mode 100644 test.css~
 create mode 100644 test.html
 create mode 100644 test.html~

So far so good, but there are some additional commands required before it is actually usable. I searched for this for hours when I first set up my gitosis. Last May I wrote that I still had to blog about setting up gitosis, but it seems I haven’t done so until now, now that I have set up another gitosis installation. I said back then that I am behind with the stuff I am supposed to blog about, and it seems that is still the case. For example, I still haven’t written about certain USB problems I have been experiencing. Anyhow…. let’s look at git again. The missing link is:

[andre@hplaptop example]$ git branch example
[andre@hplaptop example]$ git checkout example
Switched to branch 'example'
[andre@hplaptop example]$ git push origin example
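To check a gitosis.conf before committing and pushing it, here is a small parser, added as an example and not part of gitosis, that maps each repository to the members granted write or read access and flags member names that gitosis' isSafeUsername regex (quoted in the post above) would refuse; such a member can never get a keyfile accepted, so the grant is dead. The config text is constructed from the one above plus the gitosis-admin group that gitosis-init creates.

```python
import configparser
import re

# Same pattern gitosis applies to keyfile names in keydir/.
_ACCEPTABLE_USER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_.-]*(@[a-zA-Z][a-zA-Z0-9.-]*)?$')

# Constructed gitosis.conf for the example.
GITOSIS_CONF = """\
[gitosis]

[group gitosis-admin]
members = andre@hp
writable = gitosis-admin

[repo example]
owner = andre@hp

[group mygroup]
members = andre@blaatkonijn andre@hp
writable = example
"""


def parse_access(conf_text):
    """Return ({repo: {"writable": set, "readonly": set}}, [unsafe member names]).
    Access in gitosis comes only from [group ...] sections; the [repo ...]
    owner line is informational, so it is not treated as a grant here."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(conf_text)
    access, unsafe = {}, []
    for section in cfg.sections():
        if not section.startswith("group "):
            continue
        members = cfg.get(section, "members", fallback="").split()
        unsafe.extend(m for m in members if not _ACCEPTABLE_USER_RE.match(m))
        for mode in ("writable", "readonly"):
            for repo in cfg.get(section, mode, fallback="").split():
                entry = access.setdefault(repo, {"writable": set(), "readonly": set()})
                entry[mode].update(members)
    return access, unsafe


if __name__ == "__main__":
    access, unsafe = parse_access(GITOSIS_CONF)
    for repo, grants in sorted(access.items()):
        print(repo, "writable:", sorted(grants["writable"]), "readonly:", sorted(grants["readonly"]))
    print("members gitosis would refuse:", unsafe)
```

A member name must match a keyfile basename in keydir/ exactly (andre@hp here means a file andre@hp.pub), otherwise the grant never takes effect.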

My server Pi, well… it still needs some server stuff installed. Installing git has been on my TODO list forever. One of the things that is supposed to be handled by this git server is nightly backups of my dedicated server, which hosts this blog among a number of other sites. Originally my BeagleBoard was supposed to have this role, but due to its instabilities I never set it up as a git server. At some point Eileen wanted to set up a server at her place and asked me to help her configure it, so I asked whether I could have some space on that server for backup purposes. Unfortunately that machine was unstable as well, so it was shut down too.

To manage git we are going to use gitosis, the very same way as is done on my dedicated server (at OVH), but with a different configuration. The OVH server exports all repositories, while here we are going to set up private repositories. But we also want the possibility of public repositories, and we will configure gitweb to have a nice interface to those public repositories.

This configuration is performed on a Raspberry Pi running ArchLinuxARM. However, this guide could be applied to regular ArchLinux on i386 or x86_64 as well.

Let’s get started, shall we?

[andre@rpi-server ~]$ yaourt -S gitosis-git

We have to create the home directory for the git user and set it manually:

[root@rpi-server home]# mkdir /srv/gitosis
[root@rpi-server home]# usermod -d /srv/gitosis/ git

Since we are hosting this on a Raspberry Pi and don’t want to store the repositories on the SD card, we are going to apply the same method as during the setup of the NFS shares: we add the following line to our fstab

/home/gitosis   /srv/gitosis    none    bind    0   0

This basically means we bind-mount the /home/gitosis directory onto /srv/gitosis. Of course we could simply have made a symlink as well. Anyhow, let’s continue.
***** TODO **** use a symlink after all???

[root@rpi-server home]# mkdir /home/gitosis
[root@rpi-server home]# chown git:git /srv/gitosis
[root@rpi-server home]# chown git:git /home/gitosis/
[root@rpi-server home]# mount /srv/gitosis

Now I am going to initialise gitosis. I will do this as the git user, so I su to root and then to git, like this:

[andre@hplaptop ~]$ su
Wachtwoord: 
[root@hplaptop andre]# su git
[git@hplaptop andre]$ cd
[git@hplaptop /]$ 

I have placed a file in the home folder containing my public key. I will try to initialise gitosis using this key:

[git@rpi-server gitosis]$ gitosis-init < andre\@hp.pub 
fatal: unable to access '/home/andre/.config/git/config': Permission denied
Traceback (most recent call last):
  File "/usr/bin/gitosis-init", line 9, in <module>
    load_entry_point('gitosis==0.2', 'console_scripts', 'gitosis-init')()
  File "/usr/lib/python2.7/site-packages/gitosis/app.py", line 24, in run
    return app.main()
  File "/usr/lib/python2.7/site-packages/gitosis/app.py", line 38, in main
    self.handle_args(parser, cfg, options, args)
  File "/usr/lib/python2.7/site-packages/gitosis/init.py", line 136, in handle_args
    user=user,
  File "/usr/lib/python2.7/site-packages/gitosis/init.py", line 75, in init_admin_repository
    template=resource_filename('gitosis.templates', 'admin')
  File "/usr/lib/python2.7/site-packages/gitosis/repository.py", line 54, in init
    raise GitInitError('exit status %d' % returncode)
gitosis.repository.GitInitError: exit status 128

Apparently it tries to access a file in my (andre) home directory while it is running as git. It shouldn’t know about me, right? Well….

[git@rpi-server gitosis]$ set | grep andre
MAIL=/var/mail/andre
XDG_CACHE_HOME=/home/andre/.cache
XDG_CONFIG_HOME=/home/andre/.config
XDG_DATA_HOME=/home/andre/.local/share

So there is still a reference to my config directory in the environment (su git without the - keeps the calling user's environment; su - git would have started with a clean login environment). Let's unset this shit and continue:

[git@rpi-server gitosis]$ unset XDG_CACHE_HOME
[git@rpi-server gitosis]$ unset XDG_CONFIG_HOME
[git@rpi-server gitosis]$ unset XDG_DATA_HOME

Now, we can initialise gitosis:

[git@rpi-server gitosis]$ gitosis-init < andre\@hp.pub 
Initialized empty Git repository in /srv/gitosis/repositories/gitosis-admin.git/
Reinitialized existing Git repository in /srv/gitosis/repositories/gitosis-admin.git/

Now, we're going to install and configure the web server:

[andre@rpi-server ~]$ yaourt -S apache

We're going to do the bind mount again, adding this line to fstab and then creating and mounting the directory:

/home/http   /srv/http    none    bind    0   0
[root@rpi-server ~]# mkdir /home/http
[root@rpi-server ~]# mount /srv/http/
[root@rpi-server ~]# chown http:http /srv/http/
[root@rpi-server ~]# chmod g+w /srv/http/

I'm going to add myself to the http group.

[root@rpi-server http]# groupmems -a andre -g http

As I have mentioned before, I wish to host gitweb as well. Gitweb is in the git package, so it is already installed; just making a symlink is enough, which I can do as myself, as I am in the group http. I have also downloaded the "unknown" folder from my OVH server, which is the page that displays the "domain not served on this server" message in case an unknown vhost is requested. I will move this as well:

[andre@rpi-server ~]$ ln -s /usr/share/gitweb /srv/http/gitweb
[andre@rpi-server ~]$ mv unknown /srv/http

Since I am putting my "unknown vhost" page on this server, it will be supporting vhosts. If a requested domain doesn’t match any VirtualHost in the Apache config file, Apache serves the first entry in the config file, therefore we edit /etc/httpd/conf/extra/httpd-vhosts.conf and put the following in first:

NameVirtualHost *:80

<VirtualHost *:80>
    DocumentRoot "/srv/http/unknown"
    ErrorLog "/var/log/httpd/unknown-error_log"
    CustomLog "/var/log/httpd/unknown-access_log" combined
</VirtualHost>

However, Virtual Hosts aren't enabled yet. We need to edit the main config file in order to include the vhosts config file. We need to open /etc/httpd/conf/httpd.conf and uncomment the virtual hosts line:

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

The "unknown vhost" page is written in PHP, so we're also going to install PHP:

[andre@rpi-server ~]$ yaourt -S php-apache 

And add it to the Apache main configuration file again: we need to load the module and include its configuration file:

LoadModule php5_module modules/libphp5.so
Include conf/extra/php5_module.conf

We also have to add a section for the gitweb directory to the main config file:

<Directory "/srv/http/gitweb">
    DirectoryIndex gitweb.cgi
    Allow from all
    AllowOverride all
    Order allow,deny
    Options ExecCGI
    <Files gitweb.cgi>
        SetHandler cgi-script
    </Files>
    SetEnv GITWEB_CONFIG /etc/conf.d/gitweb.conf
</Directory>

To finish the configuration, we're going to add an actual virtual host to the config, which also serves the gitweb. So we're going to edit the vhosts config again:

<VirtualHost *:80>
    ServerName ehv.blaatschaap.be
    Alias /gitweb "/srv/http/gitweb"
    DocumentRoot /srv/http/blaatschaap.be/ehv
    ErrorLog "/var/log/httpd/blaatschaap.be-ehv-error_log"
    CustomLog "/var/log/httpd/blaatschaap.be-ehv-access_log" combined
    # the Directory path must match the Alias target, /srv/http/gitweb on this server
    <Directory /srv/http/gitweb>
        Options ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride All
        Order allow,deny
        Allow from all
        AddHandler cgi-script cgi
        DirectoryIndex gitweb.cgi
    </Directory>
</VirtualHost>

Now, this part of the server is configured. What still has to be done is putting the backup repository so far on the Pi server, and adjusting the script on the ovh server to make backups to this server.

Also, pretty soon I will be getting a new OVH server, as they're offering much better specs for the same price, and I am going to switch to Debian for a server. ArchLinux is great for desktops, but the changes in a rolling distribution such as ArchLinux are not convenient for a machine that is supposed to be always up. Especially the transition from sysvinit to systemd is giving me a headache, as sysvinit scripts are no longer supported... and I am a bit uncomfortable about changing stuff in the boot loader as I don't have a serial console or anything. If it reboots, I just have to wait till it comes up; if it doesn't.... bad luck.

Besides, I am hosting a few sites for third parties. In order to keep an overview, and to offer my users a convenient interface, I am considering using ISPConfig on my new server. As I have paid for the current server till 15 April, I should have finished the transition by then. I have paid till April because I renewed my contract just one day before the VAT was increased from 19% to 21%. Anyhow, I plan to order the new server in February, so I have plenty of time for testing.