X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/821cb42d42976ec6f750e0b0b191ccc36cbad295..e663d52fd17d989ad4be1a34413c21537cbe957e:/doc/install/install-arv-git-httpd.html.textile.liquid diff --git a/doc/install/install-arv-git-httpd.html.textile.liquid b/doc/install/install-arv-git-httpd.html.textile.liquid index d853ac7c65..2a4d103c7b 100644 --- a/doc/install/install-arv-git-httpd.html.textile.liquid +++ b/doc/install/install-arv-git-httpd.html.textile.liquid @@ -3,6 +3,11 @@ layout: default navsection: installguide title: Install the Git server ... +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} Arvados allows users to create their own private and public git repositories, and clone/push them using SSH and HTTPS. @@ -34,23 +39,10 @@ DNS and network configuration should be set up so port 443 reaches your HTTPS pr h2. Generate an API token -On the API server, if you are using RVM: - - -
gitserver:~$ cd /var/www/arvados-api/current
-gitserver:/var/www/arvados-api/current$ sudo -u www-data RAILS_ENV=production `which rvm-exec` default bundle exec ./script/create_superuser_token.rb
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
-
- -If you are not using RVM: - - -
gitserver:~$ cd /var/www/arvados-api/current
-gitserver:/var/www/arvados-api/current$ sudo -u www-data RAILS_ENV=production bundle exec ./script/create_superuser_token.rb
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
-
+{% assign railshost = "gitserver" %} +{% assign railscmd = "bundle exec ./script/create_superuser_token.rb" %} +{% assign railsout = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" %} +Use the following command to generate an API token. {% include 'install_rails_command' %} Copy that token; you'll need it in a minute. @@ -70,9 +62,11 @@ On Red Hat-based systems: +{% include 'install_git' %} + h2. Create a "git" user and a storage directory -Gitolite and some additional scripts will be installed in @/var/lib/arvados/git@, which means hosted repository data will be stored in @/var/lib/arvados/git/repositories@. If you choose to install gitolite in a different location, make sure to update the @git_repositories_dir@ entry in your API server's @config/application.yml@ file accordingly: for example, if you install gitolite at @/data/gitolite@ then your @git_repositories_dir@ will be @/data/gitolite/repositories@. +Gitolite and some additional scripts will be installed in @/var/lib/arvados/git@, which means hosted repository data will be stored in @/var/lib/arvados/git/repositories@. If you choose to install gitolite in a different location, make sure to update the @git_repositories_dir@ entry in your API server's @application.yml@ file accordingly: for example, if you install gitolite at @/data/gitolite@ then your @git_repositories_dir@ will be @/data/gitolite/repositories@. A new UNIX account called "git" will own the files. This makes git URLs look familiar to users (git@[...]:username/reponame.git). @@ -85,7 +79,7 @@ gitserver:~$ sudo chown -R git:git ~git -The git user needs its own SSH key. (It must be able to run @ssh git@localhost@ from scripts.) +The git user needs its own SSH key. (It must be able to run ssh git@localhost from scripts.)
gitserver:~$ sudo -u git -i bash
@@ -100,14 +94,14 @@ git@gitserver:~$ rm .ssh/authorized_keys
 
 h2. Install gitolite
 
-Check https://github.com/sitaramc/gitolite/tags for the latest stable version (_e.g.,_ @v3.6.3@).
+Check "https://github.com/sitaramc/gitolite/tags":https://github.com/sitaramc/gitolite/tags for the latest stable version. This guide was tested with @v3.6.4@. _Versions below 3.0 are missing some features needed by Arvados, and should not be used._
 
 Download and install the version you selected.
 
 
 
git@gitserver:~$ echo 'PATH=$HOME/bin:$PATH' >.profile
 git@gitserver:~$ source .profile
-git@gitserver:~$ git clone --branch v3.6.3 git://github.com/sitaramc/gitolite
+git@gitserver:~$ git clone --branch v3.6.4 https://github.com/sitaramc/gitolite
 ...
 Note: checking out '5d24ae666bfd2fa9093d67c840eb8d686992083f'.
 ...
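Review bot: The unchanged context line `Note: checking out '5d24ae666bfd2fa9093d67c840eb8d686992083f'.` is carried over from the v3.6.3 transcript, while the clone command above it now names v3.6.4, so the sample output may no longer match what a reader sees. Re-run the clone and paste the current output, or state that this is the commit v3.6.4 is expected to resolve to; comparing that hash is the only integrity check this step gives the reader. Switching the clone URL from git:// to https:// is worth mentioning in the commit message, since it moves the download onto an authenticated transport.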
@@ -121,6 +115,8 @@ WARNING: /var/lib/arvados/git/.ssh/authorized_keys missing; creating a new one
 
+_If this didn't go well, more detail about installing gitolite, and information about how it works, can be found on the "gitolite home page":http://gitolite.com/._ + Clone the gitolite-admin repository. The arvados-git-sync.rb script works by editing the files in this working directory and pushing them to gitolite. Here we make sure "git push" won't produce any errors or warnings. @@ -140,7 +136,7 @@ Everything up-to-date
-h2. Configure gitolite +h3. Configure gitolite Configure gitolite to look up a repository name like @username/reponame.git@ and find the appropriate bare repository storage directory. @@ -163,6 +159,13 @@ Add the following lines inside the section that begins @%RC = (@: +Inside that section, adjust the 'UMASK' setting to @022@, to ensure the API server has permission to read repositories: + + +
    UMASK => 022,
+
+
+ Uncomment the 'Alias' line in the section that begins @ENABLE => [@: @@ -188,9 +191,9 @@ Create a configuration file @/var/www/arvados-api/current/config/arvados-clients -h2. Enable the synchronization script +h3. Enable the synchronization script -The API server package includes a script that retrieves the current set of repository names and permissions from the API, writes names and permissions to @arvadosaliases.pl@ in a format usable by gitolite, and creates new empty repositories if needed. This script should run every 2 to 5 minutes. +The API server package includes a script that retrieves the current set of repository names and permissions from the API, writes them to @arvadosaliases.pl@ in a format usable by gitolite, and triggers gitolite hooks which create new empty repositories if needed. This script should run every 2 to 5 minutes. If you are using RVM, create @/etc/cron.d/arvados-git-sync@ with the following content: @@ -206,6 +209,17 @@ Otherwise, create @/etc/cron.d/arvados-git-sync@ with the following content: +h3. Configure the API server to advertise the correct SSH URLs + +In your API server's @application.yml@ file, add the following entry: + + +
git_repo_ssh_base: "git@git.uuid_prefix.your.domain:"
+
+
+ +Make sure to include the trailing colon. + h2. Install the arvados-git-httpd package This is needed only for HTTPS access. @@ -223,6 +237,7 @@ On Red Hat-based systems:
~$ sudo yum install git arvados-git-httpd
+~$ sudo systemctl enable arvados-git-httpd
 
@@ -230,10 +245,9 @@ Verify that @arvados-git-httpd@ and @git-http-backend@ can be run:
~$ arvados-git-httpd -h
-Usage of arvados-git-httpd:
-  -address="0.0.0.0:80": Address to listen on, "host:port".
-  -git-command="/usr/bin/git": Path to git executable. Each authenticated request will execute this program with a single argument, "http-backend".
-  -repo-root="/path/to/cwd": Path to git repositories.
+[...]
+Usage: arvados-git-httpd [-config path/to/arvados/git-httpd.yml]
+[...]
 ~$ git http-backend
 Status: 500 Internal Server Error
 Expires: Fri, 01 Jan 1980 00:00:00 GMT
@@ -246,27 +260,29 @@ fatal: No REQUEST_METHOD from server
 
 h3. Enable arvados-git-httpd
 
-Install "runit":http://smarden.org/runit/ (if it's not already installed) and configure it to run arvados-git-httpd. Update the API host to match your site.
+{% include 'notebox_begin' %}
+
+The arvados-git-httpd package includes configuration files for systemd.  If you're using a different init system, you'll need to configure a service to start and stop an @arvados-git-httpd@ process as desired.
+
+{% include 'notebox_end' %}
+
+Create the configuration file @/etc/arvados/git-httpd/git-httpd.yml@. Run @arvados-git-httpd -h@ to learn more about configuration entries.
+
+
+
Client:
+  APIHost: uuid_prefix.your.domain
+  Insecure: false
+GitCommand: /var/lib/arvados/git/gitolite/src/gitolite-shell
+GitoliteHome: /var/lib/arvados/git
+Listen: :9001
+RepoRoot: /var/lib/arvados/git/repositories
+
+
+ +Restart the systemd service to ensure the new configuration is used. -
~$ sudo apt-get install runit
-~$ cd /etc/sv
-/etc/sv$ sudo mkdir arvados-git-httpd; cd arvados-git-httpd
-/etc/sv/arvados-git-httpd$ sudo mkdir log
-/etc/sv/arvados-git-httpd$ sudo sh -c 'cat >log/run' <<'EOF'
-#!/bin/sh
-mkdir -p main
-chown git:git main
-exec chpst -u git:git svlogd -tt main
-EOF
-/etc/sv/arvados-git-httpd$ sudo sh -c 'cat >run' <<'EOF'
-#!/bin/sh
-export ARVADOS_API_HOST=uuid_prefix.your.domain
-export GITOLITE_HTTP_HOME=/var/lib/arvados/git
-export PATH="$PATH:/var/lib/arvados/git/bin"
-exec chpst -u git:git arvados-git-httpd -address=:9001 -git-command="$(which git)" -repo-root=/var/lib/arvados/git/repositories 2>&1
-EOF
-/etc/sv/arvados-git-httpd$ sudo chmod +x run log/run
+
~$ sudo systemctl restart arvados-git-httpd
 
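Review bot: `Listen: :9001` in the new git-httpd.yml binds every interface, while the Nginx upstream later in this patch reaches the service at 127.0.0.1:9001. If the setting accepts host:port the way the old -address flag did, use `Listen: 127.0.0.1:9001` in the sample so the plain-HTTP port cannot be reached around the TLS proxy when both run on one host. The removed runit script also made the service account explicit (`chpst -u git:git`) and pointed the git command at `$(which git)`; the new text does not say which user the packaged systemd unit runs as, or why `GitCommand` is now gitolite-shell. A sentence on each would help.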
@@ -276,31 +292,49 @@ The arvados-git-httpd service will be accessible from anywhere on the internet, This is best achieved by putting a reverse proxy with SSL support in front of arvados-git-httpd, running on port 443 and passing requests to @arvados-git-httpd@ on port 9001 (or whichever port you used in your run script). +Add the following configuration to the @http@ section of your Nginx configuration: + -
http {
-  upstream arvados-git-httpd {
-    server localhost:9001;
-  }
-  server {
-    listen *:443 ssl;
-    server_name git.uuid_prefix.example.com;
-    ssl_certificate /root/git.uuid_prefix.example.com.crt;
-    ssl_certificate_key /root/git.uuid_prefix.example.com.key;
-    location  / {
-      proxy_pass http://arvados-git-httpd;
-      proxy_set_header X-Forwarded-For $remote_addr;
-    }
+

+upstream arvados-git-httpd {
+  server                  127.0.0.1:9001;
+}
+server {
+  listen                  [your public IP address]:443 ssl;
+  server_name             git.uuid_prefix.your.domain;
+  proxy_connect_timeout   90s;
+  proxy_read_timeout      300s;
+
+  ssl on;
+  ssl_certificate         /YOUR/PATH/TO/cert.pem;
+  ssl_certificate_key     /YOUR/PATH/TO/cert.key;
+
+  # The server needs to accept potentially large refpacks from push clients.
+  client_max_body_size 50m;
+
+  location  / {
+    proxy_pass            http://arvados-git-httpd;
   }
 }
-
 
-h3. Tell the API server about the arvados-git-httpd service +h3. Configure the API server to advertise the correct HTTPS URLs + +In your API server's @application.yml@ file, add the following entry: + + +
git_repo_https_base: https://git.uuid_prefix.your.domain/
+
+
+ +Make sure to include the trailing slash. + +h2. Restart Nginx -In your API server's @config/application.yml@ file, add the following entry: +Restart Nginx to make the Nginx and API server configuration changes take effect. -
git_http_base: git.uuid_prefix.your.domain
+
gitserver:~$ sudo nginx -s reload
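Review bot: The new `location /` block drops `proxy_set_header X-Forwarded-For $remote_addr;`, so the backend loses the client address for every proxied request. Keep the header, or say in the commit message why it was removed. `ssl on;` duplicates the `ssl` parameter already on the `listen` line and can go. The unchanged context at the top of this hunk still refers to the port "used in your run script", which no longer exists after the previous hunk, and the new "Restart Nginx" section says restart while its command is `nginx -s reload`.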
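Review bot: In the hunk at `@@ -163,6 +159,13 @@`, `UMASK => 022` gives read access to every local account, not only the API server the sentence names, so repositories the page describes as private become readable by any user on the host. Consider a group-scoped value such as 027 with the API server's account (www-data in the commands this patch removes) added to the git group. Otherwise, state that the host is assumed to have no other local users.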