X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/89dcdd013aef473cef6f2b94bfcd2308b60a55d4..fc6b3cd79ba9e07810330d0d47a0ab89ad8857f7:/doc/install/install-arv-git-httpd.html.textile.liquid
diff --git a/doc/install/install-arv-git-httpd.html.textile.liquid b/doc/install/install-arv-git-httpd.html.textile.liquid
index 0abe03942f..b758903256 100644
--- a/doc/install/install-arv-git-httpd.html.textile.liquid
+++ b/doc/install/install-arv-git-httpd.html.textile.liquid
@@ -3,76 +3,54 @@ layout: default
navsection: installguide
title: Install the Git server
...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
-Arvados allows users to create their own private and public git repositories, and clone/push them using SSH and HTTPS.
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
-The git hosting setup involves three components.
-* The "arvados-git-sync.rb" script polls the API server for the current list of repositories, creates bare repositories, and updates the local permission cache used by gitolite.
-* Gitolite provides SSH access.
-* arvados-git-http provides HTTPS access.
-
-It is not strictly necessary to deploy _both_ SSH and HTTPS access, but we recommend deploying both:
-* SSH is a more appropriate way to authenticate from a user's workstation because it does not require managing tokens on the client side;
-* HTTPS is a more appropriate way to authenticate from a shell VM because it does not depend on SSH agent forwarding (SSH clients' agent forwarding features tend to behave as if the remote machine is fully trusted).
-
-The HTTPS instructions given below will not work if you skip the SSH setup steps.
-
-h2. Set up DNS
-
-By convention, we use the following hostname for the git service:
-
-
-git.uuid_prefix.your.domain
-
-gitserver:~$ cd /var/www/arvados-api/current
-gitserver:/var/www/arvados-api/current$ sudo -u www-data RAILS_ENV=production `which rvm-exec` default bundle exec ./script/create_superuser_token.rb
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
-gitserver:~$ cd /var/www/arvados-api/current
-gitserver:/var/www/arvados-api/current$ sudo -u www-data RAILS_ENV=production bundle exec ./script/create_superuser_token.rb
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
gitserver:~$ sudo apt-get install git openssh-server
+
# yum install git perl-Data-Dumper openssh-server
gitserver:~$ sudo yum install git perl-Data-Dumper openssh-server
+
# apt-get --no-install-recommends install git openssh-server
git@[...]:username/reponame.git
).
@@ -98,16 +76,17 @@ git@gitserver:~$ rm .ssh/authorized_keys
-h2. Install gitolite
+h2(#gitolite). Install gitolite
-Check "https://github.com/sitaramc/gitolite/tags":https://github.com/sitaramc/gitolite/tags for the latest stable version (_e.g.,_ @v3.6.3@).
+Check "https://github.com/sitaramc/gitolite/tags":https://github.com/sitaramc/gitolite/tags for the latest stable version. This guide was tested with @v3.6.11@. _Versions below 3.0 are missing some features needed by Arvados, and should not be used._
Download and install the version you selected.
git@gitserver:~$ echo 'PATH=$HOME/bin:$PATH' >.profile
-git@gitserver:~$ source .profile
-git@gitserver:~$ git clone --branch v3.6.3 git://github.com/sitaramc/gitolite
+
$ sudo -u git -i bash
+git@gitserver:~$ echo 'PATH=$HOME/bin:$PATH' >.profile
+git@gitserver:~$ . .profile
+git@gitserver:~$ git clone --branch v3.6.11 https://github.com/sitaramc/gitolite
...
Note: checking out '5d24ae666bfd2fa9093d67c840eb8d686992083f'.
...
@@ -121,6 +100,8 @@ WARNING: /var/lib/arvados/git/.ssh/authorized_keys missing; creating a new one
+ UMASK => 022,
+
production:
gitolite_url: /var/lib/arvados/git/repositories/gitolite-admin.git
gitolite_tmp: /var/lib/arvados/git
- arvados_api_host: uuid_prefix.example.com
+ arvados_api_host: ClusterID.example.com
arvados_api_token: "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
arvados_api_host_insecure: false
gitolite_arvados_git_user_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7aBIDAAgMQN16Pg6eHmvc+D+6TljwCGr4YGUBphSdVb25UyBCeAEgzqRiqy0IjQR2BLtSirXr+1SJAcQfBgI/jwR7FG+YIzJ4ND9JFEfcpq20FvWnMMQ6XD3y3xrZ1/h/RdBNwy4QCqjiXuxDpDB7VNP9/oeAzoATPZGhqjPfNS+RRVEQpC6BzZdsR+S838E53URguBOf9yrPwdHvosZn7VC0akeWQerHqaBIpSfDMtaM4+9s1Gdsz0iP85rtj/6U/K/XOuv2CZsuVZZ52nu3soHnEX2nx2IaXMS3L8Z+lfOXB2T6EaJgXF7Z9ME5K1tx9TSNTRcYCiKztXLNLSbp git@gitserver"
+$ sudo chown git:git /var/www/arvados-api/current/config/arvados-clients.yml
+$ sudo chmod og-rwx /var/www/arvados-api/current/config/arvados-clients.yml
++
+h3. Test configuration
+
+notextile.
$ sudo -u git -i bash -c 'cd /var/www/arvados-api/current && bin/bundle exec script/arvados-git-sync.rb production'
+
h3. Enable the synchronization script
The API server package includes a script that retrieves the current set of repository names and permissions from the API, writes them to @arvadosaliases.pl@ in a format usable by gitolite, and triggers gitolite hooks which create new empty repositories if needed. This script should run every 2 to 5 minutes.
-If you are using RVM, create @/etc/cron.d/arvados-git-sync@ with the following content:
+Create @/etc/cron.d/arvados-git-sync@ with the following content:
*/5 * * * * git cd /var/www/arvados-api/current && /usr/local/rvm/bin/rvm-exec default bundle exec script/arvados-git-sync.rb production
+*/5 * * * * git cd /var/www/arvados-api/current && bin/bundle exec script/arvados-git-sync.rb production
*/5 * * * * git cd /var/www/arvados-api/current && bundle exec script/arvados-git-sync.rb production
+ Services:
+ GitSSH:
+ ExternalURL: "ssh://git@git.ClusterID.example.com"
+ GitHTTP:
+ ExternalURL: https://git.ClusterID.example.com/
+ InternalURLs:
+ "http://localhost:9001": {}
+ Git:
+ GitCommand: /var/lib/arvados/git/gitolite/src/gitolite-shell
+ GitoliteHome: /var/lib/arvados/git
+ Repositories: /var/lib/arvados/git/repositories
git_repo_ssh_base: git@git.uuid_prefix.your.domain:
-
-upstream arvados-git-httpd {
+ server 127.0.0.1:9001;
+}
+server {
+ listen 443 ssl;
+ server_name git.ClusterID.example.com;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
-Make sure to include the trailing colon.
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
-h2. Install the arvados-git-httpd package
+ # The server needs to accept potentially large refpacks from push clients.
+ client_max_body_size 128m;
+
+ location / {
+ proxy_pass http://arvados-git-httpd;
+ }
+}
+
+
-This is needed only for HTTPS access.
+h2(#install-packages). Install the arvados-git-httpd package
-The arvados-git-httpd package provides HTTP access, using Arvados authentication tokens instead of passwords. It is intended to be installed on the system where your git repositories are stored, and accessed through a web proxy that provides SSL support.
+The arvados-git-httpd package provides HTTP access, using Arvados authentication tokens instead of passwords. It must be installed on the system where your git repositories are stored.
-On Debian-based systems:
+h3. Centos 7
~$ sudo apt-get install git arvados-git-httpd
+# yum install arvados-git-httpd
~$ sudo yum install git arvados-git-httpd
+# apt-get --no-install-recommends install arvados-git-httpd
~$ arvados-git-httpd -h
-Usage of arvados-git-httpd:
- -address="0.0.0.0:80": Address to listen on, "host:port".
- -git-command="/usr/bin/git": Path to git executable. Each authenticated request will execute this program with a single argument, "http-backend".
- -repo-root="/path/to/cwd": Path to git repositories.
-~$ git http-backend
-Status: 500 Internal Server Error
-Expires: Fri, 01 Jan 1980 00:00:00 GMT
-Pragma: no-cache
-Cache-Control: no-cache, max-age=0, must-revalidate
-
-fatal: No REQUEST_METHOD from server
+# systemctl restart nginx arvados-controller
~$ sudo apt-get install runit
-~$ cd /etc/sv
-/etc/sv$ sudo mkdir arvados-git-httpd; cd arvados-git-httpd
-/etc/sv/arvados-git-httpd$ sudo mkdir log
-/etc/sv/arvados-git-httpd$ sudo sh -c 'cat >log/run' <<'EOF'
-#!/bin/sh
-mkdir -p main
-chown git:git main
-exec chpst -u git:git svlogd -tt main
-EOF
-/etc/sv/arvados-git-httpd$ sudo sh -c 'cat >run' <<'EOF'
-#!/bin/sh
-export ARVADOS_API_HOST=uuid_prefix.your.domain
-export GITOLITE_HTTP_HOME=/var/lib/arvados/git
-export PATH="$PATH:/var/lib/arvados/git/bin"
-exec chpst -u git:git arvados-git-httpd -address=:9001 -git-command="$(which git)" -repo-root=/var/lib/arvados/git/repositories 2>&1
-EOF
-/etc/sv/arvados-git-httpd$ sudo chmod +x run log/run
-
-~$ arv --format=uuid repository create --repository '{"name":"myusername/testrepo"}'
+
-h3. Set up a reverse proxy to provide SSL service
+The arvados-git-sync cron job will notice the new repository record and create a repository on disk. Because it is on a timer (default 5 minutes) you may have to wait a minute or two for it to show up.
-The arvados-git-httpd service will be accessible from anywhere on the internet, so we recommend using SSL.
+h3. SSH
-This is best achieved by putting a reverse proxy with SSL support in front of arvados-git-httpd, running on port 443 and passing requests to @arvados-git-httpd@ on port 9001 (or whichever port you used in your run script).
+Before you do this, go to Workbench and choose *SSH Keys* from the menu, and upload your public key. Arvados uses the public key to identify you when you access the git repo.
-upstream arvados-git-httpd {
- server 127.0.0.1:9001;
-}
-server {
- listen [your public IP address]:443 ssl;
- server_name git.uuid_prefix.your.domain;
-
- ssl on;
- ssl_certificate /YOUR/PATH/TO/cert.pem;
- ssl_certificate_key /YOUR/PATH/TO/cert.key;
-
- location / {
- proxy_pass http://arvados-git-httpd;
- proxy_redirect off;
- proxy_connect_timeout 90s;
- proxy_read_timeout 300s;
-
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $http_host;
- proxy_set_header X-External-Client $external_client;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
+~$ git clone git@git.ClusterID.example.com:username/testrepo.git
git_repo_http_base: https://git.uuid_prefix.your.domain/
+~$ git clone https://git.ClusterID.example.com/username/testrepo.git