Gitosis and Public Access to my Git Repositories on Mac OS X 10.3.9
In a previous post I discussed getting Git running on Mac OS X 10.3.9 - which is what's running on frosty, my Snow iMac G3 in my office. It would be running 10.4 if it had a DVD drive, but it's still fine, even if every now and then it's a hassle - like with installing Git. In the end I have Git 1.6.0.2 running on it just fine, and that's what really matters.
This installment is about getting public and private access to the Git repositories that I'm planning on hosting on this box. While you don't have to have a central repository for team members to sync with, I will work this way as it also provides people with a way to anonymously get the repo and decide if it's got something for them.
Private Repository Access
While the traditional way to handle Private repo access is to have accounts on the machine for each team member, I'm going to use Gitosis. This is a neat little package that allows you to simply have the id_rsa.pub SSH public keys for the users and then have a single user (git) handle all the authentication and push/pull work with Git.
Let's get started. The first thing I did was to add the user 'git' to my Mac using the traditional System Preferences application. Just add them with a password, etc. that you know (it will not be visible to the team members) and then you're ready to go to the next step. Typically, this places the files for the account into /Users/git and that's OK with me as the repositories will be placed in a directory off this user's $HOME directory.
The Python that comes with OS X 10.3.9 is Python 2.3, and we're going to need a more up-to-date version - say 2.5. I got this from the PythonMac.org website. Install it and then make sure that /usr/local/bin is very near the beginning of your path (and the path for the 'git' user). Make sure that you have this in the right place by checking:
$ python -V
Python 2.5
If you get the right response, you're looking good.
Unfortunately, Gitosis is going to need a little more and that "little more" is the Python library 'setuptools'. We have to get that, and install it, which is pretty simple:
curl -o setuptools-0.6c8-py2.5.egg \
http://pypi.python.org/packages/2.5/s/setuptools/setuptools-0.6c8-\
py2.5.egg#md5=1721747ee329dc150590a58b3e1ac95b
sh setuptools-0.6c8-py2.5.egg
The URL in the second and third lines is really one line, and you have to make sure to have the name of the file exactly as indicated, as that's used by the installer to know what to do. Once this is done, we're ready for the next step - installing Gitosis.
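curl does not check the `#md5=` fragment on that URL, and the download is plain HTTP, so the digest can be compared by hand before the egg is run with sh. This is an added example, not part of the original post; `md5_of` and `verify_md5` are hypothetical helper names, and an MD5 match guards against a corrupted download rather than a deliberate substitution.

```sh
#!/bin/sh
# Added example: compare a file's MD5 digest with an expected value
# before running it. md5_of and verify_md5 are hypothetical helper names.

# Print the hex MD5 of "$1" using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                          # Mac OS X / BSD
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# Return 0 only if the file exists and its digest equals "$2"
# (comparison is case-insensitive); return 2 if the file is missing.
verify_md5() {
    [ -f "$1" ] || return 2
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Usage for the egg on this page (digest taken from the URL fragment):
#   verify_md5 setuptools-0.6c8-py2.5.egg 1721747ee329dc150590a58b3e1ac95b \
#       && sh setuptools-0.6c8-py2.5.egg
```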
The Gitosis instructions talk about the location of the install, and I've found that it's good advice; there's only one little hitch on OS X 10.3.9 - that is, that the Gitosis commands are not deposited in the PATH. So, we need to get the package and install it:
su - git
git clone git://eagain.net/gitosis.git
cd gitosis
sudo python setup.py install
and then symlink the executables from their install locations on OS X 10.3.9 to the obvious - /usr/local/bin:
cd /usr/local/bin
sudo ln -s /Library/Frameworks/Python.framework/Versions/2.5/bin/gitosis-init .
sudo ln -s /Library/Frameworks/Python.framework/Versions/2.5/bin/gitosis-run-hook .
sudo ln -s /Library/Frameworks/Python.framework/Versions/2.5/bin/gitosis-serve .
At this point, we're ready to initialize Gitosis for the one user (me):
su - git
cd /Users/git
gitosis-init < /Users/drbob/.ssh/id_rsa.pub
chmod 755 repositories/gitosis-admin.git/hooks/post-update
where the SSH public key file (/Users/drbob/.ssh/id_rsa.pub) can be from your other machine, or wherever - I just happened to already have all my public keys on this server, so it's easy.
A point worth mentioning is that the last chmod command is needed because the setuptools doesn't properly set the execute permissions on the file and they need to be set in order for Gitosis to work properly.
We're ready to use the private access! I have already set up the DNS entry for git.themanfromspud.com to point to the machine, and put a hole for port 9418 in my router/firewall for this guy, so I can say from any machine:
git clone git@git.themanfromspud.com:gitosis-admin.git
cd gitosis-admin
and I'm ready to go!
At this point, it seems reasonable to follow the outline of steps here to add groups and users based on their SSH RSA public key files. I haven't needed to do that yet - but certainly will as time goes on. Got all the notes I need in VoodooPad.
Public Repository Access
This doesn't look as bad as the other, but it took me a lot longer as I was stumped trying to figure out why it wasn't working. Basically, I wanted to add git:// as an xinetd service to the box, and I was getting a ton of errors like:
$ git clone git://git.themanfromspud.com/gitosis-admin.git
Initialized empty Git repository in /Users/drbob/gitosis-admin/.git/
fatal: The remote end hung up unexpectedly
To start at the top, you need to make sure that we have the line for the protocol in /etc/services:
git 9418/tcp # Git Version Control Repo Viewer
and then in /etc/xinetd.d you need to create a file git-daemon which contains:
# default: off
# description: The git server offers access to git repositories
service git
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = git
    env             = PATH=/bin:/usr/bin:/usr/local/bin:/usr/local/libexec/git-core
    server          = /usr/local/libexec/git-core/git-daemon
    server_args     = --base-path=/Users/git/repositories/ --export-all --inetd
    log_on_failure  += USERID
}
and then send a kill -HUP to the xinetd process. The tricky point for me was the env = PATH=... line - without it the xinetd process does not know the path to the executables even with the path specified! So make sure it's there. After this, you should have the protocol working so you can say:
$ git clone git://git.themanfromspud.com/gitosis-admin.git
Initialized empty Git repository in /Users/drbob/gitosis-admin/.git/
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 5 (delta 0), reused 5 (delta 0)
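With `--export-all`, git-daemon serves every repository under the base path, which is why the anonymous clone above can fetch `gitosis-admin.git` (the Gitosis configuration and the users' public keys); without that flag it serves only repositories that contain a `git-daemon-export-ok` file. The script below is an added example, not part of the original post, that lists what each mode would expose; the function names are hypothetical and it only looks at `*.git` directories directly under the base path.

```sh
#!/bin/sh
# Added example: list which repositories under a git-daemon --base-path
# are reachable anonymously. Function names are hypothetical.

# A directory counts as a bare repository if it has HEAD and objects/.
is_bare_repo() {
    [ -f "$1/HEAD" ] && [ -d "$1/objects" ]
}

# exported_repos BASE MODE
#   MODE=all    -> what "--export-all" serves (every repository)
#   MODE=marked -> what git-daemon serves without --export-all
#                  (only repositories containing git-daemon-export-ok)
exported_repos() {
    base=${1%/}
    mode=$2
    for repo in "$base"/*.git; do
        is_bare_repo "$repo" || continue
        if [ "$mode" = all ] || [ -e "$repo/git-daemon-export-ok" ]; then
            basename "$repo"
        fi
    done
}

# Repositories that are exposed only because of --export-all.
exposed_by_export_all() {
    base=$1
    for name in $(exported_repos "$base" all); do
        [ -e "${base%/}/$name/git-daemon-export-ok" ] || echo "$name"
    done
}

# Usage on the server described here:
#   exposed_by_export_all /Users/git/repositories/
```

Gitosis can create the marker file itself for a repository whose `[repo ...]` section in gitosis.conf sets `daemon = yes`, so dropping `--export-all` and marking only the public repositories keeps `gitosis-admin.git` off the git:// service.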