Gitolite

Updated 6 May 2019

Gitolite

Gitolite is a convenient way to manage your Git repositories from a single user account. User access to the repositories is managed with SSH-keys+. Gitolite allows flexible access to repositories by managing multiple repositories under a single user account, using SSH keys for authentication. End-users do not have to have accounts on the server, as they will be logged on via a single shared account, which will prevent them from executing custom commands.

Note

The article was written based on using the Git-client in Windows.

Installing Gitolite

To install Gitolite, run:

emerge -a dev-vcs/gitolite

Once the installation is complete, the git+ account will be created, to be accessed without password. The home directory will be /var/lib/gitolite/.

Configuring Gitolite

Create the keys for root:

ssh-keygen -t rsa

Two files will be created:

  • /root/.ssh/id_rsa.pub - public key
  • /root/.ssh/id_rsa - private key

Creating a repository with settings

Copy the public key:

cp /root/.ssh/id_rsa.pub /tmp/id_rsa.pub

Initializing Gitolite

Complete the configuration as user git

su git

cd

gitolite setup -pk /tmp/id_rsa.pub

exit

Note

The -pk+ key allows you to delete data from the previous Gitolite configuration if it was available back then.

Delete the temporary copy of the public key:

rm /tmp/id_rsa.pub

If you intend to use GitWeb, edit the directory permissions, so that the configuration repository be invisible online:

chmod 700 /var/lib/gitolite/repositories/gitolite-admin.git

Configuring the user repository

Copy the configuration repository to ~/tmp/gitolite-admin~~:

git clone git@имя_сервера:gitolite-admin.git /tmp/gitolite-admin

Go to the directory where the settings are stored:

cd /tmp/gitolite-admin

Copy the public key of ~gituser~~ to /tmp/gitolite-admin/keydir in any way you like, e.g. by using the scp command to copy files securely:

scp root@userhostname:/home/gituser/.ssh/id_rsa.pub ./keydir/gituser.pub

Note

The name of the client's public key file in /tmp/gitolite-admin/keydir is also the user's name in Gitolite.

Configure a new repository, ~project1 belonging to gituser~~:

/tmp/gitolite-admin/conf/gitolite.conf

repo    gitolite-admin
RW+     =    id_rsa

repo    project1
RW+     =    gituser
Permissions, access, and groups

Permissions may be specified as follows:
"R" - read only
"RW" - read and commit allowed, rewind not allowed (push --force)
"RW+" - full access
"RWC" - allowed to create a branch
"RWC" - allowed to remove a branch
"-" - write access denied


May be accessed:
"master@"" - branches
"ref/tags" - tags, or versions
"NAME/file_name" - file or directory names


Use the following syntax to create a group:
"@groupname" = user1 user2 user3


The same is used to group branches:
@importantbranches = master$ developer$ test$
repo testing
RW @importantbranches = @groupname
- @importantbranches = @groupname
RW+ = @groupname

Edit and save the new settings:

git commit -am "Granted full access for gituser@remotehost to project1""

git push origin master

Creating a new repository

In Gitolite, you do not need to create a repository with --bare init first - just add it to the configuration file. The repository will be available to the user on their PC with an SSH public key, i.e. not protected by a password:

git clone ssh://git@имя_сервера/project1.git

Checking sshd

rc-status | grep sshd
 sshd                                                              [  started  ]

git+ must be allowed SSH access:

/etc/ssh/sshd_config

AllowUsers git

Configuring the Git daemon

/etc/conf.d/git-daemon

GITDAEMON_OPTS="--syslog --port=9418 --reuseaddr --base-path=/var/lib/gitolite/repositories/ --export-all" 
GIT_USER="apache"

Note

If failing to restart, change the port number --port=9418 to another number, restart git-daemon, change it back and restart git-daemon again.

Creating a private user key in Linux

When logged in as the user on the user's computer, run the following:

ssh-keygen -t rsa

Two files will be created in the ~/.ssh directory:

  • id_rsa - private key
  • id_rsa.pub - public key

If the public key is stored in the keys+ directory of the Gitolite configuration repository on the server, and if conf/gitolite.conf has been edited to give access to the repositories, the user will be given this access.

Creating a key for users in Windows

To create a private RSA key, use ssh-keygen.exe, integrated into the MinGW32 environment.

As a result, two files will be created in C:\Users\username\.ssh:

  • id_rsa - private key
  • id_rsa.pub - public key

Important

Do not rename SSH private and public keys, as MinGW32 + Git-2.6.3 (32-bit) only operate with a key named id_rsa.

Configuring access to repository files

When saving repository files, Gitolite assigns them to the git+ user and group. The permissions are set according to the UMASK parameter in /var/lib/gitolite/.gitolite.rc. It may be important if the Git daemon is not started under the git+ user.

Examples of repository access permissions

Allow the developers group to do anything with the repository, except modification of the master branch:

conf/gitolite.conf

repo myrep
    -    master$ = @developers
    RW+          = @developers

Disable rewind for master (this rule means that the @developer group can only commit to the master branch):

conf/gitolite.conf

repo myrep
    RW  master$ = @developers

Allow the developers group to do anything with the repository except for creating tags (only ~maindeveloper can do this):

conf/gitolite.conf

repo myrep
 RW+ refs/tags = maindeveloper
 -   refs/tags = @developers
 RW            = developers