Git is awesome and you want it in your large company? Then you will need to take into account some of the unique characteristics of such an environment. Namely: - centralization - authentication - authorization (and more, detailed in this presentation)

1. DVCS in big Corporation
November, 14th 2011 DVCS in big Corporation

2. DVCS in big Corporation
About Challenges Solutions
● Me ● Authentication ● Centralization
● DVCS ● Authorization ● Visualization
November, 14th 2011 DVCS in big Corporation

3. Quick notes
November, 14th 2011 DVCS in big Corporation

4. About : me
November, 14th 2011 DVCS in big Corporation

5. About : me on SO
100K+
Many times during the day
Every single day
A Lot Rep ask@me
November, 14th 2011 DVCS in big Corporation

6. CVCS
Client side Server side
November, 14th 2011 DVCS in big Corporation

7. And then, a miracle:
November, 14th 2011 DVCS in big Corporation

8. DVCS
Client side Server side
November, 14th 2011 DVCS in big Corporation

9. Git on a client
November, 14th 2011 DVCS in big Corporation

10. Git on a client
eclipse
November, 14th 2011 DVCS in big Corporation

11. Git on a client
eclipse
November, 14th 2011 DVCS in big Corporation

12. Reaction?
Not enthusiastic
November, 14th 2011 DVCS in big Corporation

13. Issues? Authentication.
Who is VonC?
X41064
LDAP
November, 14th 2011 DVCS in big Corporation

14. Issues? Communication
November, 14th 2011 DVCS in big Corporation

15. Issues? Publication
November, 14th 2011 DVCS in big Corporation

16. Centralization
Server
November, 14th 2011 DVCS in big Corporation

17. Centralization
itsvcprd git
November, 14th 2011 DVCS in big Corporation

18. Server
November, 14th 2011 DVCS in big Corporation

19. Server
MUTUALIZED
November, 14th 2011 DVCS in big Corporation

20. Server
November, 14th 2011 DVCS in big Corporation

21. Server: not root
Sudo apt-get install git
November, 14th 2011 DVCS in big Corporation

22. Server: not alone
Services are managed by root
November, 14th 2011 DVCS in big Corporation

23. Server: not in control
/usr/local content can change
at any time
November, 14th 2011 DVCS in big Corporation

24. Help?
November, 14th 2011 DVCS in big Corporation

25. Recompile Everything
November, 14th 2011 DVCS in big Corporation

26. Recompile Everything: root
November, 14th 2011 DVCS in big Corporation

27. Recompile Everything: alone
● Tailored services (ssh, ldap, https)
November, 14th 2011 DVCS in big Corporation

28. Recompile Everything: in control
Your own version of ~/usr/local
November, 14th 2011 DVCS in big Corporation

29. Manual recompilation?
Download sources
November, 14th 2011 DVCS in big Corporation

30. Manual recompilation?
Configure
./configure --prefix=${HULA}/@@NAMEVER@@ --with-lib=${HULL}
./configure --prefix=${HULA}/@@NAMEVER@@ --with-lib=${HULL}
--with-openssl --with-curl --with-expat --with-iconv=${HUL}
--with-openssl --with-curl --with-expat --with-iconv=${HUL}
--with-gitconfig=${HUL}/var/gitconfig --with-editor=vim
--with-gitconfig=${HUL}/var/gitconfig --with-editor=vim
--with-perl=${HULA}/perl/bin/perl --with-zlib=${HUL}
--with-perl=${HULA}/perl/bin/perl --with-zlib=${HUL}
./configure --prefix=${HULA}/@@NAMEVER@@
./configure --prefix=${HULA}/@@NAMEVER@@
--with-tcltk=no --with-python=${HULA}/python/bin/python
--with-tcltk=no --with-python=${HULA}/python/bin/python
--enable-ssl=shared --enable-ssl --with-ssl=${HUL}/ssl
--enable-ssl=shared --enable-ssl --with-ssl=${HUL}/ssl
--enable-proxy --enable-proxy-connect
--enable-proxy --enable-proxy-connect
--enable-proxy-ftp --enable-proxy-http
--enable-proxy-ftp --enable-proxy-http
--with-ldap --enable-ldap
--with-ldap --enable-ldap
--enable-authnz-ldap --enable-authn-alias
--enable-authnz-ldap --enable-authn-alias
./configure --prefix=${HULS}/@@NAMEVER@@
./configure --prefix=${HULS}/@@NAMEVER@@
--with-apr=${HUL} --with-apr-util=${HUL}
--with-apr=${HUL} --with-apr-util=${HUL}
--enable-shared --enable-static
--enable-shared --enable-static
--enable-mods-shared=all --with-z=${HUL} @@WITHOUT_GNU_LD@@
--enable-mods-shared=all --with-z=${HUL} @@WITHOUT_GNU_LD@@
--with-zlib=${HUL} --with-ssl-engine=${HUL}/ssl
--with-zlib=${HUL} --with-ssl-engine=${HUL}/ssl
--without-privsep-user --with-pid-dir=${HUL}/var/run
--without-privsep-user --with-pid-dir=${HUL}/var/run
--with-default-path=@@PATH@@
--with-default-path=@@PATH@@
--with-privsep-path=${HUL}/var/empty @@WITHOUT_GNU_LD@@
--with-privsep-path=${HUL}/var/empty @@WITHOUT_GNU_LD@@
November, 14th 2011 DVCS in big Corporation

31. Manual recompilation?
● Make
● Make install
November, 14th 2011 DVCS in big Corporation

32. Manual recompilation?
Rinse and repeat
Git
Git =
32 libraries
Gcc 3.4.6
Gcc 3.4.6
openssl,libssh2,curl,libiconv,expat,libidn,zlib
openssl,libssh2,curl,libiconv,expat,libidn,zlib
14 applications
openssh
+
openssh
Apache Http, lynx
Apache Http, lynx 4 modules (Perl or ruby)
Subversion, Python, perl
Subversion, Python, perl
November, 14th 2011 DVCS in big Corporation

33. Manual Automated recompilation
November, 14th 2011 DVCS in big Corporation

34. You've got git.
Now What?
November, 14th 2011 DVCS in big Corporation

35. What is missing?
Client side Server side
November, 14th 2011 DVCS in big Corporation

36. Gitolite: authorization script
Client side Server side
gl-auth-command Repo1:
user1, user2
Git command
+ Repo2:
user2, user3
=
Cmd output
November, 14th 2011 DVCS in big Corporation

37. Gitolite: openssh
Client side Server side
gl-auth-command Repo1:
user1, user2
Repo2:
user2, user3
Git command
ssh
Cmd output
November, 14th 2011 DVCS in big Corporation

38. Gitolite: forced command
~/.ssh/authorized_keys
Command=
"compileEverything/gitolite/bin/gl-auth-command
bjensen",
no-port-forwarding,no-X11-forwarding,
no-agent-forwarding,no-pty ssh-rsa
AAAAB3NzaC1yc2EAAA...
November, 14th 2011 DVCS in big Corporation

39. Gitolite: not for users
Client side Server side
gl-auth-command Repo1:
Repo1:
fisheye
user1
Repo2:
Repo2:
sonar
user2
ssh
November, 14th 2011 DVCS in big Corporation

40. SSH is not enough
Client side Server side
ssh gitolite
November, 14th 2011 DVCS in big Corporation

41. Git & “smart http”
Client side Server side
git-
http-backend
httpd
November, 14th 2011 DVCS in big Corporation

42. Gitolite: httpd
Client side LDAP Server side
git-
gl-auth-command http-backend
+
Git command
httpd =
Http answer
November, 14th 2011 DVCS in big Corporation

43. Gitolite: LDAP alias
Httpd.conf
<AuthnProviderAlias ldap myldap>
AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword secret
AuthLDAPURL
ldap://localhost:9011/dc=example,dc=com
?uid?sub?(objectClass=*)
</AuthnProviderAlias>
November, 14th 2011 DVCS in big Corporation

44. Gitolite: REMOTE_USER
Httpd.conf
ScriptAlias /hgit/
compileEverything/gitolite/bin/gl-auth-command/
<Location /hgit>
AuthName "LDAP authentication for ITSVC
Smart HTTP Git repositories"
AuthBasicProvider myldap
Require valid-user
AddHandler cgi-script cgi
</Location>
November, 14th 2011 DVCS in big Corporation

45. Gitolite: https://itsvcprdgit:8453/hgit
Httpd.conf
# GitHttp on 8453
<VirtualHost itsvcprdgit.world.company:8453>
ServerName itsvcprdgit.world.company
ServerAlias itsvcprdgit
SetEnv GIT_PROJECT_ROOT /path/to/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv GITOLITE_HTTP_HOME
/home/auser/compileEverything
November, 14th 2011 DVCS in big Corporation

46. Httpd: multi-domain SSL certificate
Client side Server side
itsvcprdgit
httpdX509v3X509v3 Subject Alternative Name:
extensions:
DNS:itsvcprdgit.world.company,
DNS:itsvcprdgit
itsvcprdgit.world.company
November, 14th 2011 DVCS in big Corporation

47. Are we there yet?
Client side Server side
ssh gitolite
httpd
November, 14th 2011 DVCS in big Corporation

48. GitWeb
November, 14th 2011 DVCS in big Corporation

49. gitweb.cgi ?
Client side Server side
Gitweb.cgi
gl-auth-command
httpd
?
November, 14th 2011 DVCS in big Corporation

50. GitWeb: GL_USER
~/gitweb/gitweb.conf.pl
# finally the user name
$ENV{GL_USER} = $cgi->remote_user || "gitweb";
# now get gitolite stuff in...
unshift @INC, $ENV{GL_BINDIR};
require gitolite; gitolite -> import;
November, 14th 2011 DVCS in big Corporation

51. GitWeb: repo_rights()
~/gitweb/gitweb.conf.pl
$export_auth_hook = sub {
my $repo = shift;
return unless $repo =~ s/^Q$projectrootE/?
(.+).git$/$1/;
# check for (at least) "R" permission
my ($perm, $creator) = &repo_rights($repo);
return ($perm =~ /R/);
};
November, 14th 2011 DVCS in big Corporation

52. GitWeb: https://itsvcprdgit:8443/git
Httpd.conf
DocumentRoot compileEverything/gitweb
Alias /git compileEverything/gitweb
<Directory compileEverything/gitweb>
AuthBasicProvider myldap
AddHandler cgi-script cgi
DirectoryIndex gitweb.cgi
</Directory>
November, 14th 2011 DVCS in big Corporation

53. Are we there now?
Client side Server side
ssh gitolite
httpd
gitweb
November, 14th 2011 DVCS in big Corporation

54. CGit
November, 14th 2011 DVCS in big Corporation

55. cgit.cgi ?
Client side Server side
cgit.cgi
gl-auth-command
httpd
November, 14th 2011 DVCS in big Corporation

56. CGit: repo_rights()
~/cgit/cgit.pl
if ($request_uri ne "/cgit/" && $request_uri ne
"/cgit/cgit.pl/") {
(my $repo)=($path_info =~ //([^/]+)/);
my ($perm, $creator) = &repo_rights($repo);
if ($perm =~ /R/)
system("compileEverything/cgit/cgit.cgi");
else
print " <h1>HTTP Status 403 - Access is
denied</h1>n"; }
November, 14th 2011 DVCS in big Corporation

57. CGit: https://itsvcprdgit:8463/cgit
Httpd.conf
DocumentRoot compileEverything/cgit
Alias /cgit compileEverything/cgit
<Directory compileEverything/cgit>
AuthBasicProvider myldap
SetEnv GIT_PROJECT_ROOT=.../repositories
AddHandler cgi-script .cgi .pl
DirectoryIndex cgit.pl
</Directory>
November, 14th 2011 DVCS in big Corporation

58. And now?
Client side Server side
ssh
httpd https://itsvcprdgit:8453/hgit
https://itsvcprdgit:8443/git
gitweb
https://itsvcprdgit:8463/cgit
cgit
November, 14th 2011 DVCS in big Corporation

59. What do they want?
Client side Server side
ssh
httpd https://itsvc/hgit NO PORT
NUMBER
https://itsvc/git
gitweb
SHORT
https://itsvc/cgit NAMES
cgit
November, 14th 2011 DVCS in big Corporation

60. Reverse Proxy
Client side Server side
ssh
httpd
itsvc
gitweb
cgit
November, 14th 2011 DVCS in big Corporation

61. NGinx: https://itsvc/xxx
nginx.conf
location /hgit/ {
proxy_pass
https://itsvcprdgit.world.company:8453/hgit/;}
location /git/ {
proxy_pass
https://itsvcprdgit.world.company:8443/git/;}
location /cgit/ {
proxy_pass
https://itsvcprdgit.world.company:8463/cgit/;}
November, 14th 2011 DVCS in big Corporation

62. There, there?
Client side Server side
ssh
httpd https://itsvc/hgit
https://itsvc/git
https://itsvc/cgit
November, 14th 2011 DVCS in big Corporation

63. What!?
Client side Server side
November, 14th 2011 DVCS in big Corporation

64. Issue1: authorname
November, 14th 2011 DVCS in big Corporation

65. Issue1: gitolite + hook
Client side Server side
gl-auth-command
Pre-receive
hook
November, 14th 2011 DVCS in big Corporation

66. Issue1: pre-receive hook
glog=`git log --format='%cn~%h~%s' $new --not
--all`
for cns in $glog ; do
atLeastOneCommit=true
echo branch $name: $cns
cn=`echo $cns | cut -d~ -f1`
hash=`echo $cns | cut -d~ -f2`
subject=`echo $cns | cut -d~ -f3`
if [ "$cn" = "$GL_USER" ]; then
echo "one commit found with $GL_USER as
committer name"
exit 0
fi
done
November, 14th 2011 DVCS in big Corporation

67. Issue1: pre-receive hook effect
push
remote: no commit with a committer name equals to 'bjensen',
so this push is denied.
November, 14th 2011 DVCS in big Corporation

68. Issue2: Actual user on server
Client side Server side
putty
November, 14th 2011 DVCS in big Corporation

69. Issue2: authorname on server
auser@vonc-VirtualBox:~/gitolite/demo$
../../bin/git commit -m "default user on server"
[master c694ed7] default user on server
Committer: auser <auser@vonc-VirtualBox.(none)>
Your name and email address were configured
automatically based on your username and
hostname.
Please check that they are accurate.
git config --global user.name "Your Name"
git config --global user.email you@exemp.com
November, 14th 2011 DVCS in big Corporation

70. Issue2: putty+ git wrapper
Client side Server side
putty
Git
wrapper
November, 14th 2011 DVCS in big Corporation

71. Issue2: authorname on server
alias agitBjensenItsvcprdgit='alias git="$
{H}/sbin/wgit u
bjensen,bjensen@example.com,itsvcprdgit.world.compan
y,bjensen"'
auser@vonc-VirtualBox:~$ git st
[ bjensen,bjensen@example.com for
itsvcprdgit.world.company ]
# On branch master
nothing to commit (working directory clean)
November, 14th 2011 DVCS in big Corporation

72. Finally, are we there?
Client side Server side
ssh gitolite
Pre-
httpd Git
wrapper
receive
hook
gitweb cgit
November, 14th 2011 DVCS in big Corporation

73. Conclusion: Server is hard
November, 14th 2011 DVCS in big Corporation

74. Conclusion: Application is hard
November, 14th 2011 DVCS in big Corporation

75. Conclusion: Big Corporation
November, 14th 2011 DVCS in big Corporation

76. Any questions?
November, 14th 2011 DVCS in big Corporation

77. DVCS in big Corporation
November, 14th 2011 DVCS in big Corporation
If you need to introduce any tool in a big corporation,
this presentation will help you be ware of the
question you need to be prepare to answer.
This is a more Git-oriented presentation, but most of
it equally applies to Mercurial.

78. DVCS in big Corporation
About Challenges Solutions
● Me ● Authentication ● Centralization
● DVCS ● Authorization ● Visualization
November, 14th 2011 DVCS in big Corporation

79. Quick notes
November, 14th 2011 DVCS in big Corporation
http://www.slideshare.net/dchaffiol/dvcs-in-big-corporation

80. About : me
November, 14th 2011 DVCS in big Corporation
The opinions and elements in this presentations are
mine and does not represent my current or former
clients.

81. About : me on SO
100K+
Many times during the day
Every single day
A Lot Rep ask@me
November, 14th 2011 DVCS in big Corporation

82. CVCS
Client side Server side
November, 14th 2011 DVCS in big Corporation

83. And then, a miracle:
November, 14th 2011 DVCS in big Corporation

84. DVCS
Client side Server side
November, 14th 2011 DVCS in big Corporation

85. Git on a client
November, 14th 2011 DVCS in big Corporation

86. Git on a client
eclipse
November, 14th 2011 DVCS in big Corporation

87. Git on a client
eclipse
November, 14th 2011 DVCS in big Corporation

88. Reaction?
Not enthusiastic
November, 14th 2011 DVCS in big Corporation

89. Issues? Authentication.
Who is VonC?
X41064
LDAP
November, 14th 2011 DVCS in big Corporation

90. Issues? Communication
November, 14th 2011 DVCS in big Corporation

91. Issues? Publication
November, 14th 2011 DVCS in big Corporation

92. Centralization
Server
November, 14th 2011 DVCS in big Corporation

93. Centralization
itsvcprd git
November, 14th 2011 DVCS in big Corporation

94. Server
November, 14th 2011 DVCS in big Corporation

95. Server
MUTUALIZED
November, 14th 2011 DVCS in big Corporation

96. Server
November, 14th 2011 DVCS in big Corporation

97. Server: not root
Sudo apt-get install git
November, 14th 2011 DVCS in big Corporation

98. Server: not alone
Services are managed by root
November, 14th 2011 DVCS in big Corporation

99. Server: not in control
/usr/local content can change
at any time
November, 14th 2011 DVCS in big Corporation

100. Help?
November, 14th 2011 DVCS in big Corporation
http://serverfault.com/questions/281810/how-to-install-packag

101. Recompile Everything
November, 14th 2011 DVCS in big Corporation

102. Recompile Everything: root
November, 14th 2011 DVCS in big Corporation

103. Recompile Everything: alone
● Tailored services (ssh, ldap, https)
November, 14th 2011 DVCS in big Corporation

104. Recompile Everything: in control
Your own version of ~/usr/local
November, 14th 2011 DVCS in big Corporation

105. Manual recompilation?
Download sources
November, 14th 2011 DVCS in big Corporation

106. Manual recompilation?
Configure
./configure --prefix=${HULA}/@@NAMEVER@@ --with-lib=${HULL}
./configure --prefix=${HULA}/@@NAMEVER@@ --with-lib=${HULL}
--with-openssl --with-curl --with-expat --with-iconv=${HUL}
--with-openssl --with-curl --with-expat --with-iconv=${HUL}
--with-gitconfig=${HUL}/var/gitconfig --with-editor=vim
--with-gitconfig=${HUL}/var/gitconfig --with-editor=vim
--with-perl=${HULA}/perl/bin/perl --with-zlib=${HUL}
--with-perl=${HULA}/perl/bin/perl --with-zlib=${HUL}
./configure --prefix=${HULA}/@@NAMEVER@@
./configure --prefix=${HULA}/@@NAMEVER@@
--with-tcltk=no --with-python=${HULA}/python/bin/python
--with-tcltk=no --with-python=${HULA}/python/bin/python
--enable-ssl=shared --enable-ssl --with-ssl=${HUL}/ssl
--enable-ssl=shared --enable-ssl --with-ssl=${HUL}/ssl
--enable-proxy --enable-proxy-connect
--enable-proxy --enable-proxy-connect
--enable-proxy-ftp --enable-proxy-http
--enable-proxy-ftp --enable-proxy-http
--with-ldap --enable-ldap
--with-ldap --enable-ldap
--enable-authnz-ldap --enable-authn-alias
--enable-authnz-ldap --enable-authn-alias
./configure --prefix=${HULS}/@@NAMEVER@@
./configure --prefix=${HULS}/@@NAMEVER@@
--with-apr=${HUL} --with-apr-util=${HUL}
--with-apr=${HUL} --with-apr-util=${HUL}
--enable-shared --enable-static
--enable-shared --enable-static
--enable-mods-shared=all --with-z=${HUL} @@WITHOUT_GNU_LD@@
--enable-mods-shared=all --with-z=${HUL} @@WITHOUT_GNU_LD@@
--with-zlib=${HUL} --with-ssl-engine=${HUL}/ssl
--with-zlib=${HUL} --with-ssl-engine=${HUL}/ssl
--without-privsep-user --with-pid-dir=${HUL}/var/run
--without-privsep-user --with-pid-dir=${HUL}/var/run
--with-default-path=@@PATH@@
--with-default-path=@@PATH@@
--with-privsep-path=${HUL}/var/empty @@WITHOUT_GNU_LD@@
--with-privsep-path=${HUL}/var/empty @@WITHOUT_GNU_LD@@
November, 14th 2011 DVCS in big Corporation

107. Manual recompilation?
● Make
● Make install
November, 14th 2011 DVCS in big Corporation

108. Manual recompilation?
Rinse and repeat
Git
Git =
32 libraries
Gcc 3.4.6
Gcc 3.4.6
openssl,libssh2,curl,libiconv,expat,libidn,zlib
openssl,libssh2,curl,libiconv,expat,libidn,zlib
14 applications
openssh
+
openssh
Apache Http, lynx
Apache Http, lynx 4 modules (Perl or ruby)
Subversion, Python, perl
Subversion, Python, perl
November, 14th 2011 DVCS in big Corporation

109. Manual Automated recompilation
November, 14th 2011 DVCS in big Corporation
https://github.com/VonC/compileEverything

110. You've got git.
Now What?
November, 14th 2011 DVCS in big Corporation

111. What is missing?
Client side Server side
November, 14th 2011 DVCS in big Corporation

112. Gitolite: authorization script
Client side Server side
gl-auth-command Repo1:
user1, user2
Git command
+ Repo2:
user2, user3
=
Cmd output
November, 14th 2011 DVCS in big Corporation
https://github.com/sitaramc/gitolite

113. Gitolite: openssh
Client side Server side
gl-auth-command Repo1:
user1, user2
Repo2:
user2, user3
Git command
ssh
Cmd output
November, 14th 2011 DVCS in big Corporation

114. Gitolite: forced command
~/.ssh/authorized_keys
Command=
"compileEverything/gitolite/bin/gl-auth-command
bjensen",
no-port-forwarding,no-X11-forwarding,
no-agent-forwarding,no-pty ssh-rsa
AAAAB3NzaC1yc2EAAA...
November, 14th 2011 DVCS in big Corporation

115. Gitolite: not for users
Client side Server side
gl-auth-command Repo1:
Repo1:
fisheye
user1
Repo2:
Repo2:
sonar
user2
ssh
November, 14th 2011 DVCS in big Corporation

116. SSH is not enough
Client side Server side
ssh gitolite
November, 14th 2011 DVCS in big Corporation

117. Git & “smart http”
Client side Server side
git-
http-backend
httpd
November, 14th 2011 DVCS in big Corporation

118. Gitolite: httpd
Client side LDAP Server side
git-
gl-auth-command http-backend
+
Git command
httpd =
Http answer
November, 14th 2011 DVCS in big Corporation

119. Gitolite: LDAP alias
Httpd.conf
<AuthnProviderAlias ldap myldap>
AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword secret
AuthLDAPURL
ldap://localhost:9011/dc=example,dc=com
?uid?sub?(objectClass=*)
</AuthnProviderAlias>
November, 14th 2011 DVCS in big Corporation

120. Gitolite: REMOTE_USER
Httpd.conf
ScriptAlias /hgit/
compileEverything/gitolite/bin/gl-auth-command/
<Location /hgit>
AuthName "LDAP authentication for ITSVC
Smart HTTP Git repositories"
AuthBasicProvider myldap
Require valid-user
AddHandler cgi-script cgi
</Location>
November, 14th 2011 DVCS in big Corporation

121. Gitolite: https://itsvcprdgit:8453/hgit
Httpd.conf
# GitHttp on 8453
<VirtualHost itsvcprdgit.world.company:8453>
ServerName itsvcprdgit.world.company
ServerAlias itsvcprdgit
SetEnv GIT_PROJECT_ROOT /path/to/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv GITOLITE_HTTP_HOME
/home/auser/compileEverything
November, 14th 2011 DVCS in big Corporation

122. Httpd: multi-domain SSL certificate
Client side Server side
itsvcprdgit
httpdX509v3X509v3 Subject Alternative Name:
extensions:
DNS:itsvcprdgit.world.company,
DNS:itsvcprdgit
itsvcprdgit.world.company
November, 14th 2011 DVCS in big Corporation

123. Are we there yet?
Client side Server side
ssh gitolite
httpd
November, 14th 2011 DVCS in big Corporation

124. GitWeb
November, 14th 2011 DVCS in big Corporation

125. gitweb.cgi ?
Client side Server side
Gitweb.cgi
gl-auth-command
httpd
?
November, 14th 2011 DVCS in big Corporation

126. GitWeb: GL_USER
~/gitweb/gitweb.conf.pl
# finally the user name
$ENV{GL_USER} = $cgi->remote_user || "gitweb";
# now get gitolite stuff in...
unshift @INC, $ENV{GL_BINDIR};
require gitolite; gitolite -> import;
November, 14th 2011 DVCS in big Corporation

127. GitWeb: repo_rights()
~/gitweb/gitweb.conf.pl
$export_auth_hook = sub {
my $repo = shift;
return unless $repo =~ s/^Q$projectrootE/?
(.+).git$/$1/;
# check for (at least) "R" permission
my ($perm, $creator) = &repo_rights($repo);
return ($perm =~ /R/);
};
November, 14th 2011 DVCS in big Corporation

128. GitWeb: https://itsvcprdgit:8443/git
Httpd.conf
DocumentRoot compileEverything/gitweb
Alias /git compileEverything/gitweb
<Directory compileEverything/gitweb>
AuthBasicProvider myldap
AddHandler cgi-script cgi
DirectoryIndex gitweb.cgi
</Directory>
November, 14th 2011 DVCS in big Corporation

129. Are we there now?
Client side Server side
ssh gitolite
httpd
gitweb
November, 14th 2011 DVCS in big Corporation

130. CGit
November, 14th 2011 DVCS in big Corporation

131. cgit.cgi ?
Client side Server side
cgit.cgi
gl-auth-command
httpd
November, 14th 2011 DVCS in big Corporation

132. CGit: repo_rights()
~/cgit/cgit.pl
if ($request_uri ne "/cgit/" && $request_uri ne
"/cgit/cgit.pl/") {
(my $repo)=($path_info =~ //([^/]+)/);
my ($perm, $creator) = &repo_rights($repo);
if ($perm =~ /R/)
system("compileEverything/cgit/cgit.cgi");
else
print " <h1>HTTP Status 403 - Access is
denied</h1>n"; }
November, 14th 2011 DVCS in big Corporation

133. CGit: https://itsvcprdgit:8463/cgit
Httpd.conf
DocumentRoot compileEverything/cgit
Alias /cgit compileEverything/cgit
<Directory compileEverything/cgit>
AuthBasicProvider myldap
SetEnv GIT_PROJECT_ROOT=.../repositories
AddHandler cgi-script .cgi .pl
DirectoryIndex cgit.pl
</Directory>
November, 14th 2011 DVCS in big Corporation

134. And now?
Client side Server side
ssh
httpd https://itsvcprdgit:8453/hgit
https://itsvcprdgit:8443/git
gitweb
https://itsvcprdgit:8463/cgit
cgit
November, 14th 2011 DVCS in big Corporation

135. What do they want?
Client side Server side
ssh
httpd https://itsvc/hgit NO PORT
NUMBER
https://itsvc/git
gitweb
SHORT
https://itsvc/cgit NAMES
cgit
November, 14th 2011 DVCS in big Corporation

136. Reverse Proxy
Client side Server side
ssh
httpd
itsvc
gitweb
cgit
November, 14th 2011 DVCS in big Corporation

137. NGinx: https://itsvc/xxx
nginx.conf
location /hgit/ {
proxy_pass
https://itsvcprdgit.world.company:8453/hgit/;}
location /git/ {
proxy_pass
https://itsvcprdgit.world.company:8443/git/;}
location /cgit/ {
proxy_pass
https://itsvcprdgit.world.company:8463/cgit/;}
November, 14th 2011 DVCS in big Corporation

138. There, there?
Client side Server side
ssh
httpd https://itsvc/hgit
https://itsvc/git
https://itsvc/cgit
November, 14th 2011 DVCS in big Corporation

139. What!?
Client side Server side
November, 14th 2011 DVCS in big Corporation

140. Issue1: authorname
November, 14th 2011 DVCS in big Corporation

141. Issue1: gitolite + hook
Client side Server side
gl-auth-command
Pre-receive
hook
November, 14th 2011 DVCS in big Corporation

142. Issue1: pre-receive hook
glog=`git log --format='%cn~%h~%s' $new --not
--all`
for cns in $glog ; do
atLeastOneCommit=true
echo branch $name: $cns
cn=`echo $cns | cut -d~ -f1`
hash=`echo $cns | cut -d~ -f2`
subject=`echo $cns | cut -d~ -f3`
if [ "$cn" = "$GL_USER" ]; then
echo "one commit found with $GL_USER as
committer name"
exit 0
fi
done
November, 14th 2011 DVCS in big Corporation

143. Issue1: pre-receive hook effect
push
remote: no commit with a committer name equals to 'bjensen',
so this push is denied.
November, 14th 2011 DVCS in big Corporation

144. Issue2: Actual user on server
Client side Server side
putty
November, 14th 2011 DVCS in big Corporation

145. Issue2: authorname on server
auser@vonc-VirtualBox:~/gitolite/demo$
../../bin/git commit -m "default user on server"
[master c694ed7] default user on server
Committer: auser <auser@vonc-VirtualBox.(none)>
Your name and email address were configured
automatically based on your username and
hostname.
Please check that they are accurate.
git config --global user.name "Your Name"
git config --global user.email you@exemp.com
November, 14th 2011 DVCS in big Corporation

146. Issue2: putty+ git wrapper
Client side Server side
putty
Git
wrapper
November, 14th 2011 DVCS in big Corporation

147. Issue2: authorname on server
alias agitBjensenItsvcprdgit='alias git="$
{H}/sbin/wgit u
bjensen,bjensen@example.com,itsvcprdgit.world.compan
y,bjensen"'
auser@vonc-VirtualBox:~$ git st
[ bjensen,bjensen@example.com for
itsvcprdgit.world.company ]
# On branch master
nothing to commit (working directory clean)
November, 14th 2011 DVCS in big Corporation

148. Finally, are we there?
Client side Server side
ssh gitolite
Pre-
httpd Git
wrapper
receive
hook
gitweb cgit
November, 14th 2011 DVCS in big Corporation

149. Conclusion: Server is hard
November, 14th 2011 DVCS in big Corporation

150. Conclusion: Application is hard
November, 14th 2011 DVCS in big Corporation

151. Conclusion: Big Corporation
November, 14th 2011 DVCS in big Corporation

152. Any questions?
November, 14th 2011 DVCS in big Corporation