DVCS in big corporation

Git is awesome and you want it in your large company?
Then you will need to take into account some of the unique characteristics of such an environment.
Namely:
- centralization
- authentication
- authorization
(and more, detailed in this presentation)


DVCS in big corporation

  1. DVCS in big Corporation (November, 14th 2011)
  2. DVCS in big Corporation. About: Me, DVCS. Challenges: Authentication, Authorization. Solutions: Centralization, Visualization
  3. Quick notes
  4. About: me
  5. About: me on SO. 100K+, Many times during the day, Every single day, A Lot, Rep, ask@me
  6. CVCS (diagram: Client side, Server side)
  7. And then, a miracle:
  8. DVCS (diagram: Client side, Server side)
  9. Git on a client
  10. Git on a client: eclipse
  11. Git on a client: eclipse
  12. Reaction? Not enthusiastic
  13. Issues? Authentication. Who is VonC? X41064. LDAP
  14. Issues? Communication
  15. Issues? Publication
  16. Centralization: Server
  17. Centralization: itsvcprd git
  18. Server
  19. Server: MUTUALIZED
  20. Server
  21. Server: not root. sudo apt-get install git
  22. Server: not alone. Services are managed by root
  23. Server: not in control. /usr/local content can change at any time
  24. Help?
  25. Recompile Everything
  26. Recompile Everything: root
  27. Recompile Everything: alone. Tailored services (ssh, ldap, https)
  28. Recompile Everything: in control. Your own version of ~/usr/local
  29. Manual recompilation? Download sources
  30. Manual recompilation? Configure
        ./configure --prefix=${HULA}/@@NAMEVER@@ --with-lib=${HULL}
        --with-openssl --with-curl --with-expat --with-iconv=${HUL}
        --with-gitconfig=${HUL}/var/gitconfig --with-editor=vim
        --with-perl=${HULA}/perl/bin/perl --with-zlib=${HUL}
        ./configure --prefix=${HULA}/@@NAMEVER@@
        --with-tcltk=no --with-python=${HULA}/python/bin/python
        --enable-ssl=shared --enable-ssl --with-ssl=${HUL}/ssl
        --enable-proxy --enable-proxy-connect
        --enable-proxy-ftp --enable-proxy-http
        --with-ldap --enable-ldap
        --enable-authnz-ldap --enable-authn-alias
        ./configure --prefix=${HULS}/@@NAMEVER@@
        --with-apr=${HUL} --with-apr-util=${HUL}
        --enable-shared --enable-static
        --enable-mods-shared=all --with-z=${HUL} @@WITHOUT_GNU_LD@@
        --with-zlib=${HUL} --with-ssl-engine=${HUL}/ssl
        --without-privsep-user --with-pid-dir=${HUL}/var/run
        --with-default-path=@@PATH@@
        --with-privsep-path=${HUL}/var/empty @@WITHOUT_GNU_LD@@
  31. Manual recompilation? make, make install
  32. Manual recompilation? Rinse and repeat. Git = 32 libraries, 14 applications, 4 modules (Perl or ruby). Also on the slide: Gcc 3.4.6; openssl, libssh2, curl, libiconv, expat, libidn, zlib; openssh; Apache Http, lynx; Subversion, Python, perl
  33. Manual Automated recompilation
  34. You've got git. Now what?
  35. What is missing? (diagram: Client side, Server side)
  36. Gitolite: authorization script (diagram: Client side; Server side: gl-auth-command + Git command = Cmd output; Repo1: user1, user2; Repo2: user2, user3)
  37. Gitolite: openssh (diagram: Client side; Server side: ssh, gl-auth-command, Git command, Cmd output; Repo1: user1, user2; Repo2: user2, user3)
  38. Gitolite: forced command. ~/.ssh/authorized_keys
        command="compileEverything/gitolite/bin/gl-auth-command bjensen",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAA...
  39. Gitolite: not for users (diagram: Client side; Server side: ssh, gl-auth-command; Repo1: fisheye, user1; Repo2: sonar, user2)
  40. SSH is not enough (diagram: Client side; Server side: ssh, gitolite)
  41. Git & “smart http” (diagram: Client side; Server side: httpd, git-http-backend)
  42. Gitolite: httpd (diagram: Client side; LDAP; Server side: httpd, gl-auth-command, git-http-backend + Git command = Http answer)
  43. Gitolite: LDAP alias. Httpd.conf
        <AuthnProviderAlias ldap myldap>
          AuthLDAPBindDN cn=Manager,dc=example,dc=com
          AuthLDAPBindPassword secret
          AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
        </AuthnProviderAlias>
  44. Gitolite: REMOTE_USER. Httpd.conf
        ScriptAlias /hgit/ compileEverything/gitolite/bin/gl-auth-command/
        <Location /hgit>
          AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
          AuthBasicProvider myldap
          Require valid-user
          AddHandler cgi-script cgi
        </Location>
  45. Gitolite: https://itsvcprdgit:8453/hgit. Httpd.conf
        # GitHttp on 8453
        <VirtualHost itsvcprdgit.world.company:8453>
          ServerName itsvcprdgit.world.company
          ServerAlias itsvcprdgit
          SetEnv GIT_PROJECT_ROOT /path/to/repositories
          SetEnv GIT_HTTP_EXPORT_ALL
          SetEnv GITOLITE_HTTP_HOME /home/auser/compileEverything
  46. Httpd: multi-domain SSL certificate (diagram: Client side: itsvcprdgit, itsvcprdgit.world.company; Server side: httpd)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:itsvcprdgit.world.company, DNS:itsvcprdgit
  47. Are we there yet? (diagram: Client side; Server side: ssh, gitolite, httpd)
  48. GitWeb
  49. gitweb.cgi ? (diagram: Client side; Server side: httpd, gitweb.cgi, gl-auth-command ?)
  50. GitWeb: GL_USER. ~/gitweb/gitweb.conf.pl
        # finally the user name
        $ENV{GL_USER} = $cgi->remote_user || "gitweb";
        # now get gitolite stuff in...
        unshift @INC, $ENV{GL_BINDIR};
        require gitolite; gitolite->import;
  51. GitWeb: repo_rights(). ~/gitweb/gitweb.conf.pl
        $export_auth_hook = sub {
            my $repo = shift;
            # strip the project root and the .git suffix to get the gitolite repo name
            return unless $repo =~ s/^\Q$projectroot\E\/?(.+)\.git$/$1/;
            # check for (at least) "R" permission
            my ($perm, $creator) = &repo_rights($repo);
            return ($perm =~ /R/);
        };
  52. GitWeb: https://itsvcprdgit:8443/git. Httpd.conf
        DocumentRoot compileEverything/gitweb
        Alias /git compileEverything/gitweb
        <Directory compileEverything/gitweb>
          AuthBasicProvider myldap
          AddHandler cgi-script cgi
          DirectoryIndex gitweb.cgi
        </Directory>
  53. Are we there now? (diagram: Client side; Server side: ssh, gitolite, httpd, gitweb)
  54. CGit
  55. cgit.cgi ? (diagram: Client side; Server side: httpd, cgit.cgi, gl-auth-command)
  56. CGit: repo_rights(). ~/cgit/cgit.pl
        if ($request_uri ne "/cgit/" && $request_uri ne "/cgit/cgit.pl/") {
            # first path component is the repository name
            (my $repo) = ($path_info =~ /\/([^\/]+)/);
            my ($perm, $creator) = &repo_rights($repo);
            if ($perm =~ /R/) {
                system("compileEverything/cgit/cgit.cgi");
            } else {
                print " <h1>HTTP Status 403 - Access is denied</h1>\n";
            }
        }
  57. CGit: https://itsvcprdgit:8463/cgit. Httpd.conf
        DocumentRoot compileEverything/cgit
        Alias /cgit compileEverything/cgit
        <Directory compileEverything/cgit>
          AuthBasicProvider myldap
          SetEnv GIT_PROJECT_ROOT .../repositories
          AddHandler cgi-script .cgi .pl
          DirectoryIndex cgit.pl
        </Directory>
  58. And now? https://itsvcprdgit:8453/hgit, https://itsvcprdgit:8443/git, https://itsvcprdgit:8463/cgit (diagram: Client side; Server side: ssh, httpd, gitweb, cgit)
  59. What do they want? NO PORT NUMBER, SHORT NAMES: https://itsvc/hgit, https://itsvc/git, https://itsvc/cgit (diagram: Client side; Server side: ssh, httpd, gitweb, cgit)
  60. Reverse Proxy (diagram: Client side; itsvc; Server side: ssh, httpd, gitweb, cgit)
  61. NGinx: https://itsvc/xxx. nginx.conf
        location /hgit/ {
            proxy_pass https://itsvcprdgit.world.company:8453/hgit/;
        }
        location /git/ {
            proxy_pass https://itsvcprdgit.world.company:8443/git/;
        }
        location /cgit/ {
            proxy_pass https://itsvcprdgit.world.company:8463/cgit/;
        }
  62. There, there? https://itsvc/hgit, https://itsvc/git, https://itsvc/cgit (diagram: Client side; Server side: ssh, httpd)
  63. What!? (diagram: Client side, Server side)
  64. Issue1: authorname
  65. Issue1: gitolite + hook (diagram: Client side; Server side: gl-auth-command, pre-receive hook)
  66. Issue1: pre-receive hook
        glog=`git log --format=%cn~%h~%s $new --not --all`
        # read one commit per line: "for cns in $glog" would also split on the
        # spaces inside names and subjects, so a subject word could pass as a name
        while IFS='~' read -r cn hash subject ; do
          [ -n "$hash" ] || continue
          atLeastOneCommit=true
          echo "branch $name: $cn~$hash~$subject"
          if [ "$cn" = "$GL_USER" ]; then
            echo "one commit found with $GL_USER as committer name"
            exit 0
          fi
        done <<EOF
        $glog
        EOF
  67. Issue1: pre-receive hook effect. push
        remote: no commit with a committer name equals to bjensen, so this push is denied.
  68. Issue2: Actual user on server (diagram: Client side: putty; Server side)
  69. Issue2: authorname on server
        auser@vonc-VirtualBox:~/gitolite/demo$ ../../bin/git commit -m "default user on server"
        [master c694ed7] default user on server
         Committer: auser <auser@vonc-VirtualBox.(none)>
        Your name and email address were configured automatically based on your username and hostname.
        Please check that they are accurate.
            git config --global user.name "Your Name"
            git config --global user.email you@exemp.com
  70. Issue2: putty + git wrapper (diagram: Client side: putty; Server side: Git wrapper)
  71. Issue2: authorname on server
        alias agitBjensenItsvcprdgit=alias git="${H}/sbin/wgit ubjensen,bjensen@example.com,itsvcprdgit.world.company,bjensen"
        auser@vonc-VirtualBox:~$ git st
        [ bjensen,bjensen@example.com for itsvcprdgit.world.company ]
        # On branch master
        nothing to commit (working directory clean)
  72. Finally, are we there? (diagram: Client side; Server side: ssh, gitolite, pre-receive hook, httpd, Git wrapper, gitweb, cgit)
  73. Conclusion: Server is hard
  74. Conclusion: Application is hard
  75. Conclusion: Big Corporation
  76. Any questions?
  77. DVCS in big Corporation. If you need to introduce any tool in a big corporation, this presentation will help you be aware of the questions you need to be prepared to answer. This is a more Git-oriented presentation, but most of it equally applies to Mercurial.
  79. Quick notes: http://www.slideshare.net/dchaffiol/dvcs-in-big-corporation
  80. About: me. The opinions and elements in this presentation are mine and do not represent my current or former clients.
  100. Help? http://serverfault.com/questions/281810/how-to-install-packag
  109. Manual Automated recompilation: https://github.com/VonC/compileEverything
  112. Gitolite: authorization script: https://github.com/sitaramc/gitolite
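The forced-command line on slide 38 is what ties each SSH key to a gitolite user, so the file it lives in is worth checking mechanically. The audit below is an added example, not gitolite's or the presentation's code; the function names and the sample keys are constructed, and it assumes the forced command is written with a path ending in `/gl-auth-command <user>` as on the slide.

```shell
#!/bin/sh
# Added example: audit the authorized_keys file of a gitolite hosting account.
# Every key must be pinned to gl-auth-command and carry the restrictions shown
# on the slide; any other key gets a normal shell as the hosting account.

REQUIRED="no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty"

# audit_authorized_keys: reads the file on stdin, prints one finding per line,
# returns 0 only when there are no findings.
audit_authorized_keys() (
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # Value of the forced command, empty when the line has none.
        cmd=$(printf '%s\n' "$line" |
              sed -n 's/.*[Cc]ommand="\([^"]*\)".*/\1/p')
        # Option field: blank the quoted value first (it contains a space),
        # then keep the first word. sshd matches option names without case.
        opts=$(printf '%s\n' "$line" | sed 's/[Cc]ommand="[^"]*"/command=/' |
               cut -d' ' -f1 | tr 'A-Z' 'a-z')
        forced=no
        case ",$opts," in *,command=,*)
            case $cmd in */gl-auth-command' '?*) forced=yes ;; esac ;;
        esac
        if [ "$forced" = no ]; then
            echo "line $n: key is not forced to gl-auth-command"
            bad=$((bad + 1))
            continue
        fi
        user=${cmd##* }
        # "restrict" (OpenSSH 7.2 and later) turns on every restriction at once.
        case ",$opts," in *,restrict,*) continue ;; esac
        for opt in $REQUIRED; do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "line $n ($user): missing $opt"; bad=$((bad + 1)) ;;
            esac
        done
    done
    [ "$bad" -eq 0 ]
)

# Constructed sample: line 2 mirrors the slide, lines 3 and 4 are the two
# mistakes this audit is meant to catch.
sample_keys() {
    cat <<'EOF'
# constructed sample
command="compileEverything/gitolite/bin/gl-auth-command bjensen",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAA... bjensen
ssh-rsa AAAAB3NzaC1yc2EAAA... admin-laptop
command="compileEverything/gitolite/bin/gl-auth-command fisheye",no-pty ssh-rsa AAAAB3NzaC1yc2EAAA... fisheye
EOF
}

sample_keys | audit_authorized_keys || echo "findings above: fix before use"
```

Against a real account, feed it the file directly: `audit_authorized_keys < ~/.ssh/authorized_keys`.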
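The committer check from slides 65 to 67, written out as a complete hook. This is an added example, not the hook from the presentation: it keeps the slide's policy (one commit whose committer name equals `GL_USER` is enough), reads one commit per line so a word in a subject cannot pass as a name, skips ref deletions and denies the push if `git log` itself fails. `GL_COMMITTER_MODE`, the `all` mode and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-receive hook tying pushed commits to the authenticated
# gitolite user. gitolite exports GL_USER before the hook runs.

TAB=$(printf '\t')

# committer_matches USER [any|all]
# Reads "<short-hash><TAB><committer name>" lines on stdin.
#   any: at least one commit is committed by USER (the slide's policy)
#   all: every commit is (stricter mode, an assumption of this example)
committer_matches() (
    user=$1 mode=${2:-any} seen=0 matched=0
    while IFS=$TAB read -r hash cn; do
        [ -n "$hash" ] || continue             # skip blank lines
        seen=$((seen + 1))
        if [ "$cn" = "$user" ]; then
            matched=$((matched + 1))
        else
            echo "commit $hash: committer '$cn' is not '$user'" >&2
        fi
    done
    if [ "$seen" -eq 0 ]; then
        true                                   # nothing new was pushed
    elif [ "$mode" = all ]; then
        [ "$matched" -eq "$seen" ]
    else
        [ "$matched" -gt 0 ]
    fi
)

# check_push: stdin carries "<old> <new> <ref>" lines, as git gives pre-receive.
check_push() (
    mode=${GL_COMMITTER_MODE:-any}             # hypothetical knob of this example
    while read -r old new ref; do
        case $new in *[!0]*) ;; *) continue ;; esac   # all zeros: ref deletion
        # Commits reachable from the pushed tip and from no existing ref.
        commits=$(git log --format="%h%x09%cn" "$new" --not --all </dev/null) ||
            exit 1                             # fail closed when git log fails
        if ! printf '%s\n' "$commits" | committer_matches "$GL_USER" "$mode"; then
            echo "no commit with a committer name equals to $GL_USER," \
                 "so this push to $ref is denied." >&2
            exit 1
        fi
    done
)

if [ -n "${GL_USER:-}" ]; then
    check_push || exit 1                       # hook mode
else
    # Constructed sample: c694ed7 is the commit made as "auser" on slide 69,
    # 1a2b3c4 is made up.
    printf 'c694ed7\tauser\n1a2b3c4\tbjensen\n' | committer_matches bjensen any &&
        echo "sample push accepted for bjensen"
fi
```

The committer name is still whatever the client wrote into the commit; the hook only checks that it agrees with the identity gitolite authenticated.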
