Managing Git repositories with Gitosis

In a collaborative development environment, such as a company that wants its customers to be able to consult the code while it is being developed, we often want to control both read and write access to our code repositories. In the Git world, gitosis gives us an easier way to set up these controls.

Gitosis is a tool that lets us control access to Git repositories: it can grant read access, grant write access, or deny access altogether. This is very useful when, as in our case, we give a client access to an application's code while it is being developed (the client gets read-only access to that project and is denied access to every other project repository). Gitosis manages multiple repositories with a single server user account, using SSH keys to identify users. Users therefore do not need an account of their own on the server, and the access control is completely transparent to them.

Enough talk, let's go to the party!

Installing Gitosis

Note: All the examples below were made with Ubuntu and a Debian server, but I think they are useful for any Linux distribution. Gitosis is written in Python, so Python must be installed on your system, along with the python-setuptools package.

First of all, you have to download and install gitosis on your server. The gitosis source is managed with Git, so downloading it is as simple as:

git clone git://eagain.net/gitosis.git

After the download, let's do the installation:

cd gitosis
python setup.py install

After this, we must create a user account on the server to handle the whole thing, named git and with home directory /home/git:

sudo adduser --system --shell /bin/sh --gecos 'git version control' --group --disabled-password --home /home/git git

To continue the installation you need an SSH key pair on the computer where you develop your projects. If you do not have one, create it on that machine:

ssh-keygen -t rsa

The public key will be in $HOME/.ssh/id_rsa.pub. Copy this file to the server where you installed gitosis (e.g. to /tmp). Then execute this command on the server:

sudo -H -u git gitosis-init < /tmp/id_rsa.pub

This initializes gitosis with your key. If everything has gone well, you should get the following message on the screen:

Initialized empty Git repository in ./
Initialized empty Git repository in ./

Before finishing the tasks on the server, we change the permissions on a hook to prevent some problems:

sudo chmod 755 /home/git/repositories/gitosis-admin.git/hooks/post-update

Once done, we will have completed the tasks on the server. Then open a terminal on your development computer and execute:

git clone git@YOUR_SERVER:gitosis-admin.git
cd gitosis-admin

Now we have everything we need to work with gitosis, create new repositories for our projects and add new users. We make changes in the configuration file, commit and push them, and then gitosis, as if by magic, creates the new repository, modifies the permissions, etc., transparently and effortlessly.

We will see examples of both: creating repositories and adding new users.

Create new repositories

Before you begin, go to the directory where we cloned gitosis-admin and take a look at the default configuration file, gitosis.conf:

[gitosis]

[group gitosis-admin]
writable = gitosis-admin
members = ramon@ramon-laptop

The members line is a combination of your user name and the name of your machine (hostname). It seems easy to see how to create new repositories, right? Then let's get to work.

To create a new repository, we just need to give write permissions and make an initial push. We start by writing this in our configuration file:

[group big_project_team]
members = ramon@ramon-laptop
writable = big_project

We have just defined a new group called "big_project_team" (the name is only an identifier), with one member, that has write permission to the repository "big_project".

At this point, you must save the changes, commit and push:

git commit -a -m "Allow ramon write access to big_project"
git push

This only gives write permission; it has not yet created a repository on the server. What you need to do is create it locally and make a push:

mkdir big_project
cd big_project
git init
git remote add origin git@YOUR_SERVER:big_project.git

# make some changes in files and then git add and commit

git push origin master:refs/heads/master

Once the push is finished, the repository will be created automatically on the server and we can start using it as if it were a normal repository.

Adding new users

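Finally, let's see how we can add new users to projects/repositories and give them different access levels.

Suppose we want to add a user whose public key we already have (e.g. the file marta.pub, for the user name marta@laptop). Gitosis takes each user's name from the name of the key file in keydir, without the .pub extension, so we save the key under the name we will use in gitosis.conf. Then we just add the key to gitosis and set up access:

cd gitosis-admin
cp /tmp/marta.pub keydir/marta@laptop.pub
git add keydir/marta@laptop.pub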

Now we need to give access, for example, to the project we created in the previous section. Open the gitosis.conf file and modify the relevant section:

[group big_project_team]
members = ramon@ramon-laptop marta@laptop
writable = big_project

Once done, we just need to commit and push:

git commit -a -m "Allow Marta write access to big_project"
git push

And then, she will be able to clone the repository from her machine by running the command:

git clone git@YOUR_SERVER:big_project.git
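
Before pushing a change to gitosis-admin it helps to check who ends up with which access. The following added example (not part of the original post, nor gitosis code) parses a gitosis.conf and reports each user's access per repository, and flags members that have no matching key file in keydir, since gitosis names each user after the key file (NAME.pub). It assumes the readonly option, gitosis's read-only counterpart of writable, which the configuration above does not show; the group big_project_clients and the user client@office are made up, and @group references in members are not expanded.

```python
import configparser

# Constructed sample: this page's gitosis.conf plus a hypothetical read-only
# group for a client ("client@office" is a made-up user name).
SAMPLE_CONF = """
[gitosis]
[group gitosis-admin]
writable = gitosis-admin
members = ramon@ramon-laptop

[group big_project_team]
members = ramon@ramon-laptop marta@laptop
writable = big_project

[group big_project_clients]
members = client@office
readonly = big_project
"""
# Constructed keydir listing in which Marta's key was saved as marta.pub.
SAMPLE_KEYDIR = ["ramon@ramon-laptop.pub", "marta.pub", "client@office.pub"]


def audit(conf_text, keydir_files):
    """Return (access, members_without_key, keys_without_member)."""
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    access = {}  # user -> {repo: "read" or "write"}
    for section in parser.sections():
        if not section.startswith("group "):
            continue
        members = parser.get(section, "members", fallback="").split()
        for level, option in (("read", "readonly"), ("write", "writable")):
            for repo in parser.get(section, option, fallback="").split():
                for user in members:
                    repos = access.setdefault(user, {})
                    if repos.get(repo) != "write":  # write always wins
                        repos[repo] = level
    # gitosis names each user after the key file: keydir/NAME.pub -> NAME
    key_users = {f[:-4] for f in keydir_files if f.endswith(".pub")}
    no_key = sorted(set(access) - key_users)
    unused = sorted(key_users - set(access))
    return access, no_key, unused


if __name__ == "__main__":
    access, no_key, unused = audit(SAMPLE_CONF, SAMPLE_KEYDIR)
    for user in sorted(access):
        print(user, access[user])
    print("members without a key:", no_key, "| unused keys:", unused)
```

To run it against a real checkout, pass the text of gitosis.conf and the output of os.listdir("keydir") from your gitosis-admin clone.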

At this point, I can only say "try it", and if you have any doubt or question, leave a comment. At the time I relied on this article to learn how to configure it, and I followed it in writing this post.