Improve system documentation
[cacert-infradocs.git] / docs / systems / git.rst
.. index::
   single: Systems; Git

===
Git
===

Purpose
=======

`Git`_ server for the :wiki:`Software` development and :wiki:`System
Administration <SystemAdministration/Team>` teams.

.. _Git: https://www.git-scm.com/

Application Links
-----------------

Gitweb
   http://git.cacert.org/gitweb/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Git         | :ref:`people_jandd` |
+-------------+---------------------+
| Gitweb      | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* git-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_neo` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.250`
:IP Intranet: :ip:v4:`172.16.2.250`
:IP Internal: :ip:v4:`10.0.0.250`
:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Git

Monitoring
----------

:internal checks: :monitor:`git.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Git

===================== ======== ============================================
Name                  Type     Content
===================== ======== ============================================
git.cacert.org.       IN A     213.154.225.250
git.cacert.org.       IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
git.cacert.org.       IN SSHFP 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
git.cacert.org.       IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
git.cacert.org.       IN SSHFP 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
git.cacert.org.       IN SSHFP 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
git.cacert.org.       IN SSHFP 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
git.cacert.org.       IN SSHFP 4 1 13D611007B43D073CF4D89784510398116623EB7
git.cacert.org.       IN SSHFP 4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751
git.intra.cacert.org. IN A     172.16.2.250
===================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+-----------------------------+
| Port     | Service | Origin  | Purpose                     |
+==========+=========+=========+=============================+
| 22/tcp   | ssh     | ANY     | admin console access        |
+----------+---------+---------+-----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
+----------+---------+---------+-----------------------------+
| 80/tcp   | http    | ANY     | application                 |
+----------+---------+---------+-----------------------------+
| 443/tcp  | https   | ANY     | application                 |
+----------+---------+---------+-----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service   |
+----------+---------+---------+-----------------------------+
| 9418/tcp | git     | ANY     | Git daemon port             |
+----------+---------+---------+-----------------------------+

.. todo:: disable the insecure git-daemon port and plain http for git; replace
   them with https for read access and git+ssh for write access

Running services
----------------

.. index::
   single: Apache httpd
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog
   single: git-daemon

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Apache httpd       | Webserver for       | init script                            |
|                    | gitweb              | :file:`/etc/init.d/apache2`            |
|                    |                     |                                        |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
|                    | submission          |                                        |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| runit              | service supervision | :file:`/etc/inittab` entry             |
|                    | for git-daemon      |                                        |
+--------------------+---------------------+----------------------------------------+
| git-daemon         | Daemon for native   | runit service description in           |
|                    | Git protocol        | :file:`/etc/sv/git-daemon/run`         |
|                    | access              |                                        |
+--------------------+---------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`jenkins` for git repository access

Outbound network connections
----------------------------

* crl.cacert.org (rsync) for getting CRLs
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`jenkins` for triggering web hooks

Security
========

.. sshkeys::
   :RSA: SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU MD5:b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
   :DSA: SHA256:AMIMJra5oCa7sRtcRcvsXTq0SgOdwPCXytiDdNNWfQE MD5:27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
   :ECDSA: SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ MD5:b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
   :ED25519: SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E MD5:38:6b:90:f7:8b:c7:b2:cf:cd:86:29:5c:e4:03:fa:35

Dedicated user roles
--------------------

+-----------------+----------------------------------------------------+
| Group           | Purpose                                            |
+=================+====================================================+
| git-birdshack   | access to :wiki:`BirdShack` git repositories       |
+-----------------+----------------------------------------------------+
| softass         | Software assessors                                 |
+-----------------+----------------------------------------------------+
| git-boardvoting | access to board voting git repository              |
+-----------------+----------------------------------------------------+
| git-rccrtauth   | access to Roundcube certificate authentication git |
|                 | repository                                         |
+-----------------+----------------------------------------------------+
| git-infra       | access to infrastructure git repositories          |
+-----------------+----------------------------------------------------+

.. todo:: think about regulating git access with a proper git repository
   manager like gitolite or gitea

Non-distribution packages and modifications
-------------------------------------------

Gitweb has been modified to use https for `Gravatar`_ lookups:

.. code-block:: diff

   --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
   +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
   @@ -2064,7 +2064,7 @@
    my $email = lc shift;
    my $size = shift;
    $avatar_cache{$email} ||=
   - "http://www.gravatar.com/avatar/" .
   + "https://secure.gravatar.com/avatar/" .
    Digest::MD5::md5_hex($email) . "?s=";
    return $avatar_cache{$email} . $size;
    }
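Review bot: the patched file is the package-owned :file:`/usr/share/gitweb/gitweb.cgi` (see the ``+++`` header), so the next upgrade of the gitweb package will silently overwrite the change and gitweb will fall back to the plain-http ``http://www.gravatar.com/avatar/`` URL. Keep the diff under ``configdiff/`` the way the Apache, gitweb.conf and git-daemon changes are kept (or protect the file with ``dpkg-divert``), and add a check to the post-upgrade routine that the installed file still contains ``https://secure.gravatar.com/avatar/``.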

.. _Gravatar: http://www.gravatar.com/


Risk assessments on critical packages
-------------------------------------

The package git-daemon-run exposes the native git protocol, which is prone to
man-in-the-middle attacks that could hand out modified code to users.
Alternatives (ssh, https) exist, so git-daemon support should be disabled.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: git.cacert.org
   :altnames: DNS:git.cacert.org
   :certfile: /etc/ssl/public/git.c.o.chain.crt
   :keyfile: /etc/ssl/private/git.c.o.key
   :serial: 1381E7
   :expiration: Mar 16 09:28:01 2020 GMT
   :sha1fp: 23:0D:DC:34:D5:4D:B0:96:9C:6B:A6:18:69:5C:5C:5F:80:62:DC:A6
   :issuer: CA Cert Signing Authority

The chain file :file:`/etc/ssl/public/git.c.o.chain.crt` also contains the
CAcert.org Class 1 certificate.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index:: Git repositories

Git repositories
----------------

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

Apache httpd serves the gitweb interface via http and https. The http
VirtualHost redirects all traffic to https. The following changes have been
applied to the Debian package's Apache httpd configuration:

.. literalinclude:: ../configdiff/git/git-apache-config.diff
   :language: diff

.. index::
   pair: Gitweb; configuration

Gitweb configuration
--------------------

Gitweb is configured in :file:`/etc/gitweb.conf`, which has the following
changes compared to the version contained in the distribution package:

.. literalinclude:: ../configdiff/git/gitweb.conf.diff
   :language: diff

.. index::
   pair: runit; configuration
   pair: git-daemon; configuration

git-daemon configuration
------------------------

The git-daemon is started by runit. Its configuration is stored in
:file:`/etc/sv/git-daemon/run` and has the following changes compared to the
version contained in the distribution package git-daemon-run:

.. literalinclude:: ../configdiff/git/git-daemon-run.diff
   :language: diff

The runit service handling is triggered through :file:`/etc/inittab`.

Tasks
=====

Changes
=======

Planned
-------

.. todo:: enable IPv6

System Future
-------------

* No plans

Additional documentation
========================

Adding a git repository
-----------------------

The git repositories are stored in :file:`/var/cache/git/`. To create a new
repository use:

.. code-block:: shell

   cd /var/cache/git/
   git init --bare --shared=group <reponame.git>
   chgrp -R <groupname> <reponame.git>

The gitweb index is built from all repositories that contain a file
:file:`git-daemon-export-ok`. You should also put a description in the
repository's :file:`description` file and set the repository owner via:

.. code-block:: shell

   cd <reponame.git>
   git config gitweb.owner "Owner information"
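The manual steps above collected into one shell function, as an added example that is not part of this documentation or of CAcert's own tooling. It takes the repository root as a parameter (an assumption, so it can be exercised against a scratch directory instead of :file:`/var/cache/git/`), checks its inputs, and refuses to touch a directory that already exists, so a repository is never left half-configured.

```shell
#!/bin/sh
# Added example, not part of the cacert-infradocs page or the CAcert tooling.
# Wraps the steps from "Adding a git repository" into one function. The
# repository root is a parameter (assumption: the page always uses
# /var/cache/git/) so the function can be run against a scratch directory.
# Requires git.
set -eu

# usage: create_repo <repo_root> <reponame.git> <groupname> <description> <owner>
create_repo() {
    root="$1"; name="$2"; group="$3"; desc="$4"; owner="$5"
    repo="$root/$name"
    case "$name" in
        *.git) ;;
        *) echo "create_repo: repository name must end in .git" >&2; return 1 ;;
    esac
    if [ -e "$repo" ]; then
        echo "create_repo: $repo already exists, refusing to overwrite" >&2
        return 1
    fi
    # bare, group-writable repository as documented above
    git init --quiet --bare --shared=group "$repo"
    # hand the repository to the dedicated role group (see "Dedicated user roles")
    chgrp -R "$group" "$repo"
    # description shown on the gitweb index page
    printf '%s\n' "$desc" > "$repo/description"
    git -C "$repo" config gitweb.owner "$owner"
    # gitweb only lists repositories that carry this marker file
    : > "$repo/git-daemon-export-ok"
}

# helpers used to check the result of create_repo
repo_owner() { git -C "$1" config gitweb.owner; }
repo_description() { cat "$1/description"; }
repo_exported() { [ -f "$1/git-daemon-export-ok" ]; }
```

On the real system it is called as ``create_repo /var/cache/git reponame.git groupname "Description" "Owner information"`` by a user who is allowed to ``chgrp`` to the role group.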

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Apache httpd documentation
   http://httpd.apache.org/docs/2.4/