.. cacert-infradocs.git / docs / systems / git.rst (commit 4b59901fa35329eabf81de4427ddad36f6b402bd)

.. index::
   single: Systems; Git

===
Git
===

Purpose
=======

`Git`_ server for the :wiki:`Software` development and :wiki:`System
Administration <SystemAdministration/Team>` teams.

.. _Git: https://www.git-scm.com/

Application Links
-----------------

Gitweb
   http://git.cacert.org/gitweb/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| Git         | :ref:`people_jandd` |
+-------------+---------------------+
| Gitweb      | :ref:`people_jandd` |
+-------------+---------------------+

Contact
-------

* git-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_neo` have :program:`sudo` access on this
machine as well.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.250`
:IP Intranet: :ip:v4:`172.16.2.250`
:IP Internal: :ip:v4:`10.0.0.250`
:MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Git

===================== ======== ============================================
Name                  Type     Content
===================== ======== ============================================
git.cacert.org.       IN A     213.154.225.250
git.cacert.org.       IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
git.cacert.org.       IN SSHFP 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
git.cacert.org.       IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
git.cacert.org.       IN SSHFP 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
git.cacert.org.       IN SSHFP 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
git.cacert.org.       IN SSHFP 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
git.cacert.org.       IN SSHFP 4 1 13D611007B43D073CF4D89784510398116623EB7
git.cacert.org.       IN SSHFP 4 2 40A61A25488FE01C056EAAFF703EF0FF9C6B01BEE00580A91B95741DFAA59751
git.intra.cacert.org. IN A     172.16.2.250
===================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+-----------------------------+
| Port     | Service | Origin  | Purpose                     |
+==========+=========+=========+=============================+
| 22/tcp   | ssh     | ANY     | admin console access        |
+----------+---------+---------+-----------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA  |
+----------+---------+---------+-----------------------------+
| 80/tcp   | http    | ANY     | application                 |
+----------+---------+---------+-----------------------------+
| 443/tcp  | https   | ANY     | application                 |
+----------+---------+---------+-----------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service   |
+----------+---------+---------+-----------------------------+
| 9418/tcp | git     | ANY     | Git daemon port             |
+----------+---------+---------+-----------------------------+

.. todo:: disable insecure git-daemon port and http for git, replace these with
   https for read access and git+ssh for write access

Running services
----------------

.. index::
   single: Apache httpd
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog
   single: git-daemon

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Apache httpd       | Webserver for       | init script                            |
|                    | gitweb              | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/rsyslog`            |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
|                    | submission          |                                        |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| runit              | service supervision | :file:`/etc/inittab` entry             |
|                    | for git-daemon      |                                        |
+--------------------+---------------------+----------------------------------------+
| git-daemon         | Daemon for native   | runit service description in           |
|                    | Git protocol        | :file:`/etc/sv/git-daemon/run`         |
|                    | access              |                                        |
+--------------------+---------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`jenkins` for git repository access

Outbound network connections
----------------------------

* crl.cacert.org (rsync) to fetch CRLs
* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`jenkins` for triggering web hooks

Security
========

.. sshkeys::
   :RSA: SHA256:2rvhdmx5MwccTmlCod/HLCbZ2GfY3uhL7aIQyO+eosU MD5:b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
   :DSA: SHA256:AMIMJra5oCa7sRtcRcvsXTq0SgOdwPCXytiDdNNWfQE MD5:27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
   :ECDSA: SHA256:EyvZhINEAST2uBFxSLAqZmRUd/U8GPl05N7LMqdJVkQ MD5:b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
   :ED25519: SHA256:QKYaJUiP4BwFbqr/cD7w/5xrAb7gBYCpG5V0Hfqll1E MD5:38:6b:90:f7:8b:c7:b2:cf:cd:86:29:5c:e4:03:fa:35
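
The SSHFP records in the `DNS`_ table publish these same host keys in a
different form: the first number is the key algorithm (1 RSA, 2 DSA, 3 ECDSA,
4 Ed25519), the second the digest type (1 SHA-1, 2 SHA-256), followed by the
digest in hex, whereas :program:`ssh-keygen` prints SHA-256 digests as
unpadded base64. The following script is an added example and not part of the
CAcert infrastructure documentation or tooling; it converts the ``SHA256:``
fingerprints above into the SSHFP hex form so the two can be compared, and
checks the derivation against the records :program:`ssh-keygen -r` would emit
for a throwaway key it generates itself (``git.cacert.org`` appears there only
as the record owner name).

```shell
#!/bin/sh
# Added example, not CAcert's own tooling: relate the "SHA256:<base64>" host
# key fingerprints shown above to the "<alg> 2 <hex>" SSHFP records in the DNS
# table, and check a public key file against what ssh-keygen -r would publish.
set -eu

# Turn an unpadded base64 SHA-256 fingerprint, as printed by ssh-keygen -lf,
# into the upper-case hex digest an SSHFP record with fingerprint type 2 holds.
sshfp_hex_from_fingerprint() {
    # 32 digest bytes are 43 base64 characters; one "=" restores the padding.
    printf '%s=\n' "${1#SHA256:}" | base64 -d | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Compute the type-2 digest of an OpenSSH public key file the way ssh-keygen -r
# does: SHA-256 over the raw key blob, i.e. the decoded second field.
sshfp_hex_from_pubkey() {
    awk '{print $2}' "$1" | base64 -d | sha256sum | awk '{print toupper($1)}'
}

# Cross-check both derivations on a throwaway Ed25519 key (algorithm 4): the
# record ssh-keygen -r emits for git.cacert.org must carry the same digest as
# sshfp_hex_from_pubkey, and the SHA256: fingerprint from ssh-keygen -lf must
# convert to it as well. Returns 0 on success; needs ssh-keygen installed.
check_generated_key() {
    dir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C throwaway -f "$dir/key"
    want=$(sshfp_hex_from_pubkey "$dir/key.pub")
    # ssh-keygen -r prints: <owner> IN SSHFP <alg> <fptype> <hex>
    from_dns=$(ssh-keygen -r git.cacert.org -f "$dir/key.pub" | awk '$4 == 4 && $5 == 2 {print toupper($6)}')
    # ssh-keygen -lf prints: <bits> SHA256:<base64> <comment> (<type>)
    from_fp=$(sshfp_hex_from_fingerprint "$(ssh-keygen -lf "$dir/key.pub" | awk '{print $2}')")
    rm -rf "$dir"
    [ "$want" = "$from_dns" ] && [ "$want" = "$from_fp" ]
}
```

With the records published, a client can have OpenSSH compare the offered host
key against DNS with ``ssh -o VerifyHostKeyDNS=yes git.cacert.org``; unless the
zone is DNSSEC-signed and the resolver validates it, OpenSSH treats a match as
informational and still asks for confirmation, so the fingerprints above remain
the out-of-band reference.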
207
Dedicated user roles
--------------------

+-----------------+----------------------------------------------------+
| Group           | Purpose                                            |
+=================+====================================================+
| git-birdshack   | access to :wiki:`BirdShack` git repositories       |
+-----------------+----------------------------------------------------+
| softass         | Software assessors                                 |
+-----------------+----------------------------------------------------+
| git-boardvoting | access to board voting git repository              |
+-----------------+----------------------------------------------------+
| git-rccrtauth   | access to Roundcube certificate authentication git |
|                 | repository                                         |
+-----------------+----------------------------------------------------+
| git-infra       | access to infrastructure git repositories          |
+-----------------+----------------------------------------------------+

.. todo:: think about regulating git access by a proper git repository manager
   like gitolite or gitea

Non-distribution packages and modifications
-------------------------------------------

Gitweb has been modified to use https for `Gravatar`_ lookups:

.. code-block:: diff

   --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
   +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
   @@ -2064,7 +2064,7 @@
    my $email = lc shift;
    my $size = shift;
    $avatar_cache{$email} ||=
   - "http://www.gravatar.com/avatar/" .
   + "https://secure.gravatar.com/avatar/" .
    Digest::MD5::md5_hex($email) . "?s=";
    return $avatar_cache{$email} . $size;
    }
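
Review bot: the ``+++`` header targets the package-managed file
/usr/share/gitweb/gitweb.cgi, so this edit is silently lost the next time the
gitweb package is upgraded, and the section does not say how it is reapplied or
checked; keep the patch under version control and either register the file with
dpkg-divert or add a post-upgrade check such as
``grep -c secure.gravatar.com /usr/share/gitweb/gitweb.cgi``. The ``---``
header names a bare gitweb.cgi while ``+++`` carries the full installed path,
so the patch only applies with ``patch -p0`` from a directory holding a copy of
the original; giving both headers the same relative path would make the
reapplication reproducible.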
247
.. _Gravatar: http://www.gravatar.com/


Risk assessments on critical packages
-------------------------------------

The package git-daemon-run exposes the native Git protocol on 9418/tcp. That
protocol is neither authenticated nor encrypted, so an attacker on the network
path between a user and this host can impersonate the server and hand out
modified code without the client noticing. The two alternatives this host
already offers, ssh and https, authenticate the server, so git-daemon support
should be disabled.
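
Until the daemon is switched off, Git's ``url.<base>.insteadOf`` and
``url.<base>.pushInsteadOf`` settings give users a client-side stop-gap: any
``git://git.cacert.org/`` remote is rewritten to an authenticated transport
before a connection is opened. The script below is an added example, not part
of this documentation or of the CAcert tooling; it assumes an HTTPS clone base
of ``https://git.cacert.org/`` and an SSH base of
``ssh://git.cacert.org/var/cache/git/`` (the repository directory from
`Adding a git repository`_), neither of which this page confirms, and uses a
made-up repository name.

```shell
#!/bin/sh
# Added example (not CAcert's own configuration): rewrite unauthenticated
# git:// remotes for git.cacert.org to https:// for fetches and ssh:// for
# pushes. The HTTPS and SSH base URLs are assumptions, not taken from the page.
set -eu

# Install the rewrite rules into the git config file given as $1
# (~/.gitconfig on a workstation; a repository's .git/config below).
configure_insteadof() {
    git config -f "$1" 'url.https://git.cacert.org/.insteadOf' 'git://git.cacert.org/'
    git config -f "$1" 'url.ssh://git.cacert.org/var/cache/git/.pushInsteadOf' 'git://git.cacert.org/'
}

# Print the URL git would really contact for remote $2 of repository $1,
# after insteadOf expansion and without touching the network.
effective_fetch_url() {
    git -C "$1" ls-remote --get-url "$2"
}

# Demonstration on a throwaway repository whose remote still uses git://;
# prints the fetch URL that results after the rewrite.
demo() {
    tmp=$(mktemp -d)
    git -C "$tmp" init -q
    git -C "$tmp" remote add origin git://git.cacert.org/example.git
    configure_insteadof "$tmp/.git/config"
    effective_fetch_url "$tmp" origin
    rm -rf "$tmp"
}

demo
```

Putting the same two settings in a workstation's ``~/.gitconfig`` makes every
existing checkout with a ``git://git.cacert.org/`` remote fetch over https and
push over ssh without editing each remote; ``git ls-remote --get-url`` is the
offline way to confirm which URL a fetch would really use.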
257
Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: git.cacert.org
   :altnames: DNS:git.cacert.org
   :certfile: /etc/ssl/public/git.c.o.chain.crt
   :keyfile: /etc/ssl/private/git.c.o.key
   :serial: 1381E7
   :expiration: Mar 16 09:28:01 2020 GMT
   :sha1fp: 23:0D:DC:34:D5:4D:B0:96:9C:6B:A6:18:69:5C:5C:5F:80:62:DC:A6
   :issuer: CA Cert Signing Authority

The chain file :file:`/etc/ssl/public/git.c.o.chain.crt` also contains the
CAcert.org Class 1 certificate (the issuer listed above).

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index:: Git repositories

Git repositories
----------------

The repositories are bare repositories under :file:`/var/cache/git/`, with
write access granted through the unix groups listed under
`Dedicated user roles`_; see `Adding a git repository`_ for how a repository is
created, described and exported.

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

Apache httpd serves the gitweb interface via http and https. The http
VirtualHost redirects all traffic to https. The following changes have been
applied to the Debian package's Apache httpd configuration:

.. literalinclude:: ../configdiff/git/git-apache-config.diff
   :language: diff

.. index::
   pair: Gitweb; configuration

Gitweb configuration
--------------------

Gitweb is configured in :file:`/etc/gitweb.conf` which has the following
changes to the version contained in the distribution package:

.. literalinclude:: ../configdiff/git/gitweb.conf.diff
   :language: diff

.. index::
   pair: runit; configuration
   pair: git-daemon; configuration

git-daemon configuration
------------------------

The git-daemon is started by runit. The configuration is stored in
:file:`/etc/sv/git-daemon/run` and has the following changes to the version
contained in the distribution package git-daemon-run:

.. literalinclude:: ../configdiff/git/git-daemon-run.diff
   :language: diff

The runit service handling is triggered through :file:`/etc/inittab`.

Tasks
=====

Planned
-------

.. todo:: enable IPv6

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

Adding a git repository
-----------------------

The git repositories are stored in :file:`/var/cache/git/`. To create a new
repository that the members of one unix group can push to, use:

.. code-block:: shell

   cd /var/cache/git/
   git init --bare --shared=group <reponame.git>
   chgrp -R <groupname> <reponame.git>

The gitweb index is built from all repositories that contain a file
:file:`git-daemon-export-ok`; the same file is what git-daemon checks before
serving a repository over the native Git protocol, so creating it publishes the
repository on 9418/tcp as well. You should also put a description in the
repository's :file:`description` file and set the repository owner via:

.. code-block:: shell

   cd <reponame.git>
   git config gitweb.owner "Owner information"
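
Putting the steps above together, the following script is an added example and
not the procedure as the CAcert team runs it; it takes the base directory and
the group as parameters (``/var/cache/git`` and one of the ``git-*`` groups from
`Dedicated user roles`_ on the real host) so it can be exercised in a temporary
directory, and adds the checks an administrator would want to run afterwards.

```shell
#!/bin/sh
# Added example (not the CAcert procedure verbatim): create a group-shared bare
# repository the way the section above describes, then verify the result.
set -eu

# create_shared_repo BASE NAME GROUP DESCRIPTION OWNER [export]
#   BASE   directory holding the repositories (/var/cache/git on the host)
#   NAME   repository name without the .git suffix
#   GROUP  unix group that gets write access
#   export when given, create git-daemon-export-ok so gitweb lists the
#          repository; git-daemon then serves it on 9418/tcp as well
# Prints the path of the new repository.
create_shared_repo() {
    base=$1 name=$2 group=$3 desc=$4 owner=$5 export=${6:-}
    repo="$base/$name.git"
    # --shared=group records core.sharedRepository and sets group-writable modes
    git init -q --bare --shared=group "$repo"
    chgrp -R "$group" "$repo"
    printf '%s\n' "$desc" > "$repo/description"
    git -C "$repo" config gitweb.owner "$owner"
    if [ "$export" = export ]; then
        : > "$repo/git-daemon-export-ok"
    fi
    echo "$repo"
}

# verify_shared_repo REPO GROUP [export]
# Returns 0 when the repository matches what the procedure expects.
verify_shared_repo() {
    repo=$1 group=$2 export=${3:-}
    # the shared mode is stored as "1" by git init; accept the spelled forms too
    case $(git -C "$repo" config core.sharedRepository) in
        1|group|true) ;;
        *) echo "$repo: not a group-shared repository" >&2; return 1 ;;
    esac
    # every path must belong to the group, or members cannot push
    if [ -n "$(find "$repo" ! -group "$group" | head -n 1)" ]; then
        echo "$repo: paths not owned by group $group" >&2; return 1
    fi
    # character 6 of "ls -ld" output is the group write bit
    [ "$(ls -ld "$repo" | cut -c6)" = w ] || { echo "$repo: not group writable" >&2; return 1; }
    [ -s "$repo/description" ] || { echo "$repo: empty description" >&2; return 1; }
    git -C "$repo" config gitweb.owner >/dev/null || { echo "$repo: gitweb.owner unset" >&2; return 1; }
    if [ "$export" = export ]; then
        [ -f "$repo/git-daemon-export-ok" ] || { echo "$repo: not exported" >&2; return 1; }
    else
        [ ! -f "$repo/git-daemon-export-ok" ] || { echo "$repo: unexpectedly exported" >&2; return 1; }
    fi
}

# Example run in a temporary directory; on the host use /var/cache/git and a
# git-* group instead of the caller's primary group.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    r=$(create_shared_repo "$tmp" example "$(id -gn)" "Example repository" "Example Owner" export)
    verify_shared_repo "$r" "$(id -gn)" export && echo "ok: $r"
    rm -rf "$tmp"
fi
```

The verification step is worth rerunning after group membership changes or
manual edits inside a repository: one object file created with the wrong group
is enough to break pushes for everyone else in the group.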
365
.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Apache httpd documentation
   http://httpd.apache.org/docs/2.4/