projects / cacert-infradocs.git / blob
? search:


62b4df894f5baaf39d1ccc17b3bffad298abf09c
[cacert-infradocs.git] / docs / systems / git.rst
1 .. index::
2 single: Systems; Git
3
4 ===
5 Git
6 ===
7
8 Purpose
9 =======
10
11 `Git`_ server for the :wiki:`Software` development and :wiki:`System
12 Administration <SystemAdministration/Team>` teams.
13
14 .. _Git: https://www.git-scm.com/
15
16 Application Links
17 -----------------
18
19 Gitweb
20 http://git.cacert.org/gitweb/
21
22 Administration
23 ==============
24
25 System Administration
26 ---------------------
27
28 * Primary: :ref:`people_jandd`
29 * Secondary: None
30
31 .. todo:: find an additional admin
32
33 Application Administration
34 --------------------------
35
36 +-------------+---------------------+
37 | Application | Administrator(s) |
38 +=============+=====================+
39 | Git | :ref:`people_jandd` |
40 +-------------+---------------------+
41 | Gitweb | :ref:`people_jandd` |
42 +-------------+---------------------+
43
44 Contact
45 -------
46
47 * git-admin@cacert.org
48
49 Additional People
50 -----------------
51
52 :ref:`people_mario`, :ref:`people_benbe` and :ref:`people_neo` have
53 :program:`sudo` access on that machine too.
54
55 Basics
56 ======
57
58 Physical Location
59 -----------------
60
61 This system is located in an :term:`LXC` container on physical machine
62 :doc:`infra02`.
63
64 Logical Location
65 ----------------
66
67 :IP Internet: :ip:v4:`213.154.225.250`
68 :IP Intranet: :ip:v4:`172.16.2.250`
69 :IP Internal: :ip:v4:`10.0.0.250`
70 :MAC address: :mac:`00:ff:2e:b0:4b:1b` (eth0)
71
72 .. seealso::
73
74 See :doc:`../network`
75
76 DNS
77 ---
78
79 .. index::
80 single: DNS records; <machine>
81
82 ===================== ======== ============================================
83 Name Type Content
84 ===================== ======== ============================================
85 git.cacert.org. IN A 213.154.225.250
86 git.cacert.org. IN SSHFP 1 1 23C7622D6DB5822C809152C1C0FD9EA7838F76C6
87 git.cacert.org. IN SSHFP 1 2 DABBE1766C7933071C4E6942A1DFC72C26D9D867D8DEE84BEDA210C8EF9EA2C5
88 git.cacert.org. IN SSHFP 2 1 8509DB491902FE10AB84C8F24B02F10C1ADF0E7F
89 git.cacert.org. IN SSHFP 2 2 00C20C26B6B9A026BBB11B5C45CBEC5D3AB44A039DC0F097CAD88374D3567D01
90 git.cacert.org. IN SSHFP 3 1 60DE5788BD83ABC7F315B667F634BDA5DA8502ED
91 git.cacert.org. IN SSHFP 3 2 132BD98483440124F6B8117148B02A66645477F53C18F974E4DECB32A7495644
92 git.intra.cacert.org. IN A 172.16.2.250
93 ===================== ======== ============================================
94
95 .. seealso::
96
97 See :wiki:`SystemAdministration/Procedures/DNSChanges`
98
99 Operating System
100 ----------------
101
102 .. index::
103 single: Debian GNU/Linux; Jessie
104 single: Debian GNU/Linux; 8.4
105
106 * Debian GNU/Linux 8.4
107
108 Applicable Documentation
109 ------------------------
110
111 This is it :-)
112
113 Services
114 ========
115
116 Listening services
117 ------------------
118
119 +----------+---------+---------+-----------------------------+
120 | Port | Service | Origin | Purpose |
121 +==========+=========+=========+=============================+
122 | 22/tcp | ssh | ANY | admin console access |
123 +----------+---------+---------+-----------------------------+
124 | 25/tcp | smtp | local | mail delivery to local MTA |
125 +----------+---------+---------+-----------------------------+
126 | 80/tcp | http | ANY | application |
127 +----------+---------+---------+-----------------------------+
128 | 443/tcp | https | ANY | application |
129 +----------+---------+---------+-----------------------------+
130 | 5666/tcp | nrpe | monitor | remote monitoring service |
131 +----------+---------+---------+-----------------------------+
132 | 9418/tcp | git | ANY | Git daemon port |
133 +----------+---------+---------+-----------------------------+
134
135 .. todo:: disable insecure git-daemon port and http for git, replace these with
136 https for read access and git+ssh for write access
137
138 Running services
139 ----------------
140
141 .. index::
142 single: Apache httpd
143 single: Postfix
144 single: cron
145 single: nrpe
146 single: openssh
147 single: rsyslog
148 single: git-daemon
149
150 +--------------------+---------------------+----------------------------------------+
151 | Service | Usage | Start mechanism |
152 +====================+=====================+========================================+
153 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
154 | | remote | |
155 | | administration | |
156 +--------------------+---------------------+----------------------------------------+
157 | Apache httpd | Webserver for | init script |
158 | | gitweb | :file:`/etc/init.d/apache2` |
159 | | | |
160 +--------------------+---------------------+----------------------------------------+
161 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
162 +--------------------+---------------------+----------------------------------------+
163 | rsyslog | syslog daemon | init script |
164 | | | :file:`/etc/init.d/syslog` |
165 +--------------------+---------------------+----------------------------------------+
166 | Postfix | SMTP server for | init script |
167 | | local mail | :file:`/etc/init.d/postfix` |
168 | | submission | |
169 +--------------------+---------------------+----------------------------------------+
170 | Nagios NRPE server | remote monitoring | init script |
171 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
172 | | :doc:`monitor` | |
173 +--------------------+---------------------+----------------------------------------+
174 | runit | service supervision | :file:`/etc/inittab` entry |
175 | | for git-daemon | |
176 +--------------------+---------------------+----------------------------------------+
177 | git-daemon | Daemon for native | runit service description in |
178 | | Git protocol | :file:`/etc/sv/git-daemon/run` |
179 | | access | |
180 +--------------------+---------------------+----------------------------------------+
181
182 Connected Systems
183 -----------------
184
185 * :doc:`monitor`
186 * :doc:`jenkins` for git repository access
187
188 Outbound network connections
189 ----------------------------
190
191 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
192 * :doc:`emailout` as SMTP relay
193 * ftp.nl.debian.org as Debian mirror
194 * security.debian.org for Debian security updates
195 * crl.cacert.org (rsync) for getting CRLs
196 * :doc:`jenkins` for triggering web hooks
197
198 Security
199 ========
200
201 .. sshkeys::
202 :RSA: b6:85:16:ad:57:a1:45:3c:33:e5:f1:64:04:0d:7a:ab
203 :DSA: 27:e5:f3:95:b8:4e:73:48:b5:f2:28:8f:32:5a:96:70
204 :ECDSA: b2:f4:80:77:98:95:46:17:7a:9e:7d:73:65:6e:f4:9c
205
206 .. todo:: setup ED25519 host key
207
208 Dedicated user roles
209 --------------------
210
211 +-----------------+----------------------------------------------------+
212 | Group | Purpose |
213 +=================+====================================================+
214 | git-birdshack | access to :wiki:`BirdShack` git repositories |
215 +-----------------+----------------------------------------------------+
216 | softass | Software assessors |
217 +-----------------+----------------------------------------------------+
218 | git-boardvoting | access to board voting git repository |
219 +-----------------+----------------------------------------------------+
220 | git-rccrtauth | access to Roundcube certificate authentication git |
221 | | repository |
222 +-----------------+----------------------------------------------------+
223 | git-infra | access to infrastructure git repositories |
224 +-----------------+----------------------------------------------------+
225
226 .. todo:: think about regulating git access by a proper git repository manager
227 like gitolite
228
229 Non-distribution packages and modifications
230 -------------------------------------------
231
232 Gitweb has been modified to use https for `Gravatar`_ lookups:
233
234 .. code-block:: diff
235
236 --- gitweb.cgi 2014-02-06 14:01:48.696730208 +0000
237 +++ /usr/share/gitweb/gitweb.cgi 2014-02-06 14:03:52.933721422 +0000
238 @@ -2064,7 +2064,7 @@
239 my $email = lc shift;
240 my $size = shift;
241 $avatar_cache{$email} ||=
242 - "http://www.gravatar.com/avatar/" .
243 + "https://secure.gravatar.com/avatar/" .
244 Digest::MD5::md5_hex($email) . "?s=";
245 return $avatar_cache{$email} . $size;
246 }
247
248 .. _Gravatar: http://www.gravatar.com/
249
250
251 Risk assessments on critical packages
252 -------------------------------------
253
254 The package git-daemon-run exposes the git native protocol which is prone to
255 man in the middle attacks that could hand out modified code to users. There are
256 alternatives (ssh, https) and git-daemon support should be disabled.
257
258 Critical Configuration items
259 ============================
260
261 Keys and X.509 certificates
262 ---------------------------
263
264 .. sslcert:: git.cacert.org
265 :altnames: DNS:git.cacert.org
266 :certfile: /etc/ssl/public/git.c.o.chain.crt
267 :keyfile: /etc/ssl/private/git.c.o.key
268 :serial: 11E84D
269 :expiration: Mar 31 20:07:57 18 GMT
270 :sha1fp: B8:F9:FF:4E:F3:F6:45:A9:44:7D:8A:1E:F5:D7:28:24:74:ED:48:46
271 :issuer: CA Cert Signing Authority
272
273 The :file:`/etc/ssl/public/git.c.o.chain.crt` contains the CAcert.org Class 1
274 certificate too.
275
276 .. seealso::
277
278 * :wiki:`SystemAdministration/CertificateList`
279
280 .. index:: Git repositories
281
282 Git repositories
283 ----------------
284
285 .. index::
286 pair: Apache httpd; configuration
287
288 Apache httpd configuration
289 --------------------------
290
291 Apache httpd serves the gitweb interface via http and https. The http
292 VirtualHost redirects all traffic to https. The following changes have been
293 applied to the Debian package's Apache httpd configuration:
294
295 .. literalinclude:: ../configdiff/git/git-apache-config.diff
296 :language: diff
297
298 .. index::
299 pair: Gitweb; configuration
300
301 Gitweb configuration
302 --------------------
303
304 Gitweb is configured in :file:`/etc/gitweb.conf` which has the following
305 changes to the version contained in the distribution package:
306
307 .. literalinclude:: ../configdiff/git/gitweb.conf.diff
308 :language: diff
309
310 .. index::
311 pair: runit; configuration
312 pair: git-daemon; configuration
313
314 git-daemon configuration
315 ------------------------
316
317 The git-daemon is started by runit. The configuration is stored in
318 :file:`/etc/sv/git-daemon/run` and has the following changes to the version
319 contained in the distribution package git-daemon-run:
320
321 .. literalinclude:: ../configdiff/git/git-daemon-run.diff
322 :language: diff
323
324 Tasks
325 =====
326
327 Planned
328 -------
329
330 .. todo:: enable IPv6
331
332 Changes
333 =======
334
335 System Future
336 -------------
337
338 * No plans
339
340 Additional documentation
341 ========================
342
343 Adding a git repository
344 -----------------------
345
346 The git repositories are stored in :file:`/var/cache/git/`. To create a new
347 repository use:
348
349 .. code-block:: shell
350
351 cd /var/cache/git/
352 git init --bare --shared=group <reponame.git>
353 chgrp -R <groupname> <reponame.git>
354
355 The gitweb index is built from all repositories that contain a file
356 :file:`git-daemon-export-ok`. You should also put a description in the
357 repository's :file:`description` file and set the repository owner via:
358
359 .. code-block:: shell
360
361 cd <reponame.git>
362 git config gitweb.owner "Owner information"
363
364 .. seealso::
365
366 * :wiki:`PostfixConfiguration`
367
368 References
369 ----------
370
371 Apache httpd documentation
372 http://httpd.apache.org/docs/2.4/
Sphinx based infrastructure documentation