HowTo configure Redmine for advanced git integration » History » Version 21

Mr. DTTH, 2013-08-08 04:58

h1. HowTo configure Redmine for advanced git integration

{{>TOC}}

h2. Scope

_Install on Centos 6.x_

This HowTo explains how to serve git repositories on apache through the http-based "git-smart-http protocol":http://progit.org/2010/03/04/smart-http.html introduced in git 1.6.6.

The git-smart-http protocol offers various advantages over ssh or git-based access: you can use redmine access control as-is, there is no need for extra ssh keys or whatnot, you can secure it through SSL as needed, and there are generally fewer problems with firewalls and http/https ports than exist with ssh and git ports. git-smart-http also doesn't have some of the drawbacks of its "dumb" predecessor, as it doesn't require any complex DAV setup.

This HowTo is mainly written from memory and was conducted on a setup which was already serving [[Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl|svn repositories integrated with redmine]], so it might be possible that I forgot some things or take them for granted.

This is a wiki page, feel free to correct or amend anything you find lacking :-) You can also "drop me a line":/users/3866.

Another option to integrate grack with redmine is the "modified grack+redmine plugin":http://github.com/friflaj/redmine_grack or "any other grack modified for redmine":http://github.com/search?q=grack&type=Everything&repo=&langOverride=&start_value=1, though those lack documentation and I haven't tried them, so I can't say much about those.

h2. Prerequisites

* Apache with mod_perl (access control)
* git (version at least 1.6.6)
* A way to serve git-smart-http
** mod_cgi (or mod_cgid) if you want to use the stock "git-http-backend":http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html
** a rack server if you want to use "grack":http://github.com/schacon/grack (basically a rack wrapper around the right git commands) or "git-webby":http://git.io/BU7twg (another implementation based on grack but written in Sinatra).

You should already have a rack server to run redmine, which is why I chose grack as the backend; it is the one I will describe in this tutorial.

Using the stock git-http-backend should be quite straightforward though: skip the [[HowTo_configure_Redmine_for_advanced_git_integration#Install-grack|grack installation]] part and get your install going with the git-http-backend (the "git-http-backend manpage":http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html has some examples); when that's done, go on with the [[HowTo_configure_Redmine_for_advanced_git_integration#Access-control|access control]] part.

h2. Install Git

<pre><code class="bash">
yum install git
</code></pre>

h2. Install grack

h3. Get the sources

Fetch grack from its "github repository":http://github.com/schacon/grack; I checked out mine to @/var/www/grack@:

<pre><code class="bash">
cd /var/www
git clone http://github.com/schacon/grack.git
</code></pre>

And create a directory for the repositories:

<pre><code class="bash">
mkdir /opt/repositories
mkdir /opt/repositories/git
chown -R apache:apache /opt/repositories/git
</code></pre>

h3. Configuration

Edit the @config.ru@ file and adapt it to your local configuration. @project_root@ must contain the path to the directory containing your git repositories, and @git_path@ must contain the path to the git binary. Mine looks like this (on gentoo):

<pre><code class="bash">
vi /var/www/grack/config.ru
</code></pre>

And edit the file:

<pre><code class="ruby">$LOAD_PATH.unshift File.expand_path(File.dirname(__FILE__) + '/lib')

use Rack::ShowExceptions

require 'grack'

require 'git_adapter'

config = {
  :project_root => "/opt/repositories/git",  # directory holding the git repositories
  :git_path => '/usr/bin/git',               # path to the git binary
  :upload_pack => true,                      # allow fetch/clone
  :receive_pack => true,                     # allow push
}

run GitHttp::App.new(config)
</code></pre>

h3. Integrate with Apache

You could obviously use any rack server you like at this point, but the access control mechanism @Redmine.pm@ is written for apache with mod_perl, so you will at least need to reverse proxy your rack server through apache.

My rack server of choice is "passenger":http://modrails.com/ (solid performance, apache module, mostly simple configuration) and it is already configured on my system.

As passenger installation and configuration is not within the scope of this HowTo, please refer to the "passenger documentation":http://modrails.com/documentation.html or to the passenger installation guide from your distribution.

There's a little more work to do here to get passenger to work with this: you will need to create the directories @public@ and @tmp@ in the grack directory.

Please also be aware that in the standard configuration, passenger will run the grack application with the same user and group owning the @config.ru@ file. This user must have read- and write-access as needed to the git repositories!

Create the directories @public@ and @tmp@ in @/var/www/grack@ for apache:

<pre><code class="bash">
cd /var/www/grack
mkdir public
mkdir tmp
chown -R apache:apache /var/www/grack
</code></pre>

Edit the config file @/etc/httpd/conf/httpd.conf@ to support multiple virtual hosts by uncommenting this line:

<pre><code class="bash">
NameVirtualHost *:80
</code></pre>

Create a virtual host file:

<pre><code class="bash">
vi /etc/httpd/conf.d/git.conf
</code></pre>

<pre><code class="apache"><VirtualHost yo.ur.i.p:80>
    ServerName git.myhost.com

    ServerAdmin root@myhost.com
    DocumentRoot "/var/www/git.myhost.com/public"

    <Directory "/var/www/git.myhost.com/public">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost></code></pre>

At this point, if you have a repository in @/var/git/git.myhost.com/myrepo@, you should be able to access it through @http://git.myhost.com/myrepo@, for example @git ls-remote http://git.myhost.com/myrepo@ should show you some information about the repository.

h2. Install git-webby

Follow the instructions available on the "repository page":http://git.io/BU7twg, which are basically the same as those described above.

h2. Access control

You now have a working git server, albeit with no access control. Currently, the shipped perl module for access control @Redmine.pm@ (in @extra/svn/@ in your redmine directory) does not support access control for the git-smart-http protocol; the patch in #4905 aims to implement that.

h3. Applying the patch

Download the latest (or better: correct) version of the patch from #4905 to your redmine directory. In the redmine directory, apply the patch: @patch -p1 < the-patch-file.patch@ should work. If it tells you stuff about being unable to apply a hunk, the patch is incompatible with your @Redmine.pm@ version; if it says other stuff, try @patch -p0 < the-patch-file.patch@ or @patch Redmine.pm < the-patch-file.patch@; if it still borks, ask for advice on #4905.

-You will possibly still need to edit the file from here, because the current version of the patch only works for repositories served from @http://git.myhost.com/git/myrepo@ though the above example uses @http://git.myhost.com/myrepo@.- This step isn't needed anymore, the patch has been updated to take the information from the @Location@ block from apache into account.

h3. Configuring Apache

You now have to make Apache aware of your new authentication module (if you already had done this step for subversion integration, you can go to the @Location@ directives directly).

Copy or link @Redmine.pm@ (from your @extra/svn/@ directory) to @/usr/lib/perl5/Apache/Redmine.pm@ (ubuntu) or wherever your distribution puts its apache perl modules (e.g. gentoo puts them in @/usr/lib64/perl5/vendor_perl/5.8.8/Apache/@, fedora puts them in @/usr/lib64/perl5/vendor_perl/Apache/@).

Having done that, reload apache to make sure everything in the patching phase went well (if not, remove the link or the file created in the step just before and restart apache to get apache back up, then try to find the error in your @Redmine.pm@ file). Now edit your vhost configuration to look somewhat like this (same as above but with more stuff):

<pre><code class="apache"><VirtualHost yo.ur.i.p:80>
    ServerName git.myhost.com

    ServerAdmin root@myhost.com
    DocumentRoot "/var/www/git.myhost.com/public"

    PerlLoadModule Apache::Redmine

    <Directory "/var/www/git.myhost.com/public">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location "/">
        AuthType Basic
        AuthName "Redmine git repositories"
        Require valid-user

        PerlAccessHandler Apache::Authn::Redmine::access_handler
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler

        ## for mysql
        RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
        ## for postgres
        # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
        ## for SQLite3
        # RedmineDSN "DBI:SQLite:dbname=database.db"

        RedmineDbUser "redmine"
        RedmineDbPass "password"
        RedmineGitSmartHttp yes
    </Location>
</VirtualHost></code></pre>

Reload your apache, and everything should be good and well :-)
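
The vhost above issues the HTTP Basic challenge on port 80, so Redmine logins travel unencrypted. The following added example (not part of the original HowTo or of Redmine) moves the same access-control block to a TLS vhost and leaves port 80 as a redirect only; the certificate paths are placeholders, and it assumes mod_ssl is loaded and Apache already listens on 443:

```apache
# Added example, not from the original HowTo. Assumes mod_ssl is loaded and
# "Listen 443" is set; certificate paths are placeholders.
PerlLoadModule Apache::Redmine

# Port 80 only redirects; no auth block here, so no Basic challenge is
# ever issued over cleartext HTTP.
<VirtualHost yo.ur.i.p:80>
    ServerName git.myhost.com
    Redirect permanent / https://git.myhost.com/
</VirtualHost>

<VirtualHost yo.ur.i.p:443>
    ServerName git.myhost.com
    ServerAdmin root@myhost.com
    DocumentRoot "/var/www/git.myhost.com/public"

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile /etc/pki/tls/certs/your-server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/your-server.key

    <Directory "/var/www/git.myhost.com/public">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location "/">
        # Deny the request outright if it ever reaches this block without TLS.
        SSLRequireSSL

        AuthType Basic
        AuthName "Redmine git repositories"
        Require valid-user

        PerlAccessHandler Apache::Authn::Redmine::access_handler
        PerlAuthenHandler Apache::Authn::Redmine::authen_handler

        RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
        RedmineDbUser "redmine"
        RedmineDbPass "password"
        RedmineGitSmartHttp yes
    </Location>
</VirtualHost>
```

This file holds the Redmine database password, so keep it readable by root only (for example @chmod 600 /etc/httpd/conf.d/git.conf@); Apache reads its configuration as root before dropping privileges.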

h2. Known issues

If you are using the stock git-http-backend directly under apache and you are finding errors like "Request not supported: '/git/your-git-repo'" in your apache error log, you may need to add "SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER" to the list of environment variables that you are setting in your apache configuration.

Unfortunately, this setting may cause redmine to bork. If so, you will need to set the variable for only the requests that are passed through git-http-backend. One way to accomplish this is with mod_rewrite. Below is a sample apache configuration from a Fedora 17 system that uses git-http-backend and mod_rewrite.

In httpd.conf:

<pre><code class="apache">Listen xxx.xxx.xxx.xxx:80
<VirtualHost xxx.xxx.xxx.xxx:80>
   DocumentRoot /var/www/redmine/public
   ServerName servername.domain:80
   Include conf/servername.conf
</VirtualHost>

Listen xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
   DocumentRoot /var/www/redmine/public
   ServerName servername.domain:443
   Include conf/servername.conf
   Include conf/ssl.conf
</VirtualHost></code></pre>

In servername.conf:

<pre><code class="apache">PerlLoadModule Apache::Authn::Redmine

SetEnv GIT_PROJECT_ROOT /git-1/repositories
SetEnv GIT_HTTP_EXPORT_ALL

<IfModule mod_rewrite.c>
   RewriteEngine On

   RewriteCond %{HTTPS} ^off$
   RewriteCond %{REQUEST_URI} !^/git-private/
   RewriteRule ^.*$ https://servername.domain$0 [R=301,L]
   RewriteRule ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /git-1/repositories/$1 [L]
   RewriteRule ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /git-1/repositories/$1 [L]
   RewriteRule ^/git/(.*)$ /usr/libexec/git-core/git-http-backend/$1 [E=REMOTE_USER:$REDIRECT_REMOTE_USER,H=cgi-script,L]
</IfModule>

<Directory /usr/libexec/git-core>
   <Files "git-http-backend">
      Options +ExecCGI
   </Files>
</Directory>

<Location /git>
   AuthType Basic
   AuthName "CAMPUS"
   AuthBasicProvider external
   AuthExternal pwauth
   Require valid-user

   PerlAccessHandler Apache::Authn::Redmine::access_handler
   PerlAuthenHandler Apache::Authn::Redmine::authen_handler

   RedmineDSN "DBI:mysql:database=redmine;host=localhost"
   RedmineDbUser "redmine"
   # RedmineDbPass "password"
   RedmineGitSmartHttp yes
</Location>

Alias /git-private /git-1/repositories

<Location /git-private>
   Order deny,allow
   Deny from all
   <Limit GET PROPFIND OPTIONS REPORT>
      Options Indexes FollowSymLinks MultiViews
      Allow from 127.0.0.1
      Allow from localhost
   </Limit>
</Location>

<Directory "/var/www/redmine/public">
   RailsEnv production
   RailsBaseURI /

   Options -MultiViews
   AllowOverride All
</Directory></code></pre>

In conf/ssl.conf:

<pre><code class="apache">LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLCertificateFile /etc/pki/tls/certs/your-server.crt
SSLCertificateKeyFile /etc/pki/tls/private/your-server.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</code></pre>

In conf.d/ssl.conf:

<pre><code class="apache">LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
</code></pre>

You will also need to have the perl modules Net::LDAP, Authen::Simple, and Authen::Simple::LDAP installed. The first two are available in Fedora's default package repositories.

The third must be installed after the other two and it must be obtained directly from cpan. Below are the commands that I used to install these packages on Fedora 17.

<pre>
yum -y install gcc make perl-LDAP perl-Authen-Simple
cpan
cpan> install Authen::Simple::LDAP
</pre>