Project

General

Profile

HowTo configure Redmine for advanced git integration » History » Version 25

Vladimir Skubriev, 2013-10-04 08:07

1 1 Felix Schäfer
h1. HowTo configure Redmine for advanced git integration
2
3 3 Felix Schäfer
{{>TOC}}
4
5 1 Felix Schäfer
h2. Scope
6
7 21 Mr. DTTH
_Install on Centos 6.x_
8
9 17 Mr. DTTH
This HowTo explains how to serve git repositories on apache through the http-based "git-smart-http protocol":http://progit.org/2010/03/04/smart-http.html introduced in git 1.6.6. 
10 1 Felix Schäfer
11 17 Mr. DTTH
The git-smart-http offers various advantages over ssh or git-based access: you can use redmine access control as-is, no need for extra ssh keys or whatnot, you can secure it through SSL as needed, and there's generally less problems with firewalls and https/https ports than exist with ssh and git ports. git-smart-http also doesn't have some of the drawbacks of its "dumb" predecessor, as it doesn't require any complex DAV setup.
12 1 Felix Schäfer
13 17 Mr. DTTH
This HowTo is mainly written from memory and was conducted on a setup which was already serving [[Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl|svn repositories integrated with redmine]], so it might be possible that I forgot some things or take them for granted. 
14
15
This is a wiki page, feel free to correct or amend anything you find lacking :-) You can also "drop me a line":/users/3866.
16
17 7 Felix Schäfer
Another option to integrate grack with redmine is the "modified grack+redmine plugin":http://github.com/friflaj/redmine_grack or "any other grack modified for redmine":http://github.com/search?q=grack&type=Everything&repo=&langOverride=&start_value=1, though those ones lack documentation and I haven't tried them, so I can't say much about those.
18 1 Felix Schäfer
19
h2. Prerequisites
20
21
* Apache with mod_perl (access control)
22
* git (version at least 1.6.6)
23
* A way to serve git-smart-http
24 10 Hallison Vasconcelos Batista
** mod_cgi (or mod_cgid) if you want to use the stock "git-http-backend":http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html
25 1 Felix Schäfer
** a rack server if you want to use "grack":http://github.com/schacon/grack (basically a rack wrapper around the right git commands) or
26 10 Hallison Vasconcelos Batista
"git-webby":http://git.io/BU7twg (another implementation based on grack but written in Sinatra).
27 1 Felix Schäfer
28 17 Mr. DTTH
You should already have a rack server to run redmine, and that's why I chose grack as the backend and which I will describe in this tutorial. 
29 1 Felix Schäfer
30 17 Mr. DTTH
Using the stock git-http-backend should be quite straightforward though (skip the [[HowTo_configure_Redmine_for_advanced_git_integration#Install-grack|grack installation]] part and get your install with the git-http-backend going (the "git-http-backend manpage":http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html has some examples), when that's done go on with the [[HowTo_configure_Redmine_for_advanced_git_integration#Access-control|access control]] part).
31
32 20 Mr. DTTH
h2. Install Git
33
34
<pre><code class="bash">
35
yum install git
36
</code></pre>
37
38 2 Felix Schäfer
h2. Install grack
39 1 Felix Schäfer
40 3 Felix Schäfer
h3. Get the sources
41 2 Felix Schäfer
42 19 Mr. DTTH
Fetch grack from its "github repository":http://github.com/schacon/grack, I checked out mine to @/var/www/grack@
43 1 Felix Schäfer
44 19 Mr. DTTH
<pre><code class="bash">
45
cd /var/www
46
git clone http://github.com/schacon/grack.git
47
</code></pre>
48 1 Felix Schäfer
49 18 Mr. DTTH
And create a directory for repositories :
50
51
<pre><code class="bash">
52 1 Felix Schäfer
mkdir /opt/repositories
53 21 Mr. DTTH
mkdir /opt/repositories/git
54 18 Mr. DTTH
chown -R apache:apache /opt/repositories/git
55
</code></pre>
56
57 2 Felix Schäfer
h3. Configuration
58
59
Edit the @config.ru@ file and adapt it to your local configuration. @project_root@ must contain the path to the directory containing your git repositories, @git_path@ must obviously contain the path to the git, mine looks like this (on gentoo):
60 1 Felix Schäfer
61 21 Mr. DTTH
<pre><code class="bash">
62
vi /var/www/grack/config.ru
63
</code></pre>
64
65
And edit file :
66
67 2 Felix Schäfer
<pre><code class="ruby">$LOAD_PATH.unshift File.expand_path(File.dirname(__FILE__) + '/lib')
68 1 Felix Schäfer
69 2 Felix Schäfer
use Rack::ShowExceptions
70 1 Felix Schäfer
71 18 Mr. DTTH
require 'grack'
72 1 Felix Schäfer
73 18 Mr. DTTH
require 'git_adapter'
74 2 Felix Schäfer
75 18 Mr. DTTH
config = {
76
  :project_root => "/opt/repositories/git",
77 2 Felix Schäfer
  :git_path => '/usr/bin/git',
78
  :upload_pack => true,
79 1 Felix Schäfer
  :receive_pack => true,
80
}
81
82 21 Mr. DTTH
run GitHttp::App.new(config)
83
</code></pre>
84 3 Felix Schäfer
85 24 Vladimir Skubriev
If you use the latest version of grack, then may be this config.ru file is usable
86
87
88
<pre><code class="ruby">
89
90
$LOAD_PATH.unshift File.expand_path(File.dirname(__FILE__) + '/lib')
91
92
use Rack::ShowExceptions
93
94
require 'grack'
95
96
require 'git_adapter'
97
98
config = {
99
  :project_root => "/opt/repositories/git",
100
  :git_path => '/usr/bin/git',
101
  :upload_pack => true,
102
  :receive_pack => true,
103
  :adapter => Grack::GitAdapter,
104
}
105
106
run Grack::App.new(config)
107
108
</code></pre>
109
110 25 Vladimir Skubriev
Don't forget to install dependencies of grack
111
<pre><code class="bash">
112
$ cd /var/www/grack
113
$ bundle install
114
</code></pre>
115
116 1 Felix Schäfer
h3. Integrate with Apache
117
118 17 Mr. DTTH
You could obviously use any rack server you like at this point, but the access control mechanism @Redmine.pm@ is written for apache with mod_perl, so you will at least need to reverse proxy your rack server through apache. 
119 1 Felix Schäfer
120 17 Mr. DTTH
My rack server of choice is "passenger":http://modrails.com/ (solid performance, apache module, mostly simple configuration) and it is already configured on my system. 
121
122
As passenger installation and configuration is not within the scope of this HowTo, please refer to the "passenger documentation":http://modrails.com/documentation.html or to the passenger installation guide from your distribution.
123
124
There's a little more work to do here to get passenger to work with this, you will need to create the directories @public@ and @tmp@ in the grack directory. 
125 1 Felix Schäfer
126
Please also be aware that in the standard configuration, passenger will run the grack application with the same user and group owning the @config.ru@ file. This user must have read- and write-access as needed to the git repositories!
127
128 21 Mr. DTTH
Create directories 'public' and 'tmp' in /var/www/grack for apache :
129
130
<pre><code class="bash">
131
cd /var/www/grack
132
mkdir public
133
mkdir tmp
134
chown -R apache:apache /var/www/grack
135
</code></pre>
136
137
Edit config file "/etc/httpd/conf/httpd.conf" for support multi virtualhost by remove comment :
138
139
<pre><code class="bash">
140
NameVirtualHost *:80
141
</code></pre>
142
143
Create a file virtualhost :
144
145
<pre><code class="bash">
146
vi /etc/httpd/conf.d/git.conf
147
</code></pre>
148
149 22 Mr. DTTH
with text :
150 1 Felix Schäfer
151 22 Mr. DTTH
<pre><code class="apache">
152
<VirtualHost *:80>
153
    ServerName git.yourdomain.com
154
    DocumentRoot "/var/www/grack/public"
155
    <Directory "/var/www/grack/public">
156 1 Felix Schäfer
        Options None
157
        AllowOverride None
158 22 Mr. DTTH
        <IfVersion < 2.3 >
159 1 Felix Schäfer
        Order allow,deny
160
        Allow from all
161 22 Mr. DTTH
        </IfVersion>
162
        <IfVersion >= 2.3>
163
        Require all granted
164
        </IfVersion>
165
     </Directory>
166
 </VirtualHost>
167
</code></pre>
168 2 Felix Schäfer
169 22 Mr. DTTH
In controlpanel DNS record at domain name page, create a subdomain with name "git.yourdomain.com" and point to your IP server.
170 2 Felix Schäfer
171 22 Mr. DTTH
At this point, if you have a repository in "/opt/repositories/git/myrepo", you should be able to access it through "http://git.yourdomain.com/myrepo", for example :
172 2 Felix Schäfer
173 22 Mr. DTTH
Use a git client as Gitbash or TortoiseGit to clone repos :
174
175
<pre><code class="apache">
176
git clone http://git.yourdomain.com/myrepo
177
</code></pre>
178
179
If it successful, git on server and connection is very good!
180 3 Felix Schäfer
181
h2. Access control
182
183
You now have a working git server, albeit with no access control. Currently, the shipped perl module for access control @Redmine.pm@ (in @extra/svn/@ in your redmine directory) does not support access control for the git-smart-http protocol, the patch in #4905 aims to implement that.
184
185 11 Gregory Bartholomew
h3. Applying the patch
186 1 Felix Schäfer
187 23 Mr. DTTH
_If you are using Redmine >= 2.1.0, step over to Configuring Apache_
188
189 3 Felix Schäfer
Download the latest (or better: correct) version of the patch from #4905 to your redmine directory. In the redmine directory, apply the patch: @patch -p1 < the-patch-file.patch@ should work (if it tells you stuff about being unable to apply a hunk, the patch is incompatible with your @Redmine.pm@ version, if it says other stuff, try @patch -p0 < the-patch-file.patch@ or @patch Redmine.pm < the-patch-file.patch@, if it still borks, ask for advice on #4905).
190 1 Felix Schäfer
191
-You will possibly still need to edit the file from here, because the current version of the patch only works for repositories served from @http://git.myhost.com/git/myrepo@ though the above example uses @http://git.myhost.com/myrepo@.- This step isn't needed anymore, the patch has been updated to take the information from the @Location@ block from apache into account.
192 8 Felix Schäfer
193 3 Felix Schäfer
h3. Configuring Apache
194 17 Mr. DTTH
195 3 Felix Schäfer
You now have to make Apache aware of your new authentication module (if you already had done this step for subversion integration, you can go to the @Location@ directives directly). 
196 17 Mr. DTTH
197
Copy or link @Redmine.pm@ (from your @extra/svn/@ directory) to @/usr/lib/perl5/Apache/Redmine.pm@ (ubuntu) or wherever your distribution puts its apache perl modules (e.g. gentoo puts them in @/usr/lib64/perl5/vendor_perl/5.8.8/Apache/@, fedora puts them in @/usr/lib64/perl5/vendor_perl/Apache/@).
198 3 Felix Schäfer
199 1 Felix Schäfer
Having done that, reload apache to make sure everything in the patching phase went well (if not, remove the link or the file create in the step just before and restart apache to get apache back up, try to find the error in your Redmine.pm file). Now edit your vhost configuration to look somewhat like (same as above but with more stuff):
200
201 23 Mr. DTTH
<pre><code class="bash">
202
vi /etc/httpd/conf.d/git.conf
203
</code></pre>
204 1 Felix Schäfer
205 23 Mr. DTTH
with :
206 1 Felix Schäfer
207 23 Mr. DTTH
<pre><code class="bash">
208 1 Felix Schäfer
209 23 Mr. DTTH
<VirtualHost *:80>
210
211
    ServerName git.yourdomain.com
212
213
    DocumentRoot "/var/www/grack/public"
214
215
    <Directory "/var/www/grack/public">
216
217 1 Felix Schäfer
        Options None
218 23 Mr. DTTH
219 1 Felix Schäfer
        AllowOverride None
220 23 Mr. DTTH
221
        <IfVersion < 2.3 >
222
223 1 Felix Schäfer
        Order allow,deny
224 23 Mr. DTTH
225 1 Felix Schäfer
        Allow from all
226
227 23 Mr. DTTH
        </IfVersion>
228 1 Felix Schäfer
229 23 Mr. DTTH
        <IfVersion >= 2.3>
230 1 Felix Schäfer
231 23 Mr. DTTH
        Require all granted
232 1 Felix Schäfer
233 23 Mr. DTTH
        </IfVersion>
234 1 Felix Schäfer
235 23 Mr. DTTH
     </Directory>
236
237
     PerlLoadModule Apache::Redmine
238
    <Directory "/var/www/grack/public">
239
240
        Options None
241
242
        AllowOverride None
243
244
        <IfVersion < 2.3 >
245
246
        Order allow,deny
247
248
        Allow from all
249
250
        </IfVersion>
251
252
        <IfVersion >= 2.3>
253
254
        Require all granted
255
256
        </IfVersion>
257
258
     </Directory>
259
260
     
261
     <Location "/">
262
263
       AuthType Basic
264
265
       AuthName "Redmine git repositories"
266
267
       Require valid-user
268
269
       PerlAccessHandler Apache::Authn::Redmine::access_handler
270
       PerlAuthenHandler Apache::Authn::Redmine::authen_handler
271
   
272
       RedmineDSN "DBI:mysql:database=your_database;host=localhost:3306"
273
274
       RedmineDbUser "user_database"
275
       RedmineDbPass "password_database"       
276
       RedmineGitSmartHttp yes
277
     </Location>
278
279
 </VirtualHost>
280
</code></pre>
281
282
Restart your apache, and everything should be good and well :-)
283 13 Gregory Bartholomew
284
h2. Known issues
285
286
If you are using the stock git-http-backend directly under apache and you are finding errors like "Request not supported: '/git/your-git-repo'" in your apache error log, you may need to add "SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER" to the to the list of environment variables that you are setting in your apache configuration.  
287
288
Unfortionately, this setting may cause redmine to borke.  If so, you will need to set the variable for only the requests that are passed through git-http-backend.  One way to accomplish this is with mod_rewrite.  Below is a sample apache configuration from a Fedora 17 system that uses git-http-backend and mod_rewrite.
289
290
In httpd.conf:
291
292
<pre><code class="apache">Listen xxx.xxx.xxx.xxx:80
293
<VirtualHost xxx.xxx.xxx.xxx:80>
294
   DocumentRoot /var/www/redmine/public
295
   ServerName servername.domain:80
296
   Include conf/servername.conf
297
</VirtualHost>
298
299
Listen xxx.xxx.xxx.xxx:443
300
<VirtualHost xxx.xxx.xxx.xxx:443>
301
   DocumentRoot /var/www/redmine/public
302
   ServerName servername.domain:443
303
   Include conf/servername.conf
304
   Include conf/ssl.conf
305
</VirtualHost></code></pre>
306
307
In servername.conf:
308
309
<pre><code class="apache">PerlLoadModule Apache::Authn::Redmine
310
311
SetEnv GIT_PROJECT_ROOT /git-1/repositories
312
SetEnv GIT_HTTP_EXPORT_ALL
313
314
<IfModule mod_rewrite.c>
315
   RewriteEngine On
316 15 Gregory Bartholomew
317
   RewriteCond %{HTTPS} ^off$
318
   RewriteCond %{REQUEST_URI} !^/git-private/
319 13 Gregory Bartholomew
   RewriteRule ^.*$ https://servername.domain$0 [R=301,L]
320
   RewriteRule ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /git-1/repositories/$1 [L]
321
   RewriteRule ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /git-1/repositories/$1 [L]
322
   RewriteRule ^/git/(.*)$ /usr/libexec/git-core/git-http-backend/$1 [E=REMOTE_USER:$REDIRECT_REMOTE_USER,H=cgi-script,L]
323
</IfModule>
324
325
<Directory /usr/libexec/git-core>
326
   <Files "git-http-backend">
327
      Options +ExecCGI
328
   </Files>
329
</Directory>
330
331
<Location /git>
332
   AuthType Basic
333 14 Gregory Bartholomew
   AuthName "CAMPUS"
334 13 Gregory Bartholomew
   AuthBasicProvider external
335
   AuthExternal pwauth
336
   Require valid-user
337
338
   PerlAccessHandler Apache::Authn::Redmine::access_handler
339
   PerlAuthenHandler Apache::Authn::Redmine::authen_handler
340
 
341
   RedmineDSN "DBI:mysql:database=redmine;host=localhost" 
342
   RedmineDbUser "redmine" 
343
   # RedmineDbPass "password"
344
   RedmineGitSmartHttp yes
345
</Location>
346
347
Alias /git-private /git-1/repositories
348
349
<Location /git-private>
350
   Order deny,allow
351
   Deny from all
352
   <Limit GET PROPFIND OPTIONS REPORT>
353
      Options Indexes FollowSymLinks MultiViews
354
      Allow from 127.0.0.1
355
      Allow from localhost
356
   </Limit>
357
</Location>
358
359
<Directory "/var/www/redmine/public">
360
   RailsEnv production
361
   RailsBaseURI /
362
363
   Options -MultiViews
364
   AllowOverride All
365
</Directory></code></pre>
366
367
In conf/ssl.conf:
368
369
<pre><code class="apache">LogLevel warn
370
SSLEngine on
371
SSLProtocol all -SSLv2
372
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
373
SSLCertificateFile /etc/pki/tls/certs/your-server.crt
374
SSLCertificateKeyFile /etc/pki/tls/private/your-server.key
375
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
376
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
377
378
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
379
    SSLOptions +StdEnvVars
380
</Files>
381
<Directory "/var/www/cgi-bin">
382
    SSLOptions +StdEnvVars
383
</Directory>
384 1 Felix Schäfer
385
SetEnvIf User-Agent ".*MSIE.*" \
386
         nokeepalive ssl-unclean-shutdown \
387 13 Gregory Bartholomew
         downgrade-1.0 force-response-1.0
388
</code></pre>
389
390
In conf.d/ssl.conf:
391
392 17 Mr. DTTH
<pre><code class="apache">LoadModule ssl_module modules/mod_ssl.so
393
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
394
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
395 13 Gregory Bartholomew
SSLSessionCacheTimeout  300
396 15 Gregory Bartholomew
SSLMutex default
397 13 Gregory Bartholomew
SSLRandomSeed startup file:/dev/urandom  256
398
SSLRandomSeed connect builtin
399 1 Felix Schäfer
SSLCryptoDevice builtin
400
</code></pre>
401
402
You will also need to have the perl modules Net::LDAP, Authen::Simple, and Authen::Simple::LDAP installed.  The first two are available in Fedora's default package repositories.  
403
404
The third must be installed after the other two and it must be obtained directly from cpan.  Below are the commands that I used to install these packages on Fedora 17.
405
406
yum -y install gcc make perl-LDAP perl-Authen-Simple
407
cpan
408
cpan> install Authen::Simple::LDAP