The problem with gitosis and OpenAFS is simply that gitosis uses one
user (e.g. git) to access the git repos, and that this user is
normally not authenticated against AFS. You add remote users by
adding their SSH keys. These keys can't simply be used for AFS
authentication, and creating a principal for each remote user is
neither necessary nor desirable.
I won't repeat the gitosis configuration itself because it's well described in 1 and 2. Here I assume that you have already initialized your gitosis environment and possibly even added repositories.
The special aim of my configuration was to have the git repositories on an OpenAFS mount point. That's a bit tricky because the user never provides a password and therefore can't be authenticated against Kerberos. What I do instead is create a Kerberos principal for the git user.
jupiter ~ # kadmin.local
kadmin.local: ank -randkey git@REALM
kadmin.local: ktadd -k /etc/krb5.keytab.git git@REALM
kadmin.local: exit
Now we have added the principal for our user and created the keytab we need to authenticate. The next step is to create a user in OpenAFS. (I assume git already exists as a Unix user; I'd like to use its uid as the ID in AFS.)
jupiter ~ # pts createuser git `id -u git`
Now we have both and need to set the ACLs on the corresponding directory so that the git user can read and write it. (Replace $CELL with your cell name, and create the folder, or even a mount point, git inside it.)
jupiter ~ # fs sa /afs/$CELL/git git rlidwk
Now everything is ready to put your repositories inside
/afs/$CELL/git. To do that, we change into the home directory of the user git.
jupiter ~ # cd /var/spool/gitosis/
jupiter gitosis # cp -r repositories/* /afs/$CELL/git
jupiter gitosis # mv repositories repositories.orig
jupiter gitosis # ln -s /afs/$CELL/git repositories
(Of course you can remove repositories.orig if everything went
fine.) The core problem still exists: git is not authenticated
against AFS. This is solved by adding an ~/.ssh/rc file like
the following:
#!/bin/sh
/usr/bin/kinit -k -t /etc/krb5.keytab.git git
/usr/bin/aklog
Be aware that the file has to be readable and executable by the user
git. Now every time an ssh connection for the user git is opened, a
token is created and the user can access AFS.
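A variant of the rc file with pre-flight checks, added here as an example and not part of the original setup: it refuses to use the keytab unless it belongs to the calling user and is closed to group and others, and it reports which step failed. It assumes GNU stat and the keytab path and principal used above; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: ~/.ssh/rc with checks before kinit/aklog.
# Assumptions: GNU stat; KEYTAB and PRINCIPAL match the values used above.
KEYTAB=${KEYTAB:-/etc/krb5.keytab.git}
PRINCIPAL=${PRINCIPAL:-git}

# keytab_ok FILE UID
# Succeeds only if FILE is a regular file owned by UID with mode 400 or 600.
# Anyone who can read the keytab can obtain tickets as its principal.
keytab_ok() {
    [ -f "$1" ] || { echo "rc: keytab $1 not found" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%u' "$1") || return 1
    [ "$owner" = "$2" ] || {
        echo "rc: keytab $1 is owned by uid $owner, expected $2" >&2
        return 1
    }
    case $mode in
        400|600) return 0 ;;
        *) echo "rc: keytab $1 has mode $mode, expected 400 or 600" >&2
           return 1 ;;
    esac
}

# get_token: obtain a Kerberos ticket from the keytab, then an AFS token.
get_token() {
    keytab_ok "$KEYTAB" "$(id -u)" || return 1
    /usr/bin/kinit -k -t "$KEYTAB" "$PRINCIPAL" || {
        echo "rc: kinit failed for $PRINCIPAL" >&2; return 1; }
    /usr/bin/aklog || { echo "rc: aklog failed" >&2; return 1; }
}

# Only act when this file is run under the name rc (as sshd runs ~/.ssh/rc),
# so the functions can be sourced or tested without touching Kerberos.
case ${0##*/} in
    rc) get_token ;;
esac
```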
Now it's time to init a new git repo somewhere.
mkdir $some_repo
cd $some_repo
git init
git remote add origin git@${server}:${some_repo}.git
# do some work, git add and commit files
git push origin master:refs/heads/master
For this step to work, the local master branch must exist, so you
have to commit some changes first.
Have fun!