Troubleshooting Debian Squeeze install of gitolite+ssh+http-backend

Emmanuel Sciara

Jan 16, 2012, 2:59:36 AM
to gito...@googlegroups.com
Hi,

I am setting up a gitolite+ssh+http-backend on a Debian Squeeze machine and trying to follow the doc at http://sitaramc.github.com/gitolite/ggshb.html (not quite the same thing on OpenSuse as on Debian) and I am running into trouble. Because of that I removed all the Gitweb settings to narrow down the potential origins of the problem. The only things I kept were the following, as I am unsure of what they would do:
  • in /var/lib/gitolite/.gitolite.rc , I left $GL_GITCONFIG_KEYS = "gitweb.url receive.denyNonFastforwards receive.denyDeletes";
  • here is the content of gitolite.conf : (added daemon here and there for troubleshooting, but don't think it is needed)
repo gitolite-admin
     RW+ = admin daemon
     config receive.denyNonFastforwards = true
     config receive.denyDeletes = true

repo testing
     RW+ = @all
     R = daemon
     config receive.denyNonFastforwards = true
     config receive.denyDeletes = true

Going through ssh works perfectly. I am using the same user (admin) to configure gitolite from the client through the gitolite-admin repo. But going through http won't work.

Here is how I setup the thing.

Here is the apache gitolite vhost file:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        LogLevel debug
        ErrorLog "|/usr/bin/cronolog /var/log/apache2/git/%Y/%W/%d-error.log"
        CustomLog "|/usr/bin/cronolog /var/log/apache2/git/%Y/%W/%d-access.log" combined

        DocumentRoot /var/www

        # Suexec setup
        SuexecUserGroup gitolite gitolite

        # Set up appropriate GIT environments
        SetEnv GIT_PROJECT_ROOT /var/lib/gitolite/repositories
        SetEnv GIT_HTTP_EXPORT_ALL
        SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

        # Set up appropriate gitolite environments
        SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite

        # run the script to launch gitolite
        ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/

        # We need gl-auth-command executable
        <Directory "/var/www/bin">
                <Files "gitolite-suexec-wrapper.sh">
                        Order allow,deny
                        Allow from all
                </Files>
        </Directory>

        # Set up authentication to taste
        <Location />
                AuthType Basic
                AuthName "Private Git Access"
                Require valid-user
                AuthUserFile /var/lib/gitolite/http_pwd_file
        </Location>

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
[..]

</VirtualHost>

and here is /var/www/bin/gitolite-suexec-wrapper.sh:

#!/bin/bash

#
# Suexec wrapper for gl-auth-command
#

USER=$1

export GIT_PROJECT_ROOT="/var/lib/gitolite/repositories"
export REMOTE_USER=$REDIRECT_REMOTE_USER
export GITOLITE_HTTP_HOME="/var/lib/gitolite"

# Debian Squeeze gitolite DEB places gl-auth-command in /usr/share/gitolite
exec /usr/share/gitolite/gl-auth-command $USER

# End

Here is the error message I get from the client when I try to clone the "testing.git" repo:

host:git-test user$ git clone http://192.168.0.5/git/testing.git testing-http-git-blah
Cloning into testing-http-git-blah...
Username: 
Password: 
error: The requested URL returned error: 500 while accessing http://192.168.0.5/git/testing.git/info/refs
fatal: HTTP request failed

Here are the following errors I find in the log file /var/log/apache2/error.log :

[Mon Jan 16 00:54:52 2012] [error] [client 192.168.0.2] Use of uninitialized value in do "file" at /usr/share/gitolite/gl-auth-command line 40.
[Mon Jan 16 00:54:52 2012] [error] [client 192.168.0.2] Null filename used at /usr/share/gitolite/gl-auth-command line 40.
[Mon Jan 16 00:54:52 2012] [error] [client 192.168.0.2] Premature end of script headers: gitolite-suexec-wrapper.sh

Here is what the access log shows in the log file /var/log/apache2/git/2012/03/16-access.log :

192.168.0.2 - admin [16/Jan/2012:00:54:52 +0100] "GET /git/testing.git/info/refs?service=git-upload-pack HTTP/1.1" 500 831 "-" "git/1.7.7"
192.168.0.2 - admin [16/Jan/2012:00:54:52 +0100] "GET /git/testing.git/info/refs HTTP/1.1" 500 831 "-" "git/1.7.7"

Trying to narrow down the problem, I created another vhost with pretty much the same settings but calling a suexec wrapper that would use git-http-backend: (it is probably dumb http since I had to add the git-daemon-export-ok file to the repo's dir)

Here is the apache git-suexec vhost file:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        LogLevel debug
        ErrorLog "|/usr/bin/cronolog /var/log/apache2/git/%Y/%W/%d-error.log"
        CustomLog "|/usr/bin/cronolog /var/log/apache2/git/%Y/%W/%d-access.log" combined

        DocumentRoot /var/www

        # Suexec setup
        SuexecUserGroup gitolite gitolite

        # Set up appropriate GIT environments
        SetEnv GIT_PROJECT_ROOT /var/lib/gitolite/repositories
        SetEnv GIT_HTTP_EXPORT_ALL
        SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

        # Set up appropriate gitolite environments (not needed here but I left it to get like for like)
        SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite 

        # run the script to launch git
        ScriptAlias /git/ /var/www/bin/git-suexec-wrapper.sh/

        # We need git-http-backend executable
        <Directory "/var/www/bin">
                <Files "git-suexec-wrapper.sh">
                        Order allow,deny
                        Allow from all
                </Files>
        </Directory>

        # Set up authentication to taste
        <Location />
                AuthType Basic
                AuthName "Private Git Access"
                Require valid-user
                AuthUserFile /var/lib/gitolite/http_pwd_file
        </Location>

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
[..]

</VirtualHost>

and here is /var/www/bin/git-suexec-wrapper.sh:

#!/bin/bash

#
# Suexec wrapper for git-http-backend
#

# USER=$1

export GIT_PROJECT_ROOT="/var/lib/gitolite/repositories"
export REMOTE_USER=$REDIRECT_REMOTE_USER
export GITOLITE_HTTP_HOME="/var/lib/gitolite"

# no comment :) 
exec /usr/lib/git-core/git-http-backend

# End

Using this, cloning the repo works:

host:git-test user$ git clone http://192.168.0.5/git/testing.git testing-http-git-blah
Cloning into testing-http-git-blah...
Username: 
Password: 
remote: Counting objects: 6, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 6 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (6/6), done.

Here is what shows in the log file /var/log/apache2/git/2012/03/16-access.log :

192.168.0.2 - admin [16/Jan/2012:01:02:58 +0100] "GET /git/testing.git/info/refs?service=git-upload-pack HTTP/1.1" 200 575 "-" "git/1.7.7"
192.168.0.2 - admin [16/Jan/2012:01:02:58 +0100] "POST /git/testing.git/git-upload-pack HTTP/1.1" 200 1144 "-" "git/1.7.7"

One thing I also noticed by putting traces in /var/www/bin/gitolite-suexec-wrapper.sh is that $USER remains empty where it should hold the username that was authenticated by Apache.

Any clue of what needs to be changed/done?

Em

Em

Jan 16, 2012, 4:26:05 PM
to gito...@googlegroups.com
Hi folks,

Please give your inputs to this post instead of the other. It is more complete. :)

Em

Detlef Vollmann

Jan 16, 2012, 6:12:56 PM
to gito...@googlegroups.com, Emmanuel Sciara
On 01/16/12 08:59, Emmanuel Sciara wrote:
> Here is the apache gitolite vhost file:
>
> <VirtualHost *:80>

> DocumentRoot /var/www
Here I have
DocumentRoot /source/gitolite
which is where my repositories reside, but I'm not sure that this
matters.

> # Suexec setup
> SuexecUserGroup gitolite gitolite

This looks correct.

> # Set up appropriate GIT environments
> SetEnv GIT_PROJECT_ROOT /var/lib/gitolite/repositories
> SetEnv GIT_HTTP_EXPORT_ALL
> SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
>
> # Set up appropriate gitolite environments
> SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite

I'm not sure that this works.
I dimly remember something that environment vars that don't start
with 'HTTP_' are removed from the environment, but I might be wrong.
But I just set everything in my suexec wrapper script...

>
> # run the script to launch gitolite
> ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/

Which package did you install, apache2-suexec or apache2-suexec-custom?
And if the latter, what's the contents of /etc/apache2/suexec/www-data?

> # We need gl-auth-command executable
> <Directory "/var/www/bin">
> <Files "gitolite-suexec-wrapper.sh">
> Order allow,deny
> Allow from all
> </Files>
> </Directory>

I don't need this.
(I just have 'AllowOverride None' for my document root, as you have
below, to avoid annoying error logs...)

> # Set up authentication to taste
> <Location />
> AuthType Basic
> AuthName "Private Git Access"
> Require valid-user
> AuthUserFile /var/lib/gitolite/http_pwd_file
> </Location>

Mine looks different, as I use Digest (I can't use HTTPS), but it's
probably ok.

> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>

Ok.

> <Directory /var/www/>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>

Probably ok, though I don't need any of these (as I set my DocumentRoot
to the correct location, I don't need symlinks).

> and here is /var/www/bin/gitolite-suexec-wrapper.sh:
Who's owner of that script?

>
> #!/bin/bash
>
> #
> # Suexec wrapper for gl-auth-command
> #
>
> USER=$1
>
> export GIT_PROJECT_ROOT="/var/lib/gitolite/repositories"
> export REMOTE_USER=$REDIRECT_REMOTE_USER

I'm not sure that this one works, and it's probably not required.


> export GITOLITE_HTTP_HOME="/var/lib/gitolite"
>
> # Debian Squeeze gitolite DEB places gl-auth-command in /usr/share/gitolite

Hmmm, this reminds me that I didn't use gitolite from Debian, because
it was too old for smart HTTP support.
> exec /usr/share/gitolite/gl-auth-command $USER

Here is something similar to what I have:
#! /bin/sh
# gl-suexec-wrapper: just set env from rc file and call gl-auth-command

glhome=/var/lib/gitolite

# this is for gitweb...
export GL_BINDIR=/usr/local/bin
export GL_RC=$glhome/.gitolite.rc
export GL_REPO_BASE_ABS=/source/gitolite
export GITWEB_INDEXTEXT=$glhome/gitweb-index.html
export GITWEB_COMMAND=/usr/lib/cgi-bin/gitweb.cgi

# ... and this for "smart http" access
export GIT_PROJECT_ROOT=$GL_REPO_BASE_ABS
export GITOLITE_HTTP_HOME=$glhome
export GITOLITE_AUTH_COMMAND=/usr/local/bin/gl-auth-command
export GIT_HTTP_BACKEND="/usr/lib/git-core/git-http-backend"

exec $GITOLITE_AUTH_COMMAND "$@"


For some background it might be useful to look up the discussion
on the mailing list nearly exactly one year ago.

Detlef

Emmanuel Sciara

Jan 17, 2012, 5:25:39 AM
to gito...@googlegroups.com
>> Here is the apache gitolite vhost file:
>>
>> <VirtualHost *:80>
>>
>>         DocumentRoot /var/www
> Here I have
> DocumentRoot /source/gitolite
> which is where my repositories reside, but I'm not sure that this
> matters.

Yep. Should not.

>>         # Suexec setup
>>         SuexecUserGroup gitolite gitolite
> This looks correct.

>>         # Set up appropriate GIT environments
>>         SetEnv GIT_PROJECT_ROOT /var/lib/gitolite/repositories
>>         SetEnv GIT_HTTP_EXPORT_ALL
>>         SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
>>
>>         # Set up appropriate gitolite environments
>>         SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite
> I'm not sure that this works.
> I dimly remember something that environment vars that don't start
> with 'HTTP_' are removed from the environment, but I might be wrong.
> But I just set everything in my suexec wrapper script...

Just followed the doc. Will try later and if it is not needed, will propose a change to the doc.

>>         # run the script to launch gitolite
>>         ScriptAlias /git/ /var/www/bin/gitolite-suexec-wrapper.sh/
> Which package did you install, apache2-suexec or apache2-suexec-custom?
> And if the latter, what's the contents of /etc/apache2/suexec/www-data?

I am using apache2-suexec.

>>         # We need gl-auth-command executable
>>         <Directory "/var/www/bin">
>>                 <Files "gitolite-suexec-wrapper.sh">
>>                         Order allow,deny
>>                         Allow from all
>>                 </Files>
>>         </Directory>
> I don't need this.
> (I just have 'AllowOverride None' for my document root, as you have
> below, to avoid annoying error logs...)

Same thing: was in the doc. Will propose update if need be.

>>         # Set up authentication to taste
>>         <Location />
>>                 AuthType Basic
>>                 AuthName "Private Git Access"
>>                 Require valid-user
>>                 AuthUserFile /var/lib/gitolite/http_pwd_file
>>         </Location>
> Mine looks different, as I use Digest (I can't use HTTPS), but it's
> probably ok.

I will be using HTTPS, so I will keep this one.

>>         <Directory />
>>                 Options FollowSymLinks
>>                 AllowOverride None
>>         </Directory>
> Ok.

>>         <Directory /var/www/>
>>                 Options Indexes FollowSymLinks MultiViews
>>                 AllowOverride None
>>                 Order allow,deny
>>                 allow from all
>>         </Directory>
> Probably ok, though I don't need any of these (as I set my DocumentRoot
> to the correct location, I don't need symlinks).

Yep, just used the default apache vhost file.

>> and here is /var/www/bin/gitolite-suexec-wrapper.sh:
> Who's owner of that script?

gitolite is owner and gitolite is group

>> #!/bin/bash
>>
>> #
>> # Suexec wrapper for gl-auth-command
>> #
>>
>> USER=$1
>>
>> export GIT_PROJECT_ROOT="/var/lib/gitolite/repositories"
>> export REMOTE_USER=$REDIRECT_REMOTE_USER
> I'm not sure that this one works, and it's probably not required.

Probably not in the script. Just kept it there as it is deemed important when installing GIT with smartHTTP in http://stackoverflow.com/questions/3947530/git-push-fatal-failed/7177690#7177690

>> export GITOLITE_HTTP_HOME="/var/lib/gitolite"
>>
>> # Debian Squeeze gitolite DEB places gl-auth-command in /usr/share/gitolite
> Hmmm, this reminds me that I didn't use gitolite from Debian, because
> it was too old for smart HTTP support.

ARRRRGGGHHHH... [and hell broke loose]... that is the one... package installs 1.5.4 (dated July 23, 2010!!!) and the first version supporting smart HTTP is 1.5.6 (dated October 16, 2010)... Latest version is 2.2.1 (dated January 07, 2012). This should really be stated in the doc as a prerequisite! Will definitely send an update.

Will update and let you know what is the result.

Will also look at the rest of your suggestions.

Thanks Detlef!

Em

Em

Jan 17, 2012, 8:30:24 AM
to gito...@googlegroups.com
Ok, that was it. Debian's package was too old. I also had to add the GIT_HTTP_BACKEND part you mentioned and a GIT_HTTP_EXPORT_ALL part too. So here is the script /var/www/bin/gitolite-suexec-wrapper.sh:

#!/bin/bash

#
# Wrapper for gl-auth-command
#

USER=$1

export GIT_PROJECT_ROOT="/home/gitolite/repositories"
export GITOLITE_HTTP_HOME="/home/gitolite"
export GIT_HTTP_EXPORT_ALL=1
export GIT_HTTP_BACKEND="/usr/lib/git-core/git-http-backend"

# gl-auth-command is in /home/gitolite/bin here (the Debian gitolite DEB placed it in /usr/share/gitolite)
exec /home/gitolite/bin/gl-auth-command $USER

# End

Thanks for your help Detlef!

Em
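
An added example, not part of the thread and not gitolite's own code: the same wrapper with a pre-flight check, so a missing path or variable is named in the Apache error log and the client gets a complete CGI response instead of "Premature end of script headers". The function names and the rc file location are assumptions; GITOLITE_AUTH_COMMAND is the wrapper-local name borrowed from Detlef's script.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the wrapper.

# check NAME OP: NAME is a variable name, OP a test(1) operator (-d, -x).
check() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        echo "$1 is unset"; return 1
    elif ! [ "$2" "$val" ]; then
        echo "$1=$val fails test $2"; return 1
    fi
}

# preflight: report every problem, return 1 if any was found.
preflight() {
    bad=0
    check GIT_PROJECT_ROOT -d      || bad=1
    check GITOLITE_HTTP_HOME -d    || bad=1
    check GIT_HTTP_BACKEND -x      || bad=1
    check GITOLITE_AUTH_COMMAND -x || bad=1
    # Assumption: the rc file is $GITOLITE_HTTP_HOME/.gitolite.rc, as in the first post.
    if [ -n "${GITOLITE_HTTP_HOME:-}" ] && ! [ -r "$GITOLITE_HTTP_HOME/.gitolite.rc" ]; then
        echo "cannot read $GITOLITE_HTTP_HOME/.gitolite.rc"; bad=1
    fi
    return "$bad"
}

# cgi_error: a complete CGI response, so Apache has headers to send instead of
# logging "Premature end of script headers"; no server paths reach the client.
cgi_error() {
    printf 'Status: 500 Internal Server Error\r\n'
    printf 'Content-Type: text/plain\r\n\r\n'
    echo "git service is misconfigured; see the server error log"
}

main() {
    # Set here rather than with SetEnv: suexec passes on only the variables
    # on its compiled-in safe list. Values are from the final wrapper above.
    export GIT_PROJECT_ROOT="/home/gitolite/repositories"
    export GITOLITE_HTTP_HOME="/home/gitolite"
    export GIT_HTTP_EXPORT_ALL=1
    export GIT_HTTP_BACKEND="/usr/lib/git-core/git-http-backend"
    GITOLITE_AUTH_COMMAND="/home/gitolite/bin/gl-auth-command"
    # Details go to stderr (the Apache error log), a generic page to the client.
    if ! preflight >&2; then cgi_error; exit 0; fi
    exec "$GITOLITE_AUTH_COMMAND" "$@"
}

# Run only as a CGI: the web server sets GATEWAY_INTERFACE.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then main "$@"; fi
```
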

Detlef Vollmann

Jan 17, 2012, 9:59:54 AM
to gito...@googlegroups.com
On 01/17/12 11:25, Emmanuel Sciara wrote:
>> I dimly remember something that environment vars that don't start
>> with 'HTTP_' are removed from the environment, but I might be wrong.
>> But I just set everything in my suexec wrapper script...
>
>
> Just followed the doc.
It depends on which doc...
I think the stripping has to do with suexec.

>>> export REMOTE_USER=$REDIRECT_REMOTE_USER


>>>
>> I'm not sure that this one works, and it's probably not required.
>
>
> Probably not in the script. Just kept it there as it is deemed important
> when installing GIT with smartHTTP in
> http://stackoverflow.com/questions/3947530/git-push-fatal-failed/7177690#7177690

There they don't use suexec.
If you use suexec, REMOTE_USER is set by gl-auth-command.

Detlef
