Friday, March 25, 2016

migration - Migrating git repositories to a new server


I want to mirgrate my repositories from:
RedHat 6.9 (Santiago) with apache 2.2 and php 5.3


to:
Ubuntu 16.04.4 LTS with apache 2.4 and php 7.0


I'm using the "gitweb/git-http-backend" to server the repositories through https, so, I'm not using SSH here. Another important thing is that I'm not going to change the VirtualHost Server name, so the users should not even notice this.


Unfortunately the preliminary tests on my new server aren't working, when trying to clone an existing repository, I will get a 404 not found error.


My first question here: for the tests, the original server's name is: my_server.com, then for the new server, I'm using my_server_dev.com. This is only for testing. Afterwards I will replace the name of the new server with the name of the old server. Do I have to change the server name in the repositories of the testing setup to be able to see if git works? I guess that once the tests work and won't have to change anything on the repositories, right?


This is working in my old server:



  ServerName my_server.com
  AddType application/x-httpd-php .php
  CustomLog "/var/log/httpd/my_server_access.log" common
  RewriteEngine On
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile "/etc/ssl/certs/my_cert.crt"
  SSLCertificateChainFile "/etc/ssl/certs/my_fullchain.crt"
  SSLCertificateKeyFile "/etc/ssl/certs/my_key.priv.key"
  DocumentRoot /var/www/
  
    Options FollowSymLinks
    AllowOverride None
  
  
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  
  SetEnv GIT_PROJECT_ROOT /home/git
  SetEnv GIT_HTTP_EXPORT_ALL
  ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
  Alias /git /home/git
  
    AuthType Basic
    AuthName "Git repositories"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldaps://my_server1.com my_server2.com my_server3.com/ou=users,ou=my_ou,o=my_domain,c=my_country?uid?sub?(objectClass=*)"
    AuthLDAPBindDN "my_bind_dn"
    AuthLDAPBindPassword my_password
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    require valid-user
    AuthGroupFile /etc/httpd/my_group_file
  
  
        Allow from all
        Order allow,deny
        require group group1 group2
  
  
        Allow from all
        Order allow,deny
        require group group1 group3
  
  #More repositories here


So now, after having copied everything under "/home/git" from my old server to my new server, I have:



  ServerName my_server.com
  SSLEngine on
  SSLProtocol ALL -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  SSLHonorCipherOrder on
  SSLCompression off
  SSLOptions +StrictRequire
  SSLCertificateFile /etc/ssl/certs/my_cert.pem
  SSLCertificateChainFile /etc/ssl/certs/my_fullchain.pem
  SSLCertificateKeyFile /etc/ssl/certs/my_privkey.pem
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/my_domain_access.log combined
  RewriteEngine On
  DocumentRoot ${APACHE_ROOT}/my_server
  
    Options Indexes FollowSymLinks MultiViews
    Require all granted
    AllowOverride All
  
  SetEnv GIT_PROJECT_ROOT /var/www/html/my_server/git
  SetEnv GIT_HTTP_EXPORT_ALL
  ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
  Alias /git /var/www/html/my_server/git
  
    AuthType Basic
    AuthName "Git repositories"
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative on
    AuthLDAPURL "ldaps://my_server1.com my_server2.com my_server3.com/ou=users,ou=my_ou,o=my_domain,c=my_country?uid?sub?(objectClass=*)"
    AuthLDAPBindDN "my_bind_dn"
    AuthLDAPBindPassword my_password
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    require valid-user
    AuthGroupFile /etc/apache2/my_group_file
  
  
    require group group1 group2
  
  
    require group group1 group3
  
  #More repositories here


If you look carefully, you will see that the only changes I have are:



  1. Removed: "AddType application/x-httpd-php .php". This is already enabled in Ubuntu though "/etc/mods-enabled -> php7.0.*"

  2. The apache directories were changed to the Ubuntu ones: /etc/apache2, /var/log/apache2, and /var/www/html

  3. SSLCipherSuite changed a litte bit, but this shouldn't be a problem

  4. This was changed:


    Order allow,deny


    allow from all


    by:


    Require all granted


  5. "/home/git" was changed by: "/var/www/html/my_domain/git". To be honest, I also tried the first option, but it didn't work. I have seen cases where other folders outside from "/var/www/html" won't work.


  6. "/usr/libexec/git-core/git-http-backend/" was changed by: "/usr/lib/git-core/git-http-backend/", which is where this binary resides on Ubuntu.

  7. "AuthzLDAPAuthoritative" was changed by: "AuthLDAPBindAuthoritative". The first directive doesn't exist on apache 2.4 anymore.

  8. Changed:


Allow from all


Order allow,deny


require group group1


by just:


require group group1


This seems to be enough for Apache 2.4


The rest of my configuration is pretty the same. I just now that SSL is working and the LDAP authentication too. If I give the credentials from user, that is not allowed to access a repository, then I will see this on the error log file:


[authz_groupfile:error] [pid 17829] [client xxx.xxx.xxx.xxx:xxxx] AH01666: Authorization of user my_user1 to access /git/my_repo.git failed, reason: user doesn't appear in group file (/etc/apache2/my_group_file).
[authz_core:error] [pid 17829] [client xxx.xxx.xxx.xxx:xxxx] AH01631: user my_user1: authorization failure for "/git/my_repo.git":

Trying with a user that has the access, will pass the authentication, but I will see this on the client:


fatal: repository 'https://my_domain.com/git/my_repo.git/' not found

And in the access log there is indeed a 404 error code:


xxx.xxx.xxx.xxx - my_user [14/Mar/2018:20:45:29 +0100] "GET /git/my_repo.git/info/refs?service=git-upload-pack HTTP/1.1" 404 596 "-" "git/2.10.0.windows.1"

What could be wrong here?


Thanks in advanced


Best regards
Josef



Ok, I figured this out. It turns out that either mod_cgi or mod_cgid is needed. Here is the standard /etc/apache2/conf-available/gitweb.conf that comes with the binary package from Ubuntu:



    
        
          Define ENABLE_GITWEB
        
    
      Define ENABLE_GITWEB
    
  


  Alias /gitweb /usr/share/gitweb
  
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi


So if you are working with gitweb you need: mod_alias and mod_mime. You need either: mod_cgi or mod_cgid. In my case, I had the first two, but none of the last two cgi modules.


For enabling mod_cgid you need either mpm_worker_module or mpm_event_module.
For mod_cgi, you need: mpm_prefork_module


I don't know what the differences between the two cgis is, but since I already have mpm_prefork_module, I decided to enable the latter one:


sudo a2enmod cgi

On my case, for the testing server I need to go to each repository and do:


git update-server-info

The initial tests are now working.


Best regards
Josef


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

11.10 - Can't boot from USB after installing Ubuntu

I bought a Samsung series 5 notebook and a very strange thing happened: I installed Ubuntu 11.10 from a usb pen drive but when I restarted (...