Friday, March 25, 2016

migration - Migrating git repositories to a new server


I want to migrate my repositories from:
RedHat 6.9 (Santiago) with apache 2.2 and php 5.3


to:
Ubuntu 16.04.4 LTS with apache 2.4 and php 7.0


I'm using the "gitweb/git-http-backend" to serve the repositories through https, so I'm not using SSH here. Another important thing is that I'm not going to change the VirtualHost server name, so the users should not even notice this.


Unfortunately the preliminary tests on my new server aren't working: when trying to clone an existing repository, I get a 404 Not Found error.


My first question here: for the tests, the original server's name is my_server.com, and for the new server I'm using my_server_dev.com. This is only for testing. Afterwards I will replace the name of the new server with the name of the old server. Do I have to change the server name in the repositories of the testing setup to be able to see if git works? I guess that once the tests work I won't have to change anything on the repositories, right?


This is working in my old server:



ServerName my_server.com
AddType application/x-httpd-php .php
CustomLog "/var/log/httpd/my_server_access.log" common
RewriteEngine On
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/etc/ssl/certs/my_cert.crt"
SSLCertificateChainFile "/etc/ssl/certs/my_fullchain.crt"
SSLCertificateKeyFile "/etc/ssl/certs/my_key.priv.key"
DocumentRoot /var/www/

Options FollowSymLinks
AllowOverride None


Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

SetEnv GIT_PROJECT_ROOT /home/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
Alias /git /home/git

AuthType Basic
AuthName "Git repositories"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldaps://my_server1.com my_server2.com my_server3.com/ou=users,ou=my_ou,o=my_domain,c=my_country?uid?sub?(objectClass=*)"
AuthLDAPBindDN "my_bind_dn"
AuthLDAPBindPassword my_password
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
require valid-user
AuthGroupFile /etc/httpd/my_group_file


Allow from all
Order allow,deny
require group group1 group2


Allow from all
Order allow,deny
require group group1 group3

#More repositories here


So now, after having copied everything under "/home/git" from my old server to my new server, I have:



ServerName my_server.com
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/my_cert.pem
SSLCertificateChainFile /etc/ssl/certs/my_fullchain.pem
SSLCertificateKeyFile /etc/ssl/certs/my_privkey.pem
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/my_domain_access.log combined
RewriteEngine On
DocumentRoot ${APACHE_ROOT}/my_server

Options Indexes FollowSymLinks MultiViews
Require all granted
AllowOverride All

SetEnv GIT_PROJECT_ROOT /var/www/html/my_server/git
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
Alias /git /var/www/html/my_server/git

AuthType Basic
AuthName "Git repositories"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative on
AuthLDAPURL "ldaps://my_server1.com my_server2.com my_server3.com/ou=users,ou=my_ou,o=my_domain,c=my_country?uid?sub?(objectClass=*)"
AuthLDAPBindDN "my_bind_dn"
AuthLDAPBindPassword my_password
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
require valid-user
AuthGroupFile /etc/apache2/my_group_file


require group group1 group2


require group group1 group3

#More repositories here


If you look carefully, you will see that the only changes I have are:



  1. Removed: "AddType application/x-httpd-php .php". This is already enabled in Ubuntu through "/etc/mods-enabled -> php7.0.*"

  2. The apache directories were changed to the Ubuntu ones: /etc/apache2, /var/log/apache2, and /var/www/html

  3. SSLCipherSuite changed a little bit, but this shouldn't be a problem

  4. This was changed:

    Order allow,deny
    allow from all

    to:

    Require all granted


  5. "/home/git" was replaced by: "/var/www/html/my_domain/git". To be honest, I also tried the first option, but it didn't work. I have seen cases where other folders outside of "/var/www/html" won't work.


  6. "/usr/libexec/git-core/git-http-backend/" was replaced by: "/usr/lib/git-core/git-http-backend/", which is where this binary resides on Ubuntu.

  7. "AuthzLDAPAuthoritative" was replaced by: "AuthLDAPBindAuthoritative". The first directive doesn't exist on apache 2.4 anymore.

  8. Changed:

    Allow from all
    Order allow,deny
    require group group1

    to just:

    require group group1

    This seems to be enough for Apache 2.4


The rest of my configuration is pretty much the same. I just know that SSL is working and the LDAP authentication too. If I give the credentials of a user that is not allowed to access a repository, then I will see this in the error log file:


[authz_groupfile:error] [pid 17829] [client xxx.xxx.xxx.xxx:xxxx] AH01666: Authorization of user my_user1 to access /git/my_repo.git failed, reason: user doesn't appear in group file (/etc/apache2/my_group_file).
[authz_core:error] [pid 17829] [client xxx.xxx.xxx.xxx:xxxx] AH01631: user my_user1: authorization failure for "/git/my_repo.git":

Trying with a user that has access will pass the authentication, but I will see this on the client:


fatal: repository 'https://my_domain.com/git/my_repo.git/' not found

And in the access log there is indeed a 404 error code:


xxx.xxx.xxx.xxx - my_user [14/Mar/2018:20:45:29 +0100] "GET /git/my_repo.git/info/refs?service=git-upload-pack HTTP/1.1" 404 596 "-" "git/2.10.0.windows.1"

What could be wrong here?


Thanks in advance


Best regards
Josef



Ok, I figured this out. It turns out that either mod_cgi or mod_cgid is needed. Here is the standard /etc/apache2/conf-available/gitweb.conf that comes with the binary package from Ubuntu:





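<IfModule mod_alias.c>
  <IfModule mod_mime.c>
    <IfModule mod_cgi.c>
      Define ENABLE_GITWEB
    </IfModule>
    <IfModule mod_cgid.c>
      Define ENABLE_GITWEB
    </IfModule>
  </IfModule>
</IfModule>

<IfDefine ENABLE_GITWEB>
  Alias /gitweb /usr/share/gitweb

  <Directory /usr/share/gitweb>
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi
  </Directory>
</IfDefine>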


So if you are working with gitweb you need: mod_alias and mod_mime. You need either: mod_cgi or mod_cgid. In my case, I had the first two, but none of the last two cgi modules.


For enabling mod_cgid you need either mpm_worker_module or mpm_event_module.
For mod_cgi, you need: mpm_prefork_module


I don't know what the differences between the two cgis are, but since I already have mpm_prefork_module, I decided to enable the latter one:


sudo a2enmod cgi

In my case, for the testing server I need to go to each repository and do:


git update-server-info

The initial tests are now working.


Best regards
Josef
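
The module dependency described in the answer above, turned into a pre-flight check; this is an added example, not part of the original post. The function names (has_module, cgi_module_for, preflight) are hypothetical and the module list is a constructed sample in the format printed by `apache2ctl -M`.

```shell
#!/bin/sh
# Added example: pre-flight check for gitweb/git-http-backend on Apache 2.4.
# Each function takes the module list printed by `apache2ctl -M` as $1.

# has_module LIST NAME: succeeds if NAME_module appears in LIST.
has_module() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2_module[[:space:]]"
}

# cgi_module_for LIST: prints the CGI module that matches the loaded MPM
# (prefork -> cgi, worker/event -> cgid), or "unknown".
cgi_module_for() {
    if has_module "$1" mpm_prefork; then
        echo cgi
    elif has_module "$1" mpm_worker || has_module "$1" mpm_event; then
        echo cgid
    else
        echo unknown
    fi
}

# preflight LIST: prints "ok", or the a2enmod command still needed.
preflight() {
    missing=""
    want=$(cgi_module_for "$1")
    if [ "$want" = unknown ]; then
        echo "no known MPM loaded"
        return 2
    fi
    for m in alias mime; do
        has_module "$1" "$m" || missing="$missing $m"
    done
    # Either CGI module satisfies the config; suggest the one for this MPM.
    if ! has_module "$1" cgi && ! has_module "$1" cgid; then
        missing="$missing $want"
    fi
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "sudo a2enmod$missing"
    return 1
}

# Constructed sample resembling the server before the fix (not real output).
SAMPLE_BEFORE=' core_module (static)
 mpm_prefork_module (shared)
 alias_module (shared)
 mime_module (shared)
 ssl_module (shared)'

preflight "$SAMPLE_BEFORE" || true   # on a real host: preflight "$(apache2ctl -M)"
```

Running it before cut-over on the new host shows the missing CGI module up front, rather than as a 404 on the first clone.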

