Girocco::Project: Make update() return values consistent

[girocco/testingthisout.git] / README

This is the duct tape that ties repo.or.cz together, codenamed Girocco.
You will find some hardcoded paths inside, and some other kludgy stuff; we are
working on cleaning it up, though.

The user interface is kept in the cgi/ subdirectory (repo.or.cz/m/ is symlink
to that).

There are two modes of operation for each project: hosting and mirroring.


Hosting mode
------------

(All uids and gids are allocated from range 65536..infty. All passwords are
stored in DES crypt(3) format because Apache is moronic - in the past the group
file was also used as htpasswd file.)


This is how the push access is provided:

The whole setup is confined in a chroot with its own instance of sshd running.
The chroot looks like:

drwxr-xr-x root     repo  /
drwxr-xr-x root     repo  /bin
------x--x root     repo  /bin/sh
------x--x root     root  /bin/git-index-pack
------x--x root     root  /bin/git-pack-objects
------x--x root     root  /bin/git-receive-pack
------x--x root     root  /bin/git-repack
------x--x root     root  /bin/git-rev-list
------x--x root     root  /bin/git-shell
------x--x root     root  /bin/git-unpack-objects
------x--x root     root  /bin/git-update-server-info
------x--x root     root  /bin/git-upload-pack
drwxr-xr-x root     repo  /sbin
---x------ root     repo  /sbin/sshd
drwxr-xr-x root     repo  /lib
-r-xr-xr-x root     repo  /lib/libwrap.so.0
-r-xr-xr-x root     repo  /lib/libpam.so.0
-r-xr-xr-x root     repo  /lib/libresolv.so.2
-r-xr-xr-x root     repo  /lib/libcrypto.so.0.9.7
-r-xr-xr-x root     repo  /lib/libutil.so.1
-r-xr-xr-x root     repo  /lib/libz.so.1
-r-xr-xr-x root     repo  /lib/libnsl.so.1
-r-xr-xr-x root     repo  /lib/libcrypt.so.1
-r-xr-xr-x root     repo  /lib/libpthread.so.0
-r-xr-xr-x root     repo  /lib/libc.so.6
-r-xr-xr-x root     repo  /lib/ld-linux.so.2
-r-xr-xr-x root     repo  /lib/libnss_compat.so.2
-r-xr-xr-x root     repo  /lib/libgcc_s.so.1
-r-xr-xr-x root     repo  /lib/libdl.so.2
drwxrwsr-x repo     repo  /etc
-rw-rw-r-- www-data repo  /etc/passwd
-rw-rw-r-- www-data repo  /etc/group
drwxr-x--- root     repo  /etc/ssh
-rw-r--r-- root     repo  /etc/ssh/moduli
-rw------- root     repo  /etc/ssh/ssh_host_rsa_key
-rw-r--r-- root     repo  /etc/ssh/ssh_host_rsa_key.pub
-rw------- root     repo  /etc/ssh/ssh_host_dsa_key
-rw-r--r-- root     repo  /etc/ssh/ssh_host_dsa_key.pub
-rw-r--r-- root     repo  /etc/ssh/sshd_config
drwxrwsr-x repo     repo  /etc/sshkeys
drwxrwsr-x pasky    repo  /srv/git
drwxr-xr-x root     repo  /var
drwxr-xr-x root     root  /var/run
drwxr-xr-x root     repo  /var/run/sshd
---------- 65538    root  /var/run/mob
-rw-r--r-- root     root  /var/run/sshd.pid
drwxr-xr-x root     root  /srv
drwxr-xr-x root     root  /dev
crw-rw-rw- root     root  /dev/null
crw-rw-rw- root     root  /dev/zero
crw-rw-rw- root     root  /dev/random
cr--r--r-- root     root  /dev/urandom
srw-rw-rw- root     root  /dev/log
lrwxrwxrwx root     root  /usr -> .

There is a (non-chroot) system user 'repo' and a group of the same name (the
webserver is member of the group; TODO: suexec). The files in /etc are owned
by repo.repo and group-writable, as well as all files in /srv/git/*/ but
refs/**, info/**, and objects/** which are repo.project. /var/run/mob has zero
permissions bits but is owned by the mob user.


When you register a project, it will get a gid allocation and you will set a
password for it. The triple is stored in a group(5) file (but containing just
the project groups):

        projname:crypt:gid:list,of,users

When you register a user, it will get a uid allocation and you will upload
an ssh public key for it. The user is stored in a passwd(5) file (but
containing just the repo.or.cz users; 65534 is nogroup):

        username:x:uid:65534:email:/:/bin/git-shell

The authorized keys are stored in /etc/sshkeys/username.

When you (un)assign user to a project, you just manipulate the list of users
for the project in /etc/group. The web interface for the project administration
is protected by the group password; chroot/etc/group is used as the htpasswd
file here.

Since Apache is not in the project groups, there is a special cronjob run
every minute to fix up the permissions for the refs/, info/, and objects/
project directories, under the root user.


Mirror mode
-----------

To keep things safe and neat, repo.or.cz is job-controlled: the only thing the
cgi script does is scheduling a clone job (by creating a directory with some
files at a magic location) and then the clonecheck.sh script is invoked every
minute by cron (under more reasonable uid) to check if there are any jobs
scheduled, and calls clone.sh to do the clone itself, notifying the user about
the results.

The script that keeps repositories up-to-date is updatecheck.sh, being run
by cron every hour and calling update.sh for all the relevant repositories.

updateglibc.sh stands somewhat out of the crowd and keeps the Git mirror of
the glibc CVS repository up-to-date, so it's probably not interesting for
anyone.

To make sure a project is not pushable when in mirror mode, the last colon
in the /etc/group entry for the project is doubled.


Girocco
-------

Until Jul 2008, we called all the repo.or.cz machinery just 'repo', however
that is not very good name, especially since we are now working at making
the machinery suitable for universal usage even outside of repo.or.cz.
Thankfully, Jan Engelhart invented a nice name 'Girocco', standing for
'GIt Repo.Or.Cz COdebase'.