author | Pete Travis <immanetize@fedoraproject.org> | 2014-04-22 23:08:33 -0600
---|---|---
committer | Pete Travis <immanetize@fedoraproject.org> | 2014-04-22 23:08:33 -0600
commit | a4cd831fbd924b766eb58b020a649f2f05b36807 |
tree | 01c537d3d029f3453def9073bb9325c60223531b |
parent | f369d8892b3af2727935c72b9b096d00fa311224 |
Starting a recipe on using a locked down account for automated git pulls
-rw-r--r-- | en-US/git/secure-git-pull.xml | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/en-US/git/secure-git-pull.xml b/en-US/git/secure-git-pull.xml new file mode 100644 index 0000000..c2d21f3 --- /dev/null +++ b/en-US/git/secure-git-pull.xml 
@@ -0,0 +1,142 @@ + +<?xml version='1.0' encoding='utf-8' ?> + <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ + <!ENTITY % BOOK_ENTITIES SYSTEM "Fedora_Cookbook.ent"> + %BOOK_ENTITIES; +]> +<!-- Do not edit above this line --> +<!-- + Please provide some information so we can give you credit: + name: Pete Travis + fas_id: immanetize + email: immanetize@fedoraproject.org +--> + +<section id="secure_git_pull"> + <title>Secure deployment with Git and SSH</title> + <para> + Git, a distributed version control system, can be used to transfer software and other files to remote systems. By configuring the remote system to pull content from a git repository on a schedule, deployment can be accomplished with a simple local merge. Configuring the system that hosts the repository to restrict access from the remote system enhances security without affecting the method's usefulness. + </para> + <section id="secure_git_pull-ingredients"> + <title>Required Ingredients</title> + <!-- list packages, services, other recipes etc that are required --> + <itemizedlist> + <listitem><para> + Two computers running Fedora with a working network connection. + </para></listitem> + <listitem><para> + Git installed on both systems, and a git repository on one. + <!-- TODO: need git recipe! --> + </para></listitem> + <listitem><para> + A dedicated user account. + </listitem></para> + <listitem><para> + A dedicated <xref linkend="section-id">SSH authentication key</section> + </para></listitem> + </itemizedlist> + </section> + <section id="secure_git_pull-directions"> + <title>Directions</title> + <procedure> + <title>Configuring the host</title> + <step><para> + Create and configure a new user account to use for the transfer. For security reasons, this account will only be allowed to interact with git. + <substeps> + <step> + <para>First, identify the path to your git repository. 
Store it in a shell variable, for convenience.</para> + <screen> + <command> + <replaceable>repo_directory=/srv/repos/my-project.git</replaceable> + </command> + </screen> + </step> + <step> + <para>Create the user account.</para> + <screen> + <command> + useradd --home $repo_directory --shell /usr/bin/git-shell <replaceable>puller</replaceable> + </command> + </screen> + <para> + The options given to <command>useradd</command> restrict the user's account. Refer to the explanation below, and <command>man useradd</command> for further insight. + </para> + <simplelist> + <member> + <parameter>--home $repo_directory</parameter> - sets the account's home directory as the repository, using the shell variable from the previous step. + </member> + <member> + <parameter>--shell /usr/bin/git-shell</parameter> - Sets the login shell to <application>git shell</application>, a special utility provided with git that will only allow the user to execute git commands. + </member> + <member> + <parameter><replaceable>puller</replaceable></parameter> - The name of the user to create. Name the account something that will remind you of its purpose. + </member> + </simplelist> + </step> + <step> + <para> + Copy the <literal>public</literal> half of your ssh key into the user's home directory. + <screen> + <command>mkdir $repo_directory/.ssh/</command> + <command> + cp <replaceable>puller_id_rsa</replaceable>.pub $repo_direcory/.ssh/ + </command> + </screen> + </para> + </step> + <step> + <para>Give the user read only access to the repository</para> + <screen> + <command> + <!-- appropriate setfacl invocations here --> + </command> + </screen> + </step> + <step> + <formalpara> + <title><emphasis>Optional:</emphasis> tell git to ignore the ssh key</title> + <para> + You can add the ssh public key to your git repository to share it, or tell git to ignore they key with the instructions below. 
+ <screen> + <command>pushd $repo_directory</command> + <command>echo ".ssh/" >> .gitignore</command> + <command>git add .gitignore</command> + <command>git commit -m "Ignore $repo_directory/.ssh"</command> + <command>popd</command> + </screen> + </para> + </formalpara> + </step> + </substeps> + <step> + <para> + Configure the remote host to use your repository + </para></step> + <step> + <para /> + </step> + <step> + <para /> + </step> + <step> + <para /> + </step> + </procedure> + </section> + + <section> + <title>References</title> + <itemizedlist> + <listitem> + <para><ulink url="http://example.com">Upstream Documentation</ulink></para> + </listitem> + <listitem> + <para><ulink url="http://example.com/myblog/posts/todays_date" /></para> + </listitem> + </itemizedlist> + </section> + +</section> + + |
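Review bot: the key-installation step in this hunk does not actually grant the puller account SSH access, and the commands around it cannot work as written. sshd only consults `~/.ssh/authorized_keys`, so `cp puller_id_rsa.pub $repo_direcory/.ssh/` needs to append the key to `$repo_directory/.ssh/authorized_keys` instead of dropping a `.pub` file into the directory; `$repo_direcory` is also misspelled, so the unset variable expands to nothing and the file lands in `/.ssh/`. The `.ssh` directory then needs to be owned by the new user with mode 700 and `authorized_keys` mode 600, or sshd's StrictModes check will refuse the key. Putting `.ssh` inside the repository and committing a `.gitignore` with `git add .gitignore` assumes a working tree, but the example path `/srv/repos/my-project.git` is a bare repository, so either keep the home directory separate from the repository (drop `--home $repo_directory`) or drop the `.gitignore` step. The read-only step is still an empty `<!-- appropriate setfacl invocations here -->` comment, and `git-shell` by itself still accepts `git-receive-pack`, so pushes are blocked only once those filesystem permissions are in place; prefixing the `authorized_keys` entry with `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` would further confine the key to git transport. Finally the XML will not validate: `</listitem></para>` closes the tags in the wrong order, `<xref linkend="section-id">SSH authentication key</section>` should be an empty `<xref linkend="..."/>` pointing at a real section id, and the outer `<step>` that wraps `<substeps>` is missing its closing `</para></step>` before the next `<step>`.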