Diffstat (limited to 'tmp/en-US/xml/git/secure-git-pull.xml')
-rw-r--r-- | tmp/en-US/xml/git/secure-git-pull.xml | 162 |
1 files changed, 0 insertions, 162 deletions
diff --git a/tmp/en-US/xml/git/secure-git-pull.xml b/tmp/en-US/xml/git/secure-git-pull.xml deleted file mode 100644 index 0875588..0000000 --- a/tmp/en-US/xml/git/secure-git-pull.xml +++ /dev/null 
@@ -1,162 +0,0 @@ -<?xml version='1.0' encoding='utf-8' ?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ -<!ENTITY YEAR "2014"> -<!ENTITY HOLDER "| You need to change the HOLDER entity in the en-US/Fedora_Cookbook.ent file |"> -<!ENTITY PRODUCT "Fedora Documentation"> -<!ENTITY BOOKID "cookbook"> -<!ENTITY BZURL "<ulink url='https://bugzilla.redhat.com/enter_bug.cgi?product=&PRODUCT;&component=&BOOKID;'>http://bugzilla.redhat.com/</ulink>"> - -]> -<section id="secure_git_pull" lang="en-US"> - <!-- Do not edit above this line --><!-- - Please provide some information so we can give you credit: - name: Pete Travis - fas_id: immanetize - email: immanetize@fedoraproject.org - --> <title>Secure deployment with Git and SSH</title> - <para> - Git, a distributed version control system, can be used to transfer software and other files to remote systems. By configuring the remote system to pull content from a git repository on a schedule, deployment can be accomplished with a simple local merge. Configuring the system that hosts the repository to restrict access from the remote system enhances security without affecting the method's usefulness. - </para> - <section id="secure_git_pull-ingredients"> - <title>Required Ingredients</title> - <!-- list packages, services, other recipes etc that are required --> <itemizedlist> - <listitem> - <para> - Two computers running Fedora with a working network connection. - </para> - </listitem> - <listitem> - <para> - Git installed on both systems, and a git repository on one. <!-- TODO: need git recipe! --> - </para> - </listitem> - <listitem> - <para> - A dedicated user account. 
- </para> - </listitem> - <listitem> - <para> - A dedicated <xref linkend="ssh-keygen">SSH authentication key</xref> - </para> - </listitem> - - </itemizedlist> - - </section> - - <section id="secure_git_pull-directions"> - <title>Directions</title> - <procedure> - <title>Configuring the host</title> - <step> - <para> - Create and configure a new user account to use for the transfer. For security reasons, this account will only be allowed to interact with git. - </para> - </step> - <substeps> - <step> - <para> - First, identify the path to your git repository. Store it in a shell variable, for convenience. - </para> - -<screen> - <command> <replaceable>repo_directory=/srv/repos/my-project.git</replaceable> </command> -</screen> - - </step> - <step> - <para> - Create the user account. - </para> - -<screen> - <command> useradd --home $repo_directory --shell /usr/bin/git-shell <replaceable>puller</replaceable> </command> -</screen> - <para> - The options given to <command>useradd</command> restrict the user's account. Refer to the explanation below, and <command>man useradd</command> for further insight. - </para> - <simplelist> - <member> <parameter>--home $repo_directory</parameter> - sets the account's home directory as the repository, using the shell variable from the previous step. </member> - <member> <parameter>--shell /usr/bin/git-shell</parameter> - Sets the login shell to <application>git shell</application>, a special utility provided with git that will only allow the user to execute git commands. </member> - <member> <parameter><replaceable>puller</replaceable></parameter> - The name of the user to create. Name the account something that will remind you of its purpose. </member> - - </simplelist> - - </step> - <step> - <para> - Copy the <literal>public</literal> half of your ssh key into the user's home directory. 
-<screen> - <command>mkdir $repo_directory/.ssh/</command> - <command> cp <replaceable>puller_id_rsa</replaceable>.pub $repo_direcory/.ssh/ </command> -</screen> - - </para> - - </step> - <step> - <para> - Give the user read only access to the repository - </para> - -<screen> - <command> <!-- appropriate setfacl invocations here --> </command> -</screen> - - </step> - <step> - <formalpara> - <title><emphasis>Optional:</emphasis> tell git to ignore the ssh key</title> - <para> - You can add the ssh public key to your git repository to share it, or tell git to ignore they key with the instructions below. -<screen> - <command>pushd $repo_directory</command> - <command>echo ".ssh/" >> .gitignore</command> - <command>git add .gitignore</command> - <command>git commit -m "Ignore $repo_directory/.ssh"</command> - <command>popd</command> -</screen> - - </para> - - </formalpara> - - </step> - - </substeps> - <step> - <para> - Configure the remote host to use your repository - </para> - </step> - - </procedure> - - - </section> - - <section> - <title>References</title> - <itemizedlist> - <listitem> - <para> - <ulink url="http://example.com">Upstream Documentation</ulink> - </para> - - </listitem> - <listitem> - <para> - <ulink url="http://example.com/myblog/posts/todays_date" /> - </para> - - </listitem> - - </itemizedlist> - - </section> - - -</section> - - |
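Review bot: the deleted path sits under tmp/ and the file carries inlined entity declarations and a "Do not edit above this line" marker, so it reads as generated build output rather than source. Nothing in this change keeps it from being committed again, so consider adding tmp/ to .gitignore alongside the deletion. If the recipe source is kept elsewhere, three defects visible in the removed lines are worth fixing there. The cp command targets `$repo_direcory/.ssh/`, a misspelled variable that expands to an empty string, so the key would be copied to /.ssh/. The public key is copied as a loose .pub file rather than appended to .ssh/authorized_keys, which is where sshd looks by default, so the puller account could not authenticate with it. The "read only access" step holds only the placeholder comment `<!-- appropriate setfacl invocations here -->`, leaving the access restriction the introduction promises undocumented.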