<?xml version='1.0' encoding='utf-8' ?>
 <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" 
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % BOOK_ENTITIES SYSTEM "Fedora_Cookbook.ent">
    %BOOK_ENTITIES;
]>
<!-- Do not edit above this line -->
<!-- 
     Please provide some information so we can give you credit:
     name: Pete Travis
     fas_id: immanetize
     email: immanetize@fedoraproject.org
-->

<section id="secure_git_pull">
  <title>Secure deployment with Git and SSH</title>
  <para>
    Git, a distributed version control system, can be used to transfer software and other files to remote systems. By configuring the remote system to pull content from a git repository on a schedule, deployment can be accomplished with a simple local merge.  Configuring the system that hosts the repository so that the remote system can do nothing except read that one repository limits the damage a compromised deployment target can do, without affecting the method's usefulness.
  </para>
  <section id="secure_git_pull-ingredients">
    <title>Required Ingredients</title>
    <!-- list packages, services, other recipes etc that are required -->
    <itemizedlist>
      <listitem><para>
          Two computers running Fedora with a working network connection.
      </para></listitem>
      <listitem><para>
        Git installed on both systems, and a git repository on one.
        <!-- TODO: need git recipe! -->
      </para></listitem>
      <listitem><para>
          A dedicated user account.
      </para></listitem>
      <listitem><para>
          A dedicated <xref linkend="ssh-keygen">SSH authentication key</xref>
      </para></listitem>
    </itemizedlist>
  </section>
  <section id="secure_git_pull-directions">
  <title>Directions</title>
    <procedure>
      <title>Configuring the host</title>
      <step><para>
          Create and configure a new user account to use for the transfer.  For security reasons, this account will only be allowed to interact with git and, once the following steps are complete, only to read the repository.
      </para></step>
          <substeps>
            <step>
              <para>First, identify the path to your git repository. Store it in a shell variable, for convenience.</para>
              <screen>
                <command>
                  <replaceable>repo_directory=/srv/repos/my-project.git</replaceable>
                </command>
              </screen>
            </step>
            <step>
              <para>Create the user account.</para>
              <screen>
                <command>
                  useradd --home $repo_directory --shell /usr/bin/git-shell <replaceable>puller</replaceable>
                </command>
              </screen>
              <para>
                The options given to <command>useradd</command> restrict the user's account. Refer to the explanation below, and <command>man useradd</command> for further insight.
              </para>
              <simplelist>
                <member>
                  <parameter>--home $repo_directory</parameter> - sets the account's home directory to the repository, using the shell variable from the previous step. <application>sshd</application> looks for the account's authorized keys under this directory, so the directory must not be writable by other users or <application>sshd</application> will reject the key when <option>StrictModes</option> is enabled (the default).
                </member>
                <member>
                  <parameter>--shell /usr/bin/git-shell</parameter> - Sets the login shell to <application>git shell</application>, a special utility provided with git that will only allow the user to execute git commands. Note that this includes <command>git-receive-pack</command> (push); <application>git shell</application> alone does not make the account read-only, the filesystem permissions set in a later step do.
                </member>
                <member>
                  <parameter><replaceable>puller</replaceable></parameter> - The name of the user to create.  Name the account something that will remind you of its purpose.
                </member>
              </simplelist>
            </step>
            <step>
              <para>
                Install the <literal>public</literal> half of your ssh key as the user's <filename>authorized_keys</filename>. <application>sshd</application> only consults <filename>~/.ssh/authorized_keys</filename>; a <filename>.pub</filename> file merely copied into the directory grants nothing. Keep the directory and file private to the account, or <application>sshd</application> will refuse the key when <option>StrictModes</option> is enabled. To limit what the key can do beyond git, you can additionally prefix its line in <filename>authorized_keys</filename> with the <literal>restrict</literal> option (refer to <command>man sshd</command>, section AUTHORIZED_KEYS FILE FORMAT).
                <screen>
                  <command>mkdir -m 700 $repo_directory/.ssh/</command>
                  <command>
                    cat <replaceable>puller_id_rsa</replaceable>.pub &gt;&gt; $repo_directory/.ssh/authorized_keys
                  </command>
                  <command>chmod 600 $repo_directory/.ssh/authorized_keys</command>
                  <command>chown -R <replaceable>puller</replaceable> $repo_directory/.ssh/</command>
                </screen>
              </para>
            </step>
            <step>
              <para>Give the user read only access to the repository. This is the step that actually enforces read-only: <application>git shell</application> accepts push as well as fetch, so the account must have no write permission on the repository's files. Because the account's home directory is a pre-existing directory, <command>useradd</command> does not change its ownership; grant read access explicitly rather than relying on the account owning it.</para>
              <screen>
                <command>
                  <!-- appropriate setfacl invocations here -->
                </command>
              </screen>
            </step>
            <step>
              <formalpara>
                <title><emphasis>Optional:</emphasis> tell git to ignore the ssh key</title>
                <para>
                  You can add the ssh public key to your git repository to share it, or tell git to ignore the key with the instructions below. Bear in mind that anything committed here is served to every client that pulls, and that <filename>.ssh/authorized_keys</filename> reveals which keys are granted access, so ignoring the directory is the safer choice. These commands assume a repository with a working tree; a bare repository has no <filename>.gitignore</filename> to edit.
                <screen>
                  <command>pushd $repo_directory</command>
                  <command>echo ".ssh/" &gt;&gt; .gitignore</command>
                  <command>git add .gitignore</command>
                  <command>git commit -m "Ignore $repo_directory/.ssh"</command>
                  <command>popd</command>
                </screen>
              </para>
            </formalpara>
          </step>
        </substeps>
        <step>
          <para>
            Configure the remote host to pull from your repository as the <replaceable>puller</replaceable> account, authenticating with the private half of the dedicated key. Keep that private key readable only by the account that performs the scheduled pull.
       </para></step>
     </procedure>
  </section>

  <section>
    <title>References</title>
    <itemizedlist>
      <listitem>
        <para><ulink url="http://example.com">Upstream Documentation</ulink></para>
      </listitem>
      <listitem>
        <para><ulink url="http://example.com/myblog/posts/todays_date" /></para>
      </listitem>
    </itemizedlist>
  </section>

</section>