1.安装git
yum install git
#查看git安装路径
[root@localhost ~]# whereis git
git: /usr/bin/git /usr/share/man/man1/git.1.gz
AI 代码解读
2.创建git用户并设置密码
useradd -m -d /home/git -U git passwd gitAI 代码解读
3.客户机生成管理员密钥
进入客户机用户主目录中存放密钥的目录,请确认客户机已经安装了git,windows安装git自带ssh-keygen,linux需先安装openssh
cd ~/.ssh
AI 代码解读
下面是生成的过程,三次回车便可。-f指定文件名,不指定默认id_rsa,-C指定备注信息
ssh-keygen -t rsa -f admin -C "admin key"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in admin.
Your public key has been saved in admin.pub.
The key fingerprint is:
SHA256:LDUsBMGwy7M6ATvFKwwTEVAGDoXWXwxvT8OHfIzvX/M admin key
The key's randomart image is:
+---[RSA 2048]----+
|BB*oo++ |
|=o o...+o + |
|.+. . oo+B + |
|+.o. ..+o.= |
|+++. . S. . |
|=..o . . |
| +. . o |
|.. . . o|
|.. . E|
+----[SHA256]-----+
AI 代码解读
同样方法生成一个普通用户的密钥,以供后续测试
ssh-keygen -t rsa -f testdev -C "testdev key"
AI 代码解读
创建配置文件config,没有扩展名哦,之后的文件列表应该是这样子的
PS C:\Users\xxx\.ssh> ls
目录: C:\Users\xxx\.ssh
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2018/12/29 19:32 1675 admin
-a---- 2018/12/29 19:32 392 admin.pub
-a---- 2018/12/29 19:30 0 config
-a---- 2018/12/29 19:32 1675 testdev
-a---- 2018/12/29 19:32 394 testdev.pub
AI 代码解读
config文件写入如下信息,不同用户指定不同密钥
host gitadmin hostname 192.168.75.134 port 22 identityfile ~/.ssh/admin host gittest hostname 192.168.75.134 port 22 identityfile ~/.ssh/testdevAI 代码解读
4.scp或rz命令将admin.pub公钥上传至服务器/tmp目录下,这步只上传管理员的密钥
[root@localhost tmp]# ls
admin.pub yum.log
AI 代码解读
5.安装gitolite依赖
yum install perl opensshAI 代码解读
6.克隆gitolite仓库并安装
切换git用户
su gitAI 代码解读
进入git主目录
cd $HOME
AI 代码解读
克隆
git clone https://github.com/sitaramc/gitolite
AI 代码解读
创建bin目录
mkdir bin
AI 代码解读
安装到bin目录
gitolite/install -to $HOME/bin
AI 代码解读
把管理员的公钥setup到gitolite中
cd $HOME
$HOME/bin/gitolite setup -pk /tmp/admin.pub
AI 代码解读
7.克隆管理员仓库
#查看gitolite初始的两个仓库
ls repositories
gitolite-admin.git #管理员仓库
testing.git #测试仓库
AI 代码解读
克隆gitolite-admin.git仓库到客户机,也可以直接在服务器上克隆管理
$ git clone git@gitadmin:gitolite-admin
Cloning into 'gitolite-admin'...
The authenticity of host '192.168.75.134 (192.168.75.134)' can't be established.
RSA key fingerprint is SHA256:+pmq2Ry0m51xMwo0NGAIolV0W4VEhOqT9dm0RKZ2abE.
Are you sure you want to continue connecting (yes/no)?
#选择yes,本次请求公钥会被记录在~.ssh/known_hosts中
Warning: Permanently added '192.168.75.134' (RSA) to the list of known hosts.
remote: Counting objects: 6, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 6 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (6/6), done.
AI 代码解读
查看目录
$ ls
gitolite-admin/
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository
$ cd gitolite-admin/
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/gitolite-admin (master)
$ ls
conf/ keydir/
AI 代码解读
8.使用gitolite-admin仓库对git进行权限管理
进入keydir目录
$ cd keydir/
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/gitolite-admin/keydir (master)
$ ls
admin.pub
AI 代码解读
我们刚才上传到服务器/tmp目录下的管理员公钥被安装在了这里...???
因为gitolite是托管git的工具,客户机对服务器的所有git操作都由gitolite来接收,然后传达给git服务器,gitolite将用户的操作请求交给git服务器之前,会先做鉴权
所以在clone时,仓库地址一定按照gitolite要求的规则写,比如clone管理仓库
$ git clone git@gitadmin:gitolite-admin
AI 代码解读
如果客户机只有一个用户操作git服务器,生成密钥时,-f参数可以不写(并且不需要在config中设置规则),默认会生成id_rsa
ssh-keygen -t rsa -C "admin key"
AI 代码解读
客户机向git服务器发出clone请求时,会在~/.ssh目录中优先寻找id_rsa密钥,那么clone就可以这么写
$ git clone git@192.168.75.134:gitolite-admin
AI 代码解读
二者是等效的,当然仓库名你也可以带上.git
虽然gitolite-admin.git仓库存在于服务器/home/git/repositories/gitolite-admin.git中,但你不能这样克隆
$ git clone git@192.168.75.134:/home/git/repositories/gitolite-admin.git
AI 代码解读
重要的事情说三遍...不能这样克隆...不能这样克隆...不能这样克隆...
因为这样clone不符合gitolite要求,绕过了gitolite直接请求了git,那么gitolite的鉴权就没有被执行,后续的钩子也会失败...等灯等灯
并且/home/git/.ssh/authorized_keys这个认证密钥文件也必须交给gitolite来维护
新增普通用户并设置权限
我们在安装gitolite时就设定了admin是管理用户,现在我们将testdev和admin用户都设置为可对testing.git测试仓库进行读写,但testdev用户不能推送和回滚master分支
将testdev用户的公钥拷贝到keydir目录必须是testdev.pub
$ ls
admin.pub testdev.pub
AI 代码解读
配置conf目录中的gitolite.conf如下
@leader = admin @developer = testdev repo gitolite-admin RW+ = @leader repo testing R = @developer - master = @developer RW = @developer RW+ = @leaderAI 代码解读
repo代表仓库的意思,如果新添加一个repo,代表服务端新建一个空仓库,仓库push到服务端后会自动创建。
RW 代表可读可写
RW+代表可读可写可回滚
-代表拒绝
@leader定义管理组宏
@developer定义开发组宏
@all则代表所有人
master代表分支
进入仓库根目录,推送
$ cd gitolite-admin/
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/gitolite-admin (master)
$ ls
conf/ keydir/
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/gitolite-admin (master)
$ git add .
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/gitolite-admin (master)
$ git commit -m "admin test"
[master 8e7cd13] admin test
2 files changed, 4 insertions(+), 1 deletion(-)
create mode 100644 keydir/testdev.pub
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/gitolite-admin (master)
$ git push
Enumerating objects: 10, done.
Counting objects: 100% (10/10), done.
Delta compression using up to 12 threads
Compressing objects: 100% (5/5), done.
Writing objects: 100% (6/6), 794 bytes | 794.00 KiB/s, done.
Total 6 (delta 0), reused 0 (delta 0)
To gitadmin:gitolite-admin
aa44037..8e7cd13 master -> master
AI 代码解读
进入服务器查看testdev的密钥是否已经添加进去了
[git@localhost ~]$ cat /home/git/.ssh/authorized_keys
#gitolite start
command="/home/git/bin/gitolite-shell admin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3Nza......PdyoooNQYpL admin key
command="/home/git/bin/gitolite-shell testdev",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N......gHolS/1QLUp testdev key
#gitolite end
AI 代码解读
客户机结合本地config配置测试权限是否正确
PS C:\Users\xxx\.ssh> ssh git@gitadmin PTY allocation request failed on channel 0 hello admin, this is git@localhost running gitolite3 v3.6.10-2-g64aa53b on git 1.7.1 R W gitolite-admin R W testing Connection to 192.168.75.134 closed. PS C:\Users\xxx\.ssh> ssh git@gittest PTY allocation request failed on channel 0 hello testdev, this is git@localhost running gitolite3 v3.6.10-2-g64aa53b on git 1.7.1 R W testing Connection to 192.168.75.134 closed.AI 代码解读
9.testdev用户克隆testing.git仓库(这个仓库是空的哦,管理员需要pull下来,新建个空文件README.md,再commit,push上去并创建master分支)
clone下来,在README.md中随便写点什么
$ git clone git@gittest:testing.git
AI 代码解读
推送
$ git add .
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/testing (master)
$ git commit -m "new commit"
[master (root-commit) 6310141] new commit
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 README.md
xxx@DESKTOP-CR69BB6 MINGW64 /e/repository/testing (master)
$ git push
Enumerating objects: 8, done.
Counting objects: 100% (8/8), done.
Delta compression using up to 12 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 410 bytes | 410.00 KiB/s, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: FATAL: W refs/heads/master testing testdev DENIED by refs/heads/master
remote: error: hook declined to update refs/heads/master
To gittest:testing.git
! [remote rejected] master -> master (hook declined)
error: failed to push some refs to 'git@gittest:testing.git'
AI 代码解读
是不是对master的push被拒绝了,ok...
部署过程中要严格按照gitolite要求的规则来,操作时只要提示输入密码,这就是错误的,应该去检查客户机和服务器上gitolite托管的密钥是否正确
原文地址:https://www.jmsite.cn/blog-242.html
