Quickly set up a Git server with gitolite, gitweb, ssh and http auth

by jagbir on March 30, 2012

As per the official definition, Git is a free & open source, distributed version control system designed to handle everything from small to very large projects with speed and efficiency. Here I describe the steps I followed to set up a Git server along with Gitolite, Gitweb, ssh and http auth on a RHEL5 machine. I did the installation using RPMs (the lazy man's method), which I got from here: http://pkgs.repoforge.org/git/

Step 1: Download the required RPMs or install using source

Here are the RPMs I downloaded from the source mentioned above (of course, download the latest versions of these RPMs when you do the installation):


You may also need some Perl dependencies, which you can install through CPAN or as RPMs. I needed the ones below:

perl-TermReadKey-2.30-3.el5.rf.x86_64.rpm (Optional)
perl-Error-0.17017-1.el5.rf.noarch.rpm (Optional)

Step 2: Install the RPMs:

$ rpm -ivh perl-DBI-1.617-1.el5.rfx.x86_64.rpm perl-TermReadKey-2.30-3.el5.rf.x86_64.rpm perl-Error-0.17017-1.el5.rf.noarch.rpm git- perl-Git-  gitolite- gitweb-

We have Git, Gitolite and Gitweb installed now.

Step 3: Configure Gitolite for authentication/authorization:

We need to configure Gitolite and the information for that is already described here so I am skipping that part.

Step 4: (Optional) Test Git with Gitolite:

It's worth quickly testing Git with the Gitolite you just installed/configured. Go to your PC and, if you run Linux, generate a public/private key pair using the ssh-keygen utility in case you don't already have one. For testing purposes, you can use the following command:

$ /usr/bin/ssh-keygen -N '' -t rsa -f /root/.ssh/id_rsa

In case you are using Windows (which unfortunately I am using as of now), you can use the puttygen utility and refer to a good tutorial here for the exact process.

Copy your public key file to the Git server, rename it to yourname.pub and put it in this directory so that Gitolite can read it when needed: /var/lib/gitolite/.gitolite/keydir/

Time to clone the gitolite-admin repository now. On Linux, just use:

$ git clone git@serverip:gitolite-admin

For Windows, you can install msysgit and, optionally, a cool Git client like TortoiseGit from here. To clone the gitolite-admin repository, browse to any directory, right click, choose Git Clone… and fill in the required information.

The clone should succeed and you will have the gitolite-admin repository on your PC. Go inside and update gitolite.conf to add new repositories/users. This process is described here if you want to continue testing.

Step 5: Configure Gitweb, http access of Git

This process is also documented by the original author here, but that is for OpenSuSE and while following it I ran into some issues, so I am posting here the information to set this up on a RHEL machine, which is working for me. You may want to refer to that documentation if things are not clear from my instructions, because I am not diving into details and the focus is more on practical execution.

Add the following line to the /var/lib/gitolite/.gitolite.rc file:

$GL_GITCONFIG_KEYS = "gitweb.url receive.denyNonFastforwards receive.denyDeletes";

Add some config entries to the gitolite.conf file, along with an entry for the daemon user. My gitolite.conf looks like this:

$ cat /var/lib/gitolite/.gitolite/conf/gitolite.conf
repo    gitolite-admin
        RW+     =   git daemon
repo    tproject
        RW      =   git jagbir daemon
        R       =   @all
        config  gitweb.url = git@serverip:tproject
        config  receive.denyNonFastforwards = true
        config  receive.denyDeletes         = true
repo    @all
        R       =   daemon gitweb

Don't forget to add daemon to all repositories, whether for read-write or just read, to enable browsing through http.

Step 6: Configure Apache under SuExec:
Apache runs as the apache user while our Git repositories belong to the gitolite user. We have to use the SuExec module in Apache so that the CGI programs run as the gitolite user and are able to update information in the repositories. Confirm that the SuExec module is present in your Apache by running $ httpd -M; you should see a suexec_module (shared) line in the output.

Update the permissions of the suexec program. We also need a wrapper script, and to know where to put it, check the compiled-in options of suexec. Here are the commands:

$ chgrp apache /usr/sbin/suexec
$ chmod 4750 /usr/sbin/suexec
$ /usr/sbin/suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_USERDIR_SUFFIX="public_html"

So the path for our wrapper script and Gitweb is /var/www, as shown above in the AP_DOC_ROOT value. Create a wrapper script in the /var/www/bin/ directory (create the bin directory first). My script looks like the one below, which you can copy as is:

$ cat /var/www/bin/gitolite-suexec-wrapper.sh
#!/bin/bash
# suexec wrapper: set the gitolite environment, then hand over to gl-auth-command
export GIT_PROJECT_ROOT="/var/lib/gitolite/repositories"
export GITOLITE_HTTP_HOME="/var/lib/gitolite"
exec /usr/bin/gl-auth-command "$USER"

Because Gitweb will also run as the gitolite user, copy all of its files to the /var/www directory and make sure the gitolite user owns /var/www along with all of its subdirectories and files. Here are the commands:

$ cp -r /usr/share/gitweb /var/www
$ chown -R gitolite.gitolite /var/www

Update the gitweb.conf file to point to the gitolite directory where all the repositories are. The line below should be present in the /etc/gitweb.conf file:

our $projectroot = "/var/lib/gitolite";

Step 7: Configure Virtualhost in Apache:
Here is my apache virtual host file, which you can copy as is (of course, change ServerName, Alias etc as per your values):

$ cat /etc/httpd/conf.d/git.conf
<VirtualHost *:80>
    ServerName  git.mydomain.com
    ServerAlias git
    DocumentRoot /var/www/gitweb
    SuexecUserGroup gitolite gitolite
    SetEnv GIT_PROJECT_ROOT /var/lib/gitolite/projects
    SetEnv GITOLITE_HTTP_HOME /var/lib/gitolite
    # Git HTTP requests go to the suexec wrapper; everything else is served by gitweb.
    # The target on the last line is reconstructed from the wrapper path given in Step 6.
    ScriptAliasMatch \
        "(?x)^/(.*/(HEAD | \
        info/refs | \
        objects/(info/[^/]+ | \
        [0-9a-f]{2}/[0-9a-f]{38} | \
        pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
        git-(upload|receive)-pack))$" \
        /var/www/bin/gitolite-suexec-wrapper.sh/$1
    <Directory "/var/www/gitweb">
        Options ExecCGI
        AllowOverride None
        AddHandler cgi-script .cgi
        DirectoryIndex gitweb.cgi
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/var/www/bin">
        <Files "gitolite-suexec-wrapper.sh">
            Order allow,deny
            Allow from all
        </Files>
    </Directory>
    <Location />
        AuthType Basic
        AuthName "Git Access"
        Require valid-user
        # AuthUserFile must name the file created with htpasswd and be readable by the apache user
        AuthUserFile /var/www/gitweb/authfile
    </Location>
</VirtualHost>

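As you can see, we are using basic authentication here, so you need to create the file that holds the auth information. Basic authentication only base64-encodes the password, so on this plain HTTP (port 80) virtual host it crosses the network unencrypted. Create the file and a sample user (gitolite) to test it. Here -c creates the file and -m stores an MD5 hash; adding -d as well would switch to crypt(), which uses only the first 8 characters of the password:

$ htpasswd -cm /var/lib/gitolite/authfile gitolite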
New password:
Re-type new password:
Adding password for user gitolite
$ cat /var/lib/gitolite/authfile

Make sure you have initialized the repository to enable its access via http. Let's prepare the testing repository for this purpose:

$ cd /var/lib/gitolite/repositories/testing.git
$ sudo -u gitolite git --bare init
$ sudo -u gitolite git update-server-info
$ mv hooks/post-update.sample hooks/post-update
$ chmod +x hooks/post-update

The above steps are needed for http access; otherwise you will get an error like the one below in your Apache error log when trying to clone:

[Tue Apr 10 15:34:16 2012] [error] [client 10.100.xx.xx] Repository not exported: '/var/lib/gitolite/repositories/testing'

All files under /var/www should have gitolite as owner, so let's update the ownership once more:

$ chown -R gitolite:gitolite /var/www

Step 8: Test it out:
Restart Apache and try to browse your server now: http://serverip. It should ask for a username/password and, after you supply the correct ones, you should see the gitweb interface showing your repositories, which you can browse.

In case you see a blank page, it might be an issue with SuExec. Check the suexec log file: /var/log/httpd/suexec.log. You may see a message like:

[2012-03-30 04:14:26]: cannot run as forbidden uid (100/gitweb.cgi)

This means suexec won't execute as a user/group whose userid/groupid is less than 500 (system accounts). In this case you can change the ids of our gitolite user as below:

$ usermod -u 650 gitolite
$ groupmod -g 650 gitolite

650 is just an example here; you can use any value above 500 in case 650 is already used by an existing user/group. As the user/group id has changed, you need to set the ownership of your directories again:

$ chown -R gitolite:gitolite /var/www

Try now and you should be able to browse smoothly. Please leave a comment below if you are still facing any issues and I will try to help you out.
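The suexec rules from Steps 6 and 8 (the target must live under AP_DOC_ROOT, and the uid/gid must not be below the minimum) can be checked before restarting Apache. The script below is an added example, not part of the original article; the function names and the AP_UID_MIN/AP_GID_MIN lines in the sample `suexec -V` output are assumptions, and the sample input is constructed apart from the log line quoted above.

```shell
#!/bin/sh
# Added example (not from the article). Sample input is constructed.

# Print the value of one "-D NAME=value" line; stdin is `suexec -V` output.
suexec_define() {
    awk -v k="$1" '{
        sub(/^[ \t]*-D[ \t]+/, ""); n = index($0, "=")
        if (n && substr($0, 1, n - 1) == k) {
            v = substr($0, n + 1); gsub(/"/, "", v); print v; exit
        }
    }'
}

# check_suexec_target CONF UID GID SCRIPT: prints one line per problem,
# exit status is the number of problems found.
check_suexec_target() {
    conf=$1 uid=$2 gid=$3 script=$4 bad=0
    docroot=$(printf '%s\n' "$conf" | suexec_define AP_DOC_ROOT)
    uid_min=$(printf '%s\n' "$conf" | suexec_define AP_UID_MIN)
    gid_min=$(printf '%s\n' "$conf" | suexec_define AP_GID_MIN)
    # Assumption: use the article's threshold of 500 when suexec reports none.
    uid_min=${uid_min:-500} gid_min=${gid_min:-500}
    [ -n "$docroot" ] || { echo "AP_DOC_ROOT not reported"; return 1; }
    if [ "$uid" -lt "$uid_min" ]; then
        echo "uid $uid is below $uid_min (forbidden uid)"; bad=$((bad + 1))
    fi
    if [ "$gid" -lt "$gid_min" ]; then
        echo "gid $gid is below $gid_min (forbidden gid)"; bad=$((bad + 1))
    fi
    case "$script" in
        */../*|*/..) echo "$script contains '..'"; bad=$((bad + 1)) ;;
        "$docroot"/*) ;;
        *) echo "$script is outside AP_DOC_ROOT $docroot"; bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# Extract "uid/command" from suexec.log lines on stdin.
forbidden_uids() {
    sed -n 's|.*cannot run as forbidden uid (\([0-9][0-9]*/[^)]*\)).*|\1|p'
}

SAMPLE_CONF=' -D AP_DOC_ROOT="/var/www"
 -D AP_UID_MIN=500
 -D AP_GID_MIN=500'
SAMPLE_LOG='[2012-03-30 04:14:26]: cannot run as forbidden uid (100/gitweb.cgi)'

printf '%s\n' "$SAMPLE_LOG" | forbidden_uids
check_suexec_target "$SAMPLE_CONF" 100 100 /var/www/gitweb/gitweb.cgi || true
check_suexec_target "$SAMPLE_CONF" 650 650 /var/www/bin/gitolite-suexec-wrapper.sh
```

On a real server, pass the output of /usr/sbin/suexec -V and the values from id -u gitolite and id -g gitolite instead of the samples.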

Update: If you want to perform authentication using LDAP for git which I have described in next article, you can access it using below link:

* Setup Git auth using LDAP

  • Julio

    I only reached your 4th step, and I have several discrepancies:
    I’m trying in a Centos 5.8, using epel repository to install git/gitolite/gitweb

    1.- I have no /var/lib/gitolite/.gitolite directory. Just /var/lib/gitolite/.ssh. So what?
    2.- If I try git clone git@miserver:gitolite-admin I’m asked for the password (I already did what you said, and also added my rsa key to /var/lib/gitolite/.ssh/authorized_keys just in case)
    3.- If I try to git clone root@myserver:gitolite-admin I get: fatal: ‘gitolite-admin’ does not appear to be a git repository
    fatal: The remote end hung up unexpectedly

    So up to this point, I don’t think everything mentioned here would work for anyone.. OR just people with certain configurations.
    What do you think?

  • http://linuxadminzone.com jagbir

    Hi Julio,
    Sorry to hear that it didn’t work on your system. If your installation is fine, you should get a .gitolite directory under /var/lib/gitolite. Also, you don’t have to add your ssh keys to /var/lib/gitolite/.ssh/authorized_keys; instead, you should put the key file in /var/lib/gitolite/.gitolite/keydir/ and then try to clone the gitolite-admin repository. Could you check the package versions again and try once more?

  • ben

    For some reason I am missing the /usr/bin/gl-auth-command file..

    where do you get it from?

  • cwbuege

    Your links in steps 3 and 5 are no longer valid. Thought that you’d want to know.

    • http://linuxadminzone.com jagbir

      Thanks cwbuege for your comment and info. I will update the article accordingly.
