add: git smart HTTP daemon
authorLucas Werkmeister <mail@lucaswerkmeister.de>
Tue, 28 Mar 2017 09:14:57 +0000 (11:14 +0200)
committerLucas Werkmeister <mail@lucaswerkmeister.de>
Wed, 29 Mar 2017 08:41:26 +0000 (10:41 +0200)
This removes the need for running `git update-server-info` on the
repositories regularly (or on update), possibly speeds up clones (at
least, git clone can now show progress information), and almost
certainly improves reliability on a pull concurrent with a push to the
same repository (the git daemon can respect lock files, nginx can’t).

(We can also probably remove /srv/git from front-nginx, but I’ll do that
in a separate change.)

Change-Id: Iaf67d8f9f7dbe3b95338d9bb548e7c18bf9f0d0a

environments/production/manifests/gitweb.pp
environments/production/manifests/root.pp
modules/gitweb/files/fcgiwrap-ListenStream.conf [new file with mode: 0644]
modules/gitweb/files/fcgiwrap-default [new file with mode: 0644]
modules/gitweb/files/fcgiwrap-sandbox.conf [new file with mode: 0644]
modules/gitweb/templates/nginx.epp

index fc13d5fdab9a5e19281a1bf4c820f8ce6d6688c2..a13d2a6a556eaacbed14900b1fac424142592781 100644 (file)
@@ -7,6 +7,9 @@ node gitweb {
   package{ 'libcgi-fast-perl':
     ensure => 'installed'
   }
+  package{ 'fcgiwrap':
+    ensure => 'installed'
+  }
   user{'git':
     ensure => 'present',
     system => 'yes',
@@ -53,4 +56,30 @@ node gitweb {
     provider => 'systemd',
     enable => true
   }
+  file{ '/etc/systemd/system/fcgiwrap.socket.d':
+    ensure => 'directory'
+  }
+  file{ '/etc/systemd/system/fcgiwrap.socket.d/ListenStream.conf':
+    ensure => 'file',
+    source => 'puppet:///modules/gitweb/fcgiwrap-ListenStream.conf',
+    notify => Service['fcgiwrap.socket']
+  }
+  file{ '/etc/systemd/system/fcgiwrap.service.d':
+    ensure => 'directory'
+  }
+  file{ '/etc/systemd/system/fcgiwrap.service.d/sandbox.conf':
+    ensure => 'file',
+    source => 'puppet:///modules/gitweb/fcgiwrap-sandbox.conf',
+    notify => Service['fcgiwrap.socket']
+  }
+  file{ '/etc/default/fcgiwrap':
+    ensure => 'file',
+    source => 'puppet:///modules/gitweb/fcgiwrap-default',
+    notify => Service['fcgiwrap.socket']
+  }
+  service{'fcgiwrap.socket':
+    ensure => 'running',
+    provider => 'systemd',
+    enable => true
+  }
 }
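Review bot: The `sandbox.conf` drop-in on lines 51-55 is a fcgiwrap.service override but notifies only `Service['fcgiwrap.socket']`; restarting the socket unit does not restart an already-activated fcgiwrap.service, so a later change to the sandboxing options would not take effect until the service itself is restarted. The same applies to `/etc/default/fcgiwrap` on lines 56-60, which is read by the service, not the socket. Whether the Puppet systemd provider in use also runs `systemctl daemon-reload` when a drop-in changes is not visible here; if it does not, the ListenStream override would be picked up only after a manual reload. Consider notifying a `refreshonly` exec that runs `systemctl daemon-reload` and restarts `fcgiwrap.service` from those three file resources, and keep `Service['fcgiwrap.socket']` for the socket drop-in.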
index e2b5d6b11417c6023ad656dd3158f0d46548c49e..db84e8d9653c8b7d3e0d6f55623fe2ede60ce051 100644 (file)
@@ -101,12 +101,13 @@ if $signerLocation == 'self' {
     lxc::container { 'front-nginx':
         contname => 'front-nginx',
         ip => $ips[front-nginx],
-        dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/srv/git'],
+        dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
         bind => {
           "/data/nginx" => {target => "data", option => ",ro"},
           "/data/crl" => {target => "data-crl", option => ",ro"},
           "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"},
           "/run/gitweb-socket" => {target => 'gitweb-socket'},
+          "/run/git-smart-http-socket" => {target => 'git-smart-http-socket'},
           "/data/git" => { 'target' => "srv/git", option => ",ro"}
         },
         require => File['/data/nginx', '/data/crl/htdocs', '/data/gigi-crl']
@@ -192,12 +193,16 @@ if $signerLocation == 'self' {
     file{'/run/gitweb-socket':
         ensure => 'directory'
     }
+    file{'/run/git-smart-http-socket':
+        ensure => 'directory'
+    }
     lxc::container { 'gitweb':
-        require => File['/data/git', '/run/gitweb-socket'],
+        require => File['/data/git', '/run/gitweb-socket', '/run/git-smart-http-socket'],
         contname => 'gitweb',
-        dir => ['/gitweb-socket', '/srv/git'],
+        dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
         bind => {
           "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
+          "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
           "/data/git" => { 'target' => "srv/git", option => ",ro"}
         },
         ip => $ips[gitweb]
diff --git a/modules/gitweb/files/fcgiwrap-ListenStream.conf b/modules/gitweb/files/fcgiwrap-ListenStream.conf
new file mode 100644 (file)
index 0000000..73e90f4
--- /dev/null
@@ -0,0 +1,3 @@
+[Socket]
+ListenStream=
+ListenStream=/git-smart-http-socket/fcgiwrap.socket
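Review bot: The drop-in only relocates the listener and sets no `SocketMode=`, `SocketUser=` or `SocketGroup=`, so the socket is created with systemd's default 0666 mode in a directory that root.pp binds into the front-nginx container. Any process that can reach that directory can then submit FastCGI requests to fcgiwrap, which runs whatever `SCRIPT_FILENAME` it is given, not only git-http-backend. Adding `SocketMode=0660` together with `SocketUser=`/`SocketGroup=` matching nginx's identity would limit this; the uid/gid mapping between the two containers is not visible here, so confirm which ids nginx runs as before picking them.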
diff --git a/modules/gitweb/files/fcgiwrap-default b/modules/gitweb/files/fcgiwrap-default
new file mode 100644 (file)
index 0000000..4e56b37
--- /dev/null
@@ -0,0 +1,2 @@
+# override -f option from service file
+DAEMON_OPTS=
diff --git a/modules/gitweb/files/fcgiwrap-sandbox.conf b/modules/gitweb/files/fcgiwrap-sandbox.conf
new file mode 100644 (file)
index 0000000..fefe18f
--- /dev/null
@@ -0,0 +1,16 @@
+[Service]
+StandardError=journal
+User=nobody
+Group=nogroup
+
+# sandboxing options, see systemd.exec(5)
+NoNewPrivileges=yes
+PrivateNetwork=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ReadOnlyDirectories=/
+SystemCallArchitectures=native
+RestrictRealtime=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
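Review bot: `ReadOnlyDirectories=` on line 133 is the legacy spelling; systemd renamed it to `ReadOnlyPaths=` (231+) and still honours the old name, but with `ProtectKernelModules=` on line 137 already requiring a release from that era, the current name (or `ProtectSystem=strict`) would be clearer. The drop-in also changes the daemon identity to `User=nobody`/`Group=nogroup`, which is shared with other unprivileged services on the host; a comment stating that this is intended, or a dedicated user, would make the intent explicit. `PrivateNetwork=yes` is consistent with the rest of the change because requests arrive over the Unix socket, which is worth stating next to it, e.g. `# requests arrive via the Unix socket, so no network is needed`.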
index b7db2d450e367bc9825b59b73c0005d0bf9e2fcd..219b94bbca1d8d37211940cbd15881dd369f947d 100644 (file)
@@ -16,6 +16,11 @@ server {
         alias /usr/share/gitweb/static;
     }
     location / {
-        root /srv/git;
+        fastcgi_pass unix:/git-smart-http-socket/fcgiwrap.socket;
+        fastcgi_param SCRIPT_FILENAME   /usr/lib/git-core/git-http-backend;
+        fastcgi_param PATH_INFO         $uri;
+        fastcgi_param GIT_PROJECT_ROOT  /srv/git;
+        fastcgi_param GIT_HTTP_EXPORT_ALL "";
+        include fastcgi_params;
     }
 }
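Review bot: `fastcgi_param GIT_HTTP_EXPORT_ALL ""` on line 148 tells git-http-backend to serve every repository under `/srv/git` regardless of a `git-daemon-export-ok` marker; that matches the previous static `root /srv/git;`, but the reason deserves a comment, e.g. `# export all repos: /srv/git was already served statically in full`. `include fastcgi_params` on line 149 comes after the explicit params; the stock `fastcgi_params` does not define SCRIPT_FILENAME, PATH_INFO or the GIT_* names, so there should be no collision, but if a customised copy is in use that would need checking. The enclosing `server {` block starts outside the hunk.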