From: Lucas Werkmeister
Date: Tue, 28 Mar 2017 09:14:57 +0000 (+0200)
Subject: add: git smart HTTP daemon
X-Git-Url: https://code.wpia.club/?p=infra.git;a=commitdiff_plain;h=b9831c0a779e038d8bb4f3650c91d64be63a932d

add: git smart HTTP daemon

This removes the need for running `git update-server-info` on the repositories regularly (or on update), possibly speeds up clones (at least, git clone can now show progress information), and almost certainly improves reliability on a pull concurrent with a push to the same repository (the git daemon can respect lock files, nginx can’t).

(We can also probably remove /srv/git from front-nginx, but I’ll do that in a separate change.)

Change-Id: Iaf67d8f9f7dbe3b95338d9bb548e7c18bf9f0d0a
---
diff --git a/environments/production/manifests/gitweb.pp b/environments/production/manifests/gitweb.pp
index fc13d5f..a13d2a6 100644
--- a/environments/production/manifests/gitweb.pp
+++ b/environments/production/manifests/gitweb.pp
@@ -7,6 +7,9 @@ node gitweb {
 package{ 'libcgi-fast-perl':
 ensure => 'installed'
 }
+ package{ 'fcgiwrap':
+ ensure => 'installed'
+ }
 user{'git':
 ensure => 'present',
 system => 'yes',
@@ -53,4 +56,30 @@ node gitweb {
 provider => 'systemd',
 enable => true
 }
+ file{ '/etc/systemd/system/fcgiwrap.socket.d':
+ ensure => 'directory'
+ }
+ file{ '/etc/systemd/system/fcgiwrap.socket.d/ListenStream.conf':
+ ensure => 'file',
+ source => 'puppet:///modules/gitweb/fcgiwrap-ListenStream.conf',
+ notify => Service['fcgiwrap.socket']
+ }
+ file{ '/etc/systemd/system/fcgiwrap.service.d':
+ ensure => 'directory'
+ }
+ file{ '/etc/systemd/system/fcgiwrap.service.d/sandbox.conf':
+ ensure => 'file',
+ source => 'puppet:///modules/gitweb/fcgiwrap-sandbox.conf',
+ notify => Service['fcgiwrap.socket']
+ }
+ file{ '/etc/default/fcgiwrap':
+ ensure => 'file',
+ source => 'puppet:///modules/gitweb/fcgiwrap-default',
+ notify => Service['fcgiwrap.socket']
+ }
+ service{'fcgiwrap.socket':
+ ensure => 'running',
+ provider => 'systemd',
+ enable => true
+ }
 }
diff --git a/environments/production/manifests/root.pp b/environments/production/manifests/root.pp
index e2b5d6b..db84e8d 100644
--- a/environments/production/manifests/root.pp
+++ b/environments/production/manifests/root.pp
@@ -101,12 +101,13 @@ if $signerLocation == 'self' {
 lxc::container { 'front-nginx':
 contname => 'front-nginx',
 ip => $ips[front-nginx],
- dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/srv/git'],
+ dir => ["/data", "/data-crl", '/data-crl-gigi', '/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
 bind => {
 "/data/nginx" => {target => "data", option => ",ro"},
 "/data/crl" => {target => "data-crl", option => ",ro"},
 "/data/gigi-crl" => {target => "data-crl-gigi", option => ",ro"},
 "/run/gitweb-socket" => {target => 'gitweb-socket'},
+ "/run/git-smart-http-socket" => {target => 'git-smart-http-socket'},
 "/data/git" => { 'target' => "srv/git", option => ",ro"}
 },
 require => File['/data/nginx', '/data/crl/htdocs', '/data/gigi-crl']
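Review bot: The sandbox.conf drop-in is placed under fcgiwrap.service.d but notifies Service['fcgiwrap.socket'], so a later change to the sandbox settings only restarts the socket unit while an already-running fcgiwrap.service keeps its old User=/sandbox configuration until something else restarts it; I would declare `service{'fcgiwrap.service': provider => 'systemd' }` as a notify target for that one file. None of the new resources is ordered after Package['fcgiwrap'], so on a fresh node Puppet may try to start fcgiwrap.socket before the package exists — `require => Package['fcgiwrap']` on the service (the file resources then follow through the notify chain) closes that. Depending on the Puppet version in use, writing new drop-in files does not trigger `systemctl daemon-reload` by itself, so the first restart after a drop-in change may run with stale unit settings; an exec doing the reload between the files and the service is the usual fix. The enclosing `node gitweb` block starts outside the hunk.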
@@ -192,12 +193,16 @@ if $signerLocation == 'self' {
 file{'/run/gitweb-socket':
 ensure => 'directory'
 }
+ file{'/run/git-smart-http-socket':
+ ensure => 'directory'
+ }
 lxc::container { 'gitweb':
- require => File['/data/git', '/run/gitweb-socket'],
+ require => File['/data/git', '/run/gitweb-socket', '/run/git-smart-http-socket'],
 contname => 'gitweb',
- dir => ['/gitweb-socket', '/srv/git'],
+ dir => ['/gitweb-socket', '/git-smart-http-socket', '/srv/git'],
 bind => {
 "/run/gitweb-socket" => { 'target' => "gitweb-socket"},
+ "/run/git-smart-http-socket" => { 'target' => "git-smart-http-socket"},
 "/data/git" => { 'target' => "srv/git", option => ",ro"}
 },
 ip => $ips[gitweb]
diff --git a/modules/gitweb/files/fcgiwrap-ListenStream.conf b/modules/gitweb/files/fcgiwrap-ListenStream.conf
new file mode 100644
index 0000000..73e90f4
--- /dev/null
+++ b/modules/gitweb/files/fcgiwrap-ListenStream.conf
@@ -0,0 +1,3 @@
+[Socket]
+ListenStream=
+ListenStream=/git-smart-http-socket/fcgiwrap.socket
diff --git a/modules/gitweb/files/fcgiwrap-default b/modules/gitweb/files/fcgiwrap-default
new file mode 100644
index 0000000..4e56b37
--- /dev/null
+++ b/modules/gitweb/files/fcgiwrap-default
@@ -0,0 +1,2 @@
+# override -f option from service file
+DAEMON_OPTS=
diff --git a/modules/gitweb/files/fcgiwrap-sandbox.conf b/modules/gitweb/files/fcgiwrap-sandbox.conf
new file mode 100644
index 0000000..fefe18f
--- /dev/null
+++ b/modules/gitweb/files/fcgiwrap-sandbox.conf
@@ -0,0 +1,16 @@
+[Service]
+StandardError=journal
+User=nobody
+Group=nogroup
+
+# sandboxing options, see systemd.exec(5)
+NoNewPrivileges=yes
+PrivateNetwork=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ReadOnlyDirectories=/
+SystemCallArchitectures=native
+RestrictRealtime=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
diff --git a/modules/gitweb/templates/nginx.epp b/modules/gitweb/templates/nginx.epp
index b7db2d4..219b94b 100644
--- a/modules/gitweb/templates/nginx.epp
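Review bot: The override only moves the socket path, so the unit keeps systemd's default SocketMode of 0666, and fcgiwrap runs whatever SCRIPT_FILENAME its FastCGI client names — the restriction to git-http-backend lives entirely in the nginx template, not here. Anything in either container that can reach the bind-mounted /git-smart-http-socket directory can therefore talk to fcgiwrap directly; the sandbox drop-in bounds what that is worth, but the trust boundary deserves a comment in this file, e.g. `# world-writable socket: only the bind mount into front-nginx is expected to reach it`. If the nginx worker's gid can be kept identical across the two containers, `SocketMode=0660` together with `SocketGroup=<nginx group>` (placeholder) would tie the socket to its intended client.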
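Review bot: `User=nobody` / `Group=nogroup` runs git-http-backend as the shared nobody account rather than a dedicated system user, so any other process on the container that also falls back to nobody shares this service's identity and its access to the socket and /srv/git; a `git-http` system user declared in gitweb.pp next to the existing `user{'git'}` would isolate it. `ReadOnlyDirectories=/` is the older spelling of `ReadOnlyPaths=`; it is still accepted on the systemd versions I know of, but if the gitweb container's systemd is recent enough `ProtectSystem=strict` states the same intent with the current directive and `ProtectKernelTunables=yes` would fit alongside the existing Protect* settings — worth checking against the installed version. The header comment could also record why a read-only root is sufficient, e.g. `# git-http-backend only reads repositories; /srv/git is a read-only bind mount`, so the next person does not loosen it for pushes.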
+++ b/modules/gitweb/templates/nginx.epp
@@ -16,6 +16,11 @@ server {
 alias /usr/share/gitweb/static;
 }
 location / {
- root /srv/git;
+ fastcgi_pass unix:/git-smart-http-socket/fcgiwrap.socket;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param GIT_PROJECT_ROOT /srv/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ include fastcgi_params;
 }
 }
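Review bot: `fastcgi_param GIT_HTTP_EXPORT_ALL ""` exports every repository under /srv/git without the git-daemon-export-ok marker, so any repository that appears in /data/git on the host becomes publicly clonable the moment it exists; that matches what the removed `root /srv/git` static export already did, so it is not a regression, but if some repositories are ever meant to stay private, dropping this line and touching git-daemon-export-ok in the public ones is the cheaper control. I would also state in the template why this endpoint cannot accept writes: `# read-only: no REMOTE_USER is passed, so git-http-backend refuses receive-pack by default, and /srv/git is a ro bind mount` (wording to confirm against git-http-backend(1) and http.receivepack). `PATH_INFO $uri` passes nginx's normalised URI, which has `..` segments resolved before the backend sees them; keep `$uri` rather than `$request_uri` for that reason. The enclosing `server {` block starts outside the hunk.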