Providing git:// (protocol) access to repos using GitLab

I mirror a bunch of open source projects in a local GitLab instance which works well.

By default, GitLab only provides https and ssh access to repositories, which can be a pain for continuous integration (especially if you were to use self-signed certificates).

However, it’s relatively easy to configure your GitLab server to run a git daemon and provide read-only access to anyone on any repos that you choose.

On my CentOS box, I installed git-daemon which includes systemd git@.service and git.socket files. I copied these to make a new service called git-daemon, like so:

[root@gitlab ~]# cp /usr/lib/systemd/system/git@.service \
/etc/systemd/system/git-daemon@.service
[root@gitlab ~]# cp /usr/lib/systemd/system/git.socket \
/etc/systemd/system/git-daemon.socket
[root@gitlab ~]# systemctl daemon-reload

Then I edited the git-daemon.socket to point it to the git repositories, /var/opt/gitlab/git-data/repositories/, which is the default location when using the GitLab omnibus package.
[Unit]
Description=Git Repositories Server Daemon
Documentation=man:git-daemon(1)
 
[Service]
User=git
ExecStart=-/usr/libexec/git-core/git-daemon \
--base-path=/var/opt/gitlab/git-data/repositories/ \
--syslog --inetd --verbose
StandardInput=socket

Now start and enable the service:
[root@gitlab ~]# systemctl start git-daemon.socket
[root@gitlab ~]# systemctl enable git-daemon.socket

As per the git-daemon.service systemd file, you should now have git-daemon listening on port 9418, however you may need to open the port through the firewall:

[root@gitlab ~]# firewall-cmd --permanent --zone=public --add-port=9418/tcp
[root@gitlab ~]# systemctl reload firewalld

Now, to enable git:// access to any given repository, you need to touch a file called git-daemon-export-ok in that repo’s git dir (it should be owned by your gitlab user, which is probably git). For example, a mirror of the Linux kernel:

-sh-4.2$ touch /var/opt/gitlab/git-data/repositories/mirror/linux.git/git-daemon-export-ok

From your local machine, test your git:// access!

[12:15 chris ~]$ git ls-remote git://gitlab/mirror/linux.git |head -1
46e595a17dcf11404f713845ecb5b06b92a94e43 HEAD

Success!

If you wanted to, you could set up a cron job to make sure that any new mirrors that come along are exported without manual intervention.

First, create an executable script somewhere, like /usr/local/bin/export_git-daemon_repos.sh (note, this excludes any wiki git repos).

#!/bin/bash
 
set -eo pipefail
 
if [[ "$USER" != "git" ]]; then
    echo "Only run this as the git user."
    exit 1
fi
 
cd /var/opt/gitlab/git-data/repositories/mirror
for x in $(ls -d * |grep -v \.wiki\.git) ; do
    pushd ${x}
    if [[ ! -e "git-daemon-export-ok" ]]; then
        touch git-daemon-export-ok
    fi
    popd
done

Then add it as a cron job for the git user on your gitlab server to run every two hours, or whatever suits you, e.g.:
-sh-4.2$ crontab -l
0 */2 * * * /usr/local/bin/export_git-daemon_repos.sh >/dev/null

4 Responses to “Providing git:// (protocol) access to repos using GitLab”


Leave a Reply