Jenkins : Gitolite

Gitolite Architecture

Gitolite is a wrapper around a base git installation which facilitates the secure management of project repositories and of the user privileges governing access to those repositories.  Its simple configuration is well documented in a short README in the distribution.  Essentially, those sys-admins charged with administration of the central git installation clone the gitolite configuration directory, make their changes to the configuration files and push those back to origin.  A post-commit hook in the gitolite installation deploys the new configuration, creating and modifying project repositories as required and installing, revoking or updating the keys for authorized users as appropriate.

The gitolite configuration consists of conf/gitolite.conf used to define project repositories and the group and user privileges which apply to it; and a directory of ssh public keys in the form: keydir/User_name.pub.

11:33:04 (master) ~/gitolite-admin$ ls -Rl
.:
total 0
drwxr-xr-x 2 hesco hesco  80 Dec  8 17:48 conf
drwxr-xr-x 2 hesco hesco 208 Dec  8 17:46 keydir

./conf:
total 4
-rw-r--r-- 1 hesco hesco 299 Dec  8 17:48 gitolite.conf

./keydir:
total 20
-rw-r--r-- 1 hesco hesco 396 Sep 30 12:12 bob.pub
-rw-r--r-- 1 hesco hesco 419 Dec  8 13:27 carol.pub
-rw-r--r-- 1 hesco hesco 397 Sep 30 12:08 alice.pub
-rw-r--r-- 1 hesco hesco 397 Sep 30 12:08 mdarc.pub

The security model depends on the creation of a single user with privileges over the git installation and the project repositories it hosts.  By default, this user is called git.  Only the git user may interact with the projects.  

The user privilege model is built on ssh key pairs.  Each developer or tester with need for access to a project repository hosted by gitolite generates a key pair, traditionally done using ssh-keygen, and provides their public key (.ssh/id_rsa.pub by default) to the administrator of the repository.  The gitolite administrator then adds the public key to their cloned gitolite configuration, runs `git add keydir/new_user.pub` then `git commit` then `git push origin` to enable the new user.  

The syntax used in conf/gitolite.conf is documented in the linked README above.

Integrating Jenkins with Gitolite

Applying what we no know of the Gitolite architecture then requires the following steps:

generate an ssh key-pair

Generate an ssh key-pair with an empty passphrase on the jenkins server for the jenkins server

 hesco@jenkins:~$ cd /var/lib/jenkins
hesco@jenkins:/var/lib/jenkins$ sudo -u jenkins ssh-keygen
[sudo] password for hesco:
Generating public/private rsa key pair.
Enter file in which to save the key (/var/lib/jenkins/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
91:0a:2c:e1:73:4f:93:5e:22:f9:bf:12:2b:72:2e:10 jenkins@jenkins.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|  .              |
| . o . . .       |
|  + * = +        |
|E  + B = .       |
| .    = S        |
|.     ..         |
| .     o.        |
|  o o o  .       |
|   =.. ..        |
+-----------------+

It is important to use an empty passphrase, or the CI server will pause until it times out waiting for the entry of the passphrase.  

Next harvest that public key for the next step:

 hesco@pbx:/var/lib/jenkins$ sudo -u jenkins cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8OEjcUj . . . nPkOUXCjScyw== jenkins@jenkins.example.com

create a gitolite user for jenkins

create a gitolite user for jenkins like so:

 11:52:51 (master) ~/gitolite-admin$ vim keydir/jenkins.pub

Paste the jenkins public key into this file, ensuring that it is on a single line, collapsing line feeds if it wrapped when you pasted it into the file.  

extend privileges to the jenkins user to each relevant project repository 

Extend privileges to the jenkins user to each relevant project repository like so:

 12:04:37 (master) ~/gitolite-admin$ vim conf/gitolite.conf
@development_team = bob carol ted alice

repo gitolite-admin
    RW+     =   hesco

repo myproject
    RW+     =   hesco
    RW      =   @development_team
    R       =   jenkins

Read only privileges are sufficient to permit jenkins to clone the directory.

push changes to gitolite configuration

push changes to gitolite configuration like so:

12:13:14 {master} ~/gitolite-admin$ git add keydir/jenkins.pub conf/gitolite.conf


12:13:28 (master) ~/gitolite-admin$ git commit keydir/jenkins.pub conf/gitolite.conf
[master ba84830] Added public key for jenkins@jenkins.example.com and added jenkins to myproject
 1 files changed, 5 insertions(+), 3 deletions(-)


12:13:43 (master) ~/gitolite-admin$ git push origin
Counting objects: 12, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 1.10 KiB, done.
Total 8 (delta 2), reused 0 (delta 0)

add /etc/hosts entry for git repository

If the same IP hosts both gitolite and jenkins, you next want to add an entry to /etc/hosts for the git repository on the jenkins server.

 hesco@pbx:/var/lib/jenkins$ sudo vim /etc/hosts
127.0.0.1       git.example.com git

add gitolite ssh fingerprint to jenkins' .ssh/known_hosts

Add the gitolite repository's ssh fingerprint to the jenkins user's .ssh/known_hosts file in their home directory on the jenkins' server like so:

hesco@jenkins:/var/lib/jenkins/workspace/myproject$ sudo -u jenkins git clone git@git.example.com:myproject
Cloning into 'myproject'...
The authenticity of host 'git.example.com (127.0.0.1)' can't be established.
RSA key fingerprint is 25:ac:4b:23:22:6c:5d:11:82:c9:4f:65:73:6a:90:0c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'git.example.com' (RSA) to the list of known hosts.
remote: Counting objects: 1005, done.
remote: Compressing objects: 100% (434/434), done.
remote: Total 1005 (delta 412), reused 1005 (delta 412)
Receiving objects: 100% (1005/1005), 880.75 KiB, done.
Resolving deltas: 100% (412/412), done.


hesco@pbx:/var/lib/jenkins/workspace/myproject$ cd ..


hesco@pbx:/var/lib/jenkins/workspace$ sudo -u jenkins rmdir myproject

Make sure you clean up after the fingerprint is captured, so you are ready for the next build.  

configure the git credentials in jenkins for the Project

 

Configure the git credentials in Jenkins for the Project.  If the gitolite and jenkins installations are hosted at the same IP and you set up the entry in /etc/hosts, then you can use the same credentials and url as you would to clone the project in your local sandbox.  Otherwise you will need to repeat the .ssh/known_hosts step above for localhost or 127.0.0.1. 

Attachments: