Bazitis: Gitosis for Bzr (Bazaar)

At work, I use git. For Exaile I use bzr. I like them both quite a bit. At work, we use Gitosis to manage our repositories and I have to say, it's pretty damn cool. Nothing quite like this exists for bzr, so I ported Gitosis to bzr and called it Bazitis. The Launchpad project page can be found here. Here are the instructions on how to use Bazitis:

First off, I'd like to give credit to some people. Tommi Virtanen is the author of Gitosis. Bazitis is a copy of the Gitosis code, all except for the parts where I had to get a little hacky with bzrlib. His website is http://eagain.net. The other person I'd like to thank is Garry Dolley, who wrote a great blog post on how to use Gitosis, which can be found here: hosting git repositories the easy and secure way. Garry has given me permission to copy his instructions and modify them for Bazitis, as long as I give him kudos, which I have done in this paragraph. Thanks guys!

Install bazitis

bazitis is a tool for hosting bzr repositories (I'm repeating myself for those who skim :)

The first thing to do is grab a copy of bazitis and install it on your server:

cd ~/src
bzr branch lp:bazitis

Next, install it like so:

cd bazitis
python setup.py install

Don't use --prefix unless you like self-inflicted pain. It is possible to install bazitis in a non-standard location, but it's not nice. Read the Caveats section at the bottom and then come back here.

If you get this error:

-bash: python: command not found

or

Traceback (most recent call last):
  File "setup.py", line 2, in ?
    from setuptools import setup, find_packages
ImportError: No module named setuptools

You have to install Python setuptools. On Debian/Ubuntu systems, it's just:

sudo apt-get install python-setuptools

For other systems, someone tell me or leave a comment, so I can update this section and improve this tutorial.

The next thing to do is to create a user that will own the repositories you want to manage. This user is usually called bzr, but any name will work, and you can have more than one per system if you really want to. The user does not need a password, but does need a valid shell (otherwise, SSH will refuse to work).

sudo adduser \
    --system \
    --shell /bin/sh \
    --gecos 'bzr version control' \
    --group \
    --disabled-password \
    --home /home/bzr \
    bzr

You may change the home path to suit your taste. A successful user creation will look similar to:

Adding system user `bzr'...
Adding new group `bzr' (211).
Adding new user `bzr' (211) with group `bzr'.
Creating home directory `/home/bzr'.

You will need a public SSH key to continue. If you don't have one, you may generate one on your local computer:

ssh-keygen -t rsa

The public key will be in $HOME/.ssh/id_rsa.pub. Copy this file to your server (the one running bazitis).

Next we will run a command that will sprinkle some magic into the home directory of the bzr user and put your public SSH key into the list of authorized keys.

sudo -H -u bzr bazitis-init < /tmp/id_rsa.pub

id_rsa.pub above is your public SSH key that you copied to the server. I recommend you put it in /tmp so the bzr user won't have permission problems when trying to read it.

Here some cool magic happens. Run this on your local machine:

bzr branch bzr+ssh://bzr@YOUR_SERVER_HOSTNAME/bazitis-admin
cd bazitis-admin

You will now have a bazitis.conf file and keydir/ directory:

~/dev/bazitis-admin (master) $ ls -l
total 8
-rw-r--r--   1 garry  garry  104 Nov 13 05:43 bazitis.conf
drwxr-xr-x   3 garry  garry  102 Nov 13 05:43 keydir/

This repository that you just cloned contains all the files (right now, only 2) needed to create repositories for your projects, add new users, and define access rights. Edit the settings as you wish, commit, and push. Once pushed, bazitis will immediately make your changes take effect on the server. So we're using Bzr to host the configuration file and keys that in turn define how our Bzr hosting behaves. That's just plain cool.

From this point on, you don't need to be on your server. All configuration takes place locally and you push the changes to your server when you're ready for them to take effect.
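
Because the bzr account has a real shell (/bin/sh), access control depends on every entry in its authorized_keys carrying a forced command; the comments on this post show the form command="bazitis-serve NAME". The following is an added example, not part of bazitis or the original post, that audits such a file on the server. The function names and the sample entries with shortened keys are constructed for illustration.

```python
import re

# One option: a name, optionally followed by ="quoted value".
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def split_entry(line):
    """Split one authorized_keys line into (options dict, key and comment)."""
    if line.startswith(KEY_TYPES):            # entry has no options field
        return {}, line
    in_quote, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:   # first unquoted blank ends the options
            end = i
            break
    opts = {m.group(1).lower(): m.group(2) for m in OPTION.finditer(line[:end])}
    return opts, line[end:].strip()

def audit(text):
    """Return (line number, problem) for entries not locked to bazitis-serve."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _key = split_entry(line)
        cmd = opts.get("command")
        if cmd is None:
            findings.append((n, "no forced command: key gets the account's shell"))
        elif not re.fullmatch(r"bazitis-serve \S+", cmd):
            findings.append((n, "forced command is not bazitis-serve NAME"))
    return findings

# Constructed sample; the key material is shortened and not real.
SAMPLE = '''\
command="bazitis-serve jdoe" ssh-rsa AAAAB3NzaC1yc2E jdoe@laptop
command="bazitis-serve alice",no-pty ssh-rsa AAAAB3NzaC1yc2E alice@desktop
ssh-rsa AAAAB3NzaC1yc2E bob@laptop
command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2E carol@laptop
'''

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE):
        print(f"line {lineno}: {problem}")
```

To check a real installation, pass the contents of /home/bzr/.ssh/authorized_keys to audit().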

Creating new repositories

This is where the fun starts. Let's create a new repository to hold our project codenamed FreeMonkey.

Open up bazitis.conf and notice the default configuration:

[bazitis]

[group bazitis-admin]
writable = bazitis-admin
members = jdoe

Your "members" line will hold your key filename (without the .pub extension) that is in keydir/. In my example, it is "jdoe", but for you it'll probably be a combination of your username and hostname.

To create a new repo, we just authorize writing to it and push. To do so, add this to bazitis.conf:

[group myteam]
members = jdoe
writable = free_monkey

This defines a new group called "myteam", which is an arbitrary string. "jdoe" is a member of myteam and will have write access to the "free_monkey" repo.

Save this addition to bazitis.conf, commit and push it:

bzr commit -m "Allow jdoe write access to free_monkey"
bzr push bzr+ssh://bzr@YOUR_SERVER_HOSTNAME/bazitis-admin

Note: You only have to add the path to the bazitis-admin repo the first time you push. After that, it will be remembered and you can just type "bzr push".

Now the user "jdoe" has access to write to the repo named "free_monkey", but we still haven't created a repo yet. What we will do is create a new repo locally, and then push it:

mkdir free_monkey
cd free_monkey
bzr init

# do some work, bzr add and commit files

bzr push bzr+ssh://bzr@YOUR_SERVER_HOSTNAME/free_monkey

With the final push, you're off to the races. The repository "free_monkey" has been created on the server (in /home/bzr/repositories) and you're ready to start using it like any ol' bzr repo.

Adding users

The next natural thing to do is to grant some lucky few commit access to the FreeMonkey project. This is a simple two-step process.

First, gather their public SSH keys, which I'll call "alice.pub" and "bob.pub", and drop them into keydir/ of your local bazitis-admin repository. Second, edit bazitis.conf and add them to the "members" list.

cd bazitis-admin
cp ~/alice.pub keydir/
cp ~/bob.pub keydir/
bzr add keydir/alice.pub keydir/bob.pub

Note that the key filename must have a ".pub" extension.

bazitis.conf changes:

[group myteam]
- members = jdoe
+ members = jdoe alice bob
  writable = free_monkey

Commit and push:

bzr commit -m "Granted Alice and Bob commit rights to FreeMonkey"
bzr push

That's it. Alice and Bob can now clone the free_monkey repository like so:

bzr branch bzr+ssh://bzr@YOUR_SERVER_HOSTNAME/free_monkey

Alice and Bob will also have commit rights.
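
A pushed bazitis.conf takes effect immediately, so it is worth checking the admin checkout before committing. The following added example (not part of bazitis or the original post) resolves who can write to each repository, including bazitis-admin itself, and flags members without a keydir/NAME.pub file, key files lacking the .pub extension, and names containing "@", which a commenter below reports as breaking access. The function name lint and the sample data are constructed for illustration.

```python
import configparser

def lint(conf_text, keydir_files):
    """Return (repo -> set of writers, list of problems) for a bazitis-admin checkout."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    keys = {f[:-4] for f in keydir_files if f.endswith(".pub")}
    problems = [f"keydir/{f}: filename lacks the .pub extension"
                for f in keydir_files if not f.endswith(".pub")]
    writers, referenced = {}, set()
    for section in cp.sections():
        if not section.startswith("group "):
            continue
        members = cp.get(section, "members", fallback="").split()
        referenced.update(members)
        for name in members:
            if name not in keys:
                problems.append(f"[{section}] {name}: no keydir/{name}.pub")
            if "@" in name:
                problems.append(f"[{section}] {name}: contains '@'")
        for repo in cp.get(section, "writable", fallback="").split():
            writers.setdefault(repo, set()).update(members)
    problems += [f"keydir/{k}.pub: not a member of any group"
                 for k in sorted(keys - referenced)]
    return writers, problems

# Constructed sample: the page's two groups plus deliberate mistakes.
CONF = """\
[bazitis]

[group bazitis-admin]
writable = bazitis-admin
members = jdoe

[group myteam]
members = jdoe alice bob carol@laptop
writable = free_monkey
"""
KEYDIR = ["jdoe.pub", "alice.pub", "bob.pub", "dave.pub", "erin.key"]

if __name__ == "__main__":
    writers, problems = lint(CONF, KEYDIR)
    for repo, names in sorted(writers.items()):
        print(f"{repo}: {' '.join(sorted(names))}")
    print("\n".join(problems))
```

Anyone listed as a writer of bazitis-admin can change every other grant, so that line of the output deserves the closest look.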

Limitations

  • Currently, bazitis doesn't support everything that gitosis does, like public readonly access. This is planned for the future.
  • I haven't tested bazitis with shared bzr repositories. I have no idea if it will work. If you try this, let me know how it goes.
  • Bazitis works best with bzr 1.9. It works with earlier versions, but if you try to access a repository that you do not have permission for, a huge ugly exception is thrown that would probably lead a user to think something is wrong with bzr. This is handled a lot better in later versions of bzr.

And that's all. Let me know how it works out for you!

Filed under: Programming, Python, Administration
Comments:

From Hannes on Jan. 21 @ 2:25 p.m. 2009

Hey Adam,
thanks for the work and effort porting gitosis for bazaar.
I tried it today on an Ubuntu 8.04 server and bazaar version 1.11 and I think everything works fine except I get the following error:
"bzr: ERROR: Permission denied: "bazitis-admin": : You do not have read access for this repository."
after entering this command:
"bzr branch bzr+ssh://bzr@brawur.dyndns.org:92/bazitis-admin"
In the server logs I see that my public key is accepted.
Perhaps you may hint me in the right direction to solve this issue.
Thanks in advance,
Hannes

From Hannes on Jan. 22 @ 5:05 a.m. 2009

Hi again Adam,
just wanted to tell you that I solved the issue.
The account names must not contain an "@". After removing this it all did function properly.
Greetings and thanks again,
Hannes

From synic on Jan. 22 @ 9:12 a.m. 2009

Ah, I should put a check in for that. Thanks for the find.

Adam

From cal on Jan. 22 @ 5:57 p.m. 2009

@Hannes, I'm having the same problem, where did you remove the '@' symbol from? I removed it from bazitis.conf and no luck, so I figured I would need to change the name of my key to cut off the '@' and everything after...

[bazitis]

[group bazitis-admin]
writable = bazitis-admin
members = caolan

and I've renamed my key to:
keydir/caolan.pub

...still no luck.

I've been looking for something like this for a while and I'm really excited about giving it a go! :)

From Hannes on Jan. 23 @ 1:03 a.m. 2009

Hi Cal,
the changes you made are correct. But you have to edit some files on your server too. I mean the ssh files bazitis created when initializing. You have to go to the home directory of the "bzr" (or whoever you called the user) and look for a folder ".ssh" (it is a hidden one). In this folder there is a file "authorized_keys". Edit this and change "command="bazitis-serve yourname@..."" to
command="bazitis-serve caolan" and then (still in this file) change the comment at the end of the publickey-string too (it is separated by a whitespace).
Now you are done and everything should work well.
Good luck and feel free to ask again, if there are questions left (and if we don't spam Adam's blog ;-) )

Cheers,
Hannes

From David Knell on Feb. 8 @ 7:06 a.m. 2009

The following error may be experienced on default installations for some Linux distributions after running python setup.py install

error: invalid Python installation: unable to open /usr/lib/python2.5/config/Makefile (No such file or directory)

To fix this on CentOS, Red Hat, or Fedora systems, you must install the python-devel package.

Run this command to install the package:
sudo yum install python-devel

