

Gitlab 5.0 released, Gitolite now gone - Spiritus
http://blog.gitlab.org/gitlab-5-dot-0-has-been-released/

======
__david__
So I've been poking around the upgrade instructions for moving to gitlab-shell
[1] and I notice you ask the user to do this:

    
    
    sudo chsh -s /bin/bash git

I don't see it changing to anything else later in the instructions.

Isn't that a _huge_ security downgrade from using gitolite? Am I missing
something?

[1] <https://github.com/gitlabhq/gitlabhq/wiki/From-4.2-to-5.0>

~~~
Hello71
If GitLab security were to be perfect, then this change would not affect
security in any which way.

However, if the .ssh/authorized_keys file were to be written erroneously, it
is possible that this change may increase the likelihood of receiving a shell
with the privileges of the git user and thus being able to affect
repositories. However, it should not be possible on a system otherwise secured
for such a user to obtain access to the rest of the system.

~~~
__david__
> If GitLab security were to be perfect, then this change would not affect
> security in any which way.

Yes, it does: right now users can use ssh to push and pull repos on my machine
using gitolite but they do not have shell access to the computer. "ssh
git@gitlab.example.com" just prints a short message and exits. With this
change they can all just ssh into the computer and have a bash prompt. Trying
to make that secure requires a whole different level of paranoia than just not
letting people in in the first place.

It also means that every gitlab user has access to every repo that's hosted
and the permissions in the web interface are just for show.

If this is really the case and the attitude of the devs then I don't think I
will be updating any time soon...

However, I still feel I must be missing something because the gitlab guys host
private repos at gitlab.com and so they _must_ have worked these security
things out, right? I can't create an account at gitlab.com and just ssh into
their server. At least, I really hope I can't.

~~~
Hello71
Question: What happens when you type `ssh git@github.com /bin/bash`?

That command doesn't use the shell set in /etc/passwd at all, and you
authenticate successfully, so it _must_ give you a shell, right? No.

~~~
teraflop
> That command doesn't use the shell set in /etc/passwd at all

Yes it does.
[https://github.com/SimonWilkinson/openssh/blob/master/sessio...](https://github.com/SimonWilkinson/openssh/blob/master/session.c#L1815)

~~~
Hello71
Regardless:

    
    
      AUTHORIZED_KEYS FILE FORMAT
      ....
          command="command"
                 Specifies that the command is executed whenever this key is used for
                 authentication.  The command supplied by the user (if any) is
                 ignored.  The command is run on a pty if the client requests a pty;
                 otherwise it is run without a tty.  If an 8-bit clean channel is
                 required, one must not request a pty or should specify no-pty.  A
                 quote may be included in the command by quoting it with a backslash.
                 This option might be useful to restrict certain public keys to per‐
                 form just a specific operation.  An example might be a key that per‐
                 mits remote backups but nothing else.  Note that the client may
                 specify TCP and/or X11 forwarding unless they are explicitly prohib‐
                 ited.  The command originally supplied by the client is available in
                 the SSH_ORIGINAL_COMMAND environment variable.  Note that this
                 option applies to shell, command or subsystem execution.  Also note
                 that this command may be superseded by either a sshd_config(5)
                 ForceCommand directive or a command embedded in a certificate.

~~~
__david__
Got it, so the shell is still /bin/bash but they specify the command in the
.ssh/authorized_keys file which means it cannot be overridden by the user. (I
was under the mistaken impression that gitolite overrode the shell and not the
command)

So your original point was correct: as long as the authorized_keys file is not
corrupted, everything is good. Thanks for helping me understand!
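
A defender's check for the point settled above, added here as an example that is not from the thread, GitLab or gitlab-shell: parse the git user's authorized_keys and flag any key that lacks `command=` or the no-* options sshd(8) says are needed to prohibit forwarding and a pty. The sample entries are constructed (the command path is modelled on the form gitlab-shell writes), and `restrict` is a later OpenSSH shorthand for those no-* options.

```python
# Added example (not code from the thread, GitLab or gitlab-shell): audit a git
# user's ~/.ssh/authorized_keys for keys not confined to a forced command.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}

def parse_line(line):
    """Return (option names, key type, comment), or None for blank/comment lines.
    Options end at the first whitespace outside double quotes; quoted commas
    and backslash-escaped quotes do not split options."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, current, in_quote, i = [], "", False, 0
    if not line.startswith(KEY_TYPE_PREFIXES):  # line carries an options field
        while i < len(line):
            ch = line[i]
            if ch == '"':
                in_quote = not in_quote
            elif ch == "\\" and in_quote:  # keep the escaped char, don't toggle on it
                ch = line[i:i + 2]
                i += 1
            elif not in_quote and ch.isspace():
                break
            elif not in_quote and ch == ",":
                options.append(current)
                current, ch = "", ""
            current += ch
            i += 1
        options.append(current)
    fields = line[i:].split(None, 2)
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    names = [opt.split("=", 1)[0].lower() for opt in options]
    return names, fields[0], fields[2] if len(fields) > 2 else ""

def audit(text):
    """Return [(comment or key type, problems)] for keys not confined to a forced command."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        names, key_type, comment = parsed
        problems = []
        if "command" not in names:
            problems.append("no command= (key gets the account's login shell)")
        if "restrict" not in names:  # OpenSSH 7.2+ "restrict" implies all of REQUIRED
            missing = sorted(REQUIRED - set(names))
            if missing:
                problems.append("missing " + ", ".join(missing))
        if problems:
            findings.append((comment or key_type, problems))
    return findings

# Constructed sample: one properly restricted key, one forced command without
# the no-* options, one key with no options at all.
SAMPLE = """\
command="/home/git/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA== alice@example.com
command="/home/git/gitlab-shell/bin/gitlab-shell key-2" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA== bob@example.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA== carol@example.com
"""
```

Run `audit(open("/home/git/.ssh/authorized_keys").read())` on a real host; an empty result means every key is confined to its forced command.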

------
buster
Last time I was installing gitlab after having the nightmare to install and
maintain a gitorious installation and was really depressed that it felt like
the same nightmare. Pages and pages of copy&paste instructions, followed by
half a dozen issues that needed post-install fixing... no, never again..

I ended up installing gitblit and was amazed by the quick installation and
features. Unpack&run! I can recommend gitblit to everyone who needs a
quick&easy to install Git web frontend..

But gitlab definitely looks nicer, probably can do even more.. it has pull
requests which are (yet) missing in gitblit.

~~~
picomancer
Installation is actually a problem with Rails, and web app development as a
whole.

Think about PHP: Drop files in the web server directory, add a database and
user, edit the app configuration file to point to said database and user, and
you're done.

Then there's Rails apps. Gitolite is actually fairly typical: Install a ton of
packages (including ssh, redis, and postfix daemons which need to be secured),
compile your own Ruby (and keep it up to date), install the Bundler gem,
configure Gitlab, configure Gitlab shell, configure Unicorn, configure the
database, install gems with bundler, bundle exec rake gitlab:setup
RAILS_ENV=production (I have no idea what this does), install an init script,
update your rc.d, then set up an nginx reverse proxy [1].

If you're used to setting up web apps, this is typical, and very well-
described by the provided instructions. If you're used to the PHP experience,
or you've only ever installed distro-packaged apps with apt-get or equivalent,
this process feels really unreasonably long and painful.

I remember that the Discourse folks said that they were aware that
installation was a pain point, and they were working on making it easier.

Lowering the barriers to installation is actually something that web
applications written in Ruby/Python/Node.js really need to do in order to
begin to compete with PHP solutions among more casual administrators.

A big part of the problem is isolation from the system package manager. I have
a Redmine install on the same server as Gitolite, which I manage via apt-get.
I'd really like to have a version of the Gitlab instructions that keeps non-
system packages (like the self-compiled Ruby) self-contained in /home/git, so
they don't break anything else.

[1]
[https://github.com/gitlabhq/gitlabhq/blob/5-0-stable/doc/ins...](https://github.com/gitlabhq/gitlabhq/blob/5-0-stable/doc/install/installation.md)

~~~
dewiz
...compete with PHP, seriously?

Many of the points above apply to any language. Ruby might have
maintainability issue but PHP is far far from perfect.

~~~
sorbits
The point is very valid.

The person who has to install some third party web application is mainly
concerned with “how easy is this to install”.

Not only have I steered clear of installing things with too many alien
prerequisites, I’m often writing in PHP only because deployment is just so
much easier.

------
sytse
Sytse Sijbrandij from GitLab.com here. Thank you for submitting this. We hope
people like the change. We put a lot of hard work into making GitLab more
stable and into scaling it. Let us know what you think.

~~~
Argorak
Hi Sytse,

Just for future reference:

It's common courtesy to give attributions next to contributed changes in the
changelog. I gladly sponsored development of one of them (API: improved return
codes and docs, <https://github.com/gitlabhq/gitlabhq/pull/2835>) and a short
nod to the involved persons would be nice.

Keep up the good work, thank you!

~~~
sytse
Hi Argorak,

Thank you for the reference. I think attributing the authors is a good idea.
I've created <https://github.com/gitlabhq/gitlabhq/pull/3303>

What do you think? Is it ok to attribute to the full name?

Best regards, Sytse

~~~
Argorak
Hi,

in the Padrino project, we usually attribute by (GH) nickname, because that's
what most programmers build their identity around. Also, all involved are
mentioned. In that case, it would be:

- API: improved return codes and docs. (Xylakant, justahero)

See ours:

[https://github.com/padrino/padrino-framework/blob/master/CHA...](https://github.com/padrino/padrino-framework/blob/master/CHANGES.rdoc)

~~~
sytse
Good points. I've added Sebastian Ziebell.

About mentioning usernames, I figured it might get a bit confusing when we get
public projects on GitLab.com, you would have to guess which platform the
username belongs to. What do you think?

~~~
sytse
Thanks for understanding in
[https://github.com/gitlabhq/gitlabhq/pull/3303#discussion_r3...](https://github.com/gitlabhq/gitlabhq/pull/3303#discussion_r3493319)

The attribution was merged and is live on
[https://github.com/gitlabhq/gitlabhq/blob/master/CHANGELOG#L...](https://github.com/gitlabhq/gitlabhq/blob/master/CHANGELOG#L27)

~~~
Argorak
And thanks to you from our side :)!

------
aus_
I'd like to thank the developers for this great project. I finally convinced
my team to switch over from SVN to git after I showed them Gitlab. (GitHub was
never an option due to corporate data security policies. Even for GitHub
private repos.)

~~~
ergo14
Have you heard of <http://rhodecode.org/>? It supports both HG and git.

------
_JamesA_
This is great news as Gitolite was the one thing that prevented me from giving
Gitlab a try.

What are the minimum requirements for a light Gitlab installation? I can't
find any recommendations on the site.

The thought of deploying Gitlab on a Linode 512 for $20 a month with virtually
unlimited private repositories is very exciting.

~~~
sytse
We don't have minimum requirements. We run GitLab.com with 3000+ users on a
moderate (c1.medium, 1.7 GiB) instance. I think you will do fine with GitLab
5.0 and the 512 Linode. Might have to tune the default parameters a bit to
have less processes running.

~~~
randx
In order to run GitLab w/o any tweaks you need a 1GB Linode. You can start it on
512 but you need to set up unicorn to use only 1 worker and you need at least
200MB of swap.

~~~
nonpme
Is 1GB really required for personal use? I thought about buying 256/512 VPS
exclusively for GitLab, don't you think it will be enough for personal
projects?

Maybe someone who has the knowledge can write tutorial about configuring GL to
run on average VPS?

~~~
sytse
A post about tuning GitLab for low memory consumption would be very useful
indeed.

~~~
nonpme
Maybe someone will write one someday ;).

And, as I have the chance, I want to thank you and whole GitLab team for a
really great work! I'm using GL locally and I'm very pleased with it.

~~~
sytse
Thanks nonpme, good to hear you are enjoying GitLab.

------
ergo14
There is also <http://rhodecode.org/> which I highly recommend.

------
bentaber
The speed at which this project is evolving is quite impressive. I find myself
looking forward to the 22nd every month with anticipation for the next
release! Thank you Gitlab team.

~~~
sytse
We look forward to the friendly HN comments after the release :-)

------
cmurphycode
I set up gitlab for some "skunkworks" projects at my day job, and it's been
really great. The Gitolite dep never bothered me (the gitlab install is well
documented), but seems like a good thing.

Thanks for your hard work, guys and gals!

~~~
sytse
You're welcome, hope your skunkworks project becomes the golden standard :-)

------
pedoh
From the front page of gitlab.org: "A fast, secure and stable solution based
on Rails & Gitolite."

Gitolite is gone, long live gitolite?

~~~
sytse
Dmitriy merged my change and updated <http://gitlab.org/>

------
m4tthumphrey
I have been using Gitlab since version 3 and have found it a joy to work with
and I too look forward to the 22nd every month. We use it in our internal
network along with Jenkins for CI and a custom built deployment application.
It all works very well with 15 developers and QA personnel. The new
gitlab-shell hasn't made any difference whatsoever over gitolite and the
update went as smoothly as possible.

gitlabhq also offer Vagrant/Chef VM recipes to quickly get set up.

I encourage anyone considering a change to their VCS/deployment set up to give
it a try!

~~~
sytse
Thank you for the kind comment m4tthumphrey!

You probably are aware of GitLab CI that is a simpler alternative for Jenkins
but I wanted to mention it just to make sure.

------
jamesmoss
The move away from Gitolite is great as I know it was the source of many
install and upgrade headaches; however, the new component they've replaced it
with is very very closely coupled to GitLab.

This could have been a great chance to create a lightweight alternative to
Gitolite for other projects to use too.

~~~
sytse
Yes, we hope to make installing and upgrading GitLab much easier this way.

We wanted to allow other projects to use GitLab-shell too, that is why we made
it a separate project <https://github.com/gitlabhq/gitlab-shell>

~~~
jamesmoss
I know that but much of the authentication and post receive stuff is hard
coded to point at the GitLab API.

If you could abstract this it'd be great.

~~~
sytse
We are open to proposals and pull requests to do this. It is not very
productive to abstract things without a few examples of projects it should be
generalized for.

------
jbrooksuk
Annoyingly there don't seem to be instructions for migrating from 4.2 to 5.0
when using MySQL and Apache.

<https://github.com/gitlabhq/gitlabhq/wiki/From-4.2-to-5.0>

~~~
jameswritescode
What parts are you getting snagged at?

------
mattdeboard
I really want to give this a go but would like to have it set up to shadow the
state of our repos in Github. Anyone have any experience with doing this?

Also, when will the docs be updated to reflect the obviation of gitolite?

~~~
pjungwir
For a big team you might want something else, but it's possible to configure
two repos as one "remote" so that a push goes to both:

    
    
        http://stackoverflow.com/questions/165092/can-i-push-to-more-than-one-repository-in-a-single-command-in-git

~~~
mattdeboard
Interesting, thanks.

------
whalesalad
I think it's hilarious that all the Gitlab development is occurring on Github.

~~~
sytse
We're pragmatic about the development of GitLab. A lot of people want public
projects, it is the most popular request for GitLab
[http://gitlab.uservoice.com/forums/176466-general/suggestion...](http://gitlab.uservoice.com/forums/176466-general/suggestions/3159951-allow-public-repositories)

~~~
timmow
Public projects and the need to add every single developer to every single
project they needed access to (no concept of teams) were the main reasons we
moved from Gitlab to Github Enterprise

~~~
sytse
FYI GitLab has teams of users, groups of projects and public clone now.
Completely public repos are being discussed
[http://gitlab.uservoice.com/forums/176466-general/suggestion...](http://gitlab.uservoice.com/forums/176466-general/suggestions/3159951-allow-public-repositories)

------
josephlord
Congratulations, the project looks good. I will keep it in mind. I didn't
install sometime ago partially because I was already running a Gitolite
instance and wasn't sure it would play nice.

Great to see Postgres support, can I ask why MySql is the recommended DB?

The install instructions are still quite long but it is really good to see
them done properly with a separate non-root user. The suggested Ruby version
isn't the latest (even on the 1.9.3 branch) although I'm not sure that
matters.

~~~
sytse
About MySql, it is the db that most existing installations use and it is well
tested. Also we had problems with deadlocks on Postgres during integration
tests on Travis CI. I must admit that I think Postgres has the momentum and
look forward to recommending it in the future.

Good point about the ruby version, I made a pull request
<https://github.com/gitlabhq/gitlabhq/pull/3305>

~~~
sytse
The pull request was merged into master

------
rektide
Just yesterday our workplace gained an interest in setting up Gitlab- can we
still use our existing Gitolite install, or do we now _have_ to migrate to
Gitlab-shell?

We've been extremely happy with gitolite, and I do not see us moving off of
that software.

~~~
pfg
I don't think it's possible to use Gitolite with GitLab >= 5

~~~
jameswritescode
You're correct. gitlab-shell is required in 5.

~~~
rektide
Welp, there goes an obvious good thing we had high hopes would help enrich our
infrastructure! Monday is going to be a very depressing day in the office for
everyone: we're going to have to go to cgit or some such, and there'll
probably be screaming and crying and wailing and self-flagellation over that
one.

Y'all should provide an easy to use configuration for using gitlab as a RO
mirror of any arbitrary git repository.

Hope you have a lot of great new things in the pipe that gitlab-shell is
providing. If configuration was the problem, why not try and scrape gitolite's
configuration directly and run gitlab from that? There's certainly another
acceptable path- the one you took, creating your own repo server- but I have a
hard time qualifying this- as this press release does- as a feature: it's a
migration, a lateral jump: there's nothing new that happens, nothing better,
it's just a different configuration routine to do what Gitlab and Gitosis did.

I won't be suckered by such suavity, but there's a lot of people who would be
more enticed by "new super configurable way better than gitolite repo server"
as a sales pitch that probably were happy enough running Gitlab as it used to
run that don't really see this as a feature, as they were already on top of
it. When releasing features, put the featureful ones foremost.

~~~
sytse
I'm sorry to hear we ruined your upcoming Monday. Which features are not in
GitLab 5.0 that you really need?

~~~
rektide
Only feature missing from pre 5.0 is an upgrade path, but that's an important
one for us.

------
aeontech
Any news on supporting a single gitlab instance fronting several load-balanced
git servers as backend? Or do both git repositories and gitlab still have to
live on same machine?

~~~
sytse
No news on this, the repos need to be on a single volume (can be NFS drive or
AWS EBS drive). I'm curious to know why you want this. We are looking into
sharded file servers for GitLab.com Cloud but that seems a bit different from
what you are proposing. If you don't feel comfortable commenting please email
support@gitlab.com

------
cs02rm0
I'll look forward to bitnami building an installer for it.

~~~
sytse
BitNami just released an installer. We hope they upgrade it to 5.0 soon
[http://blog.bitnami.com/2013/03/gitlab-now-part-of-bitnami.h...](http://blog.bitnami.com/2013/03/gitlab-now-part-of-bitnami.html)

------
chacham15
I am running Gitlab on an AWS micro-instance which has memory problems with
the previous version. Thanks for working hard and improving performance!

~~~
sytse
You're welcome, thanks for posting!

------
xipho
The installation guide link on the homepage that takes you to Git is borked at
present?!

~~~
sytse
Good point, we're looking into it. For now you can use
[https://github.com/gitlabhq/gitlabhq/blob/5-0-stable/doc/ins...](https://github.com/gitlabhq/gitlabhq/blob/5-0-stable/doc/install/installation.md)

~~~
sytse
And it is fixed now.

------
moneypenny
HURRAH! Gitlab is an excellent product but Gitolite and Resque were making the
baby Jesus cry, ran off with your girlfriend and kicked a kid over on his
bicycle.

V5: Thanks very much, team Gitlab.

------
randx
+1

