From 2a2696fcbd9424a38e5c2a47f79218f255d3d94b Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Tue, 18 Feb 2025 14:53:33 +0100 Subject: [PATCH 01/11] Add CI: Build image weekly --- .github/workflows/docker-image.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/docker-image.yml diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml new file mode 100644 index 0000000..5e04e2b --- /dev/null +++ b/.github/workflows/docker-image.yml @@ -0,0 +1,22 @@ +name: Docker Image CI + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + cron: + '@daily' # Runs at 00:00 daily + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag git-server:$(date -I) + - name: Build the Docker image with tag latest + run: docker build . --file Dockerfile --tag git-server:latest From 277e052138ffd42b2ea7c181b2d38422d7ec0d25 Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Tue, 18 Feb 2025 14:58:13 +0100 Subject: [PATCH 02/11] Update docker-image.yml: Try to fix schedule --- .github/workflows/docker-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 5e04e2b..8331596 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -5,8 +5,8 @@ on: branches: [ "master" ] pull_request: branches: [ "master" ] - cron: - '@daily' # Runs at 00:00 daily + schedule: + - cron: '0 0 * * *' # Runs at 00:00 daily jobs: From 5318f87d8c9da63363547617c282e5c394583c20 Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Tue, 18 Feb 2025 16:05:11 +0100 Subject: [PATCH 03/11] Update docker-image.yml: Publish image Publish the freshly generated image --- .github/workflows/docker-image.yml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) 
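Review bot: Every action in the new workflow is referenced by a mutable tag (`- uses: actions/checkout@v4` in the steps block), so a retagged upstream release changes what runs in this pipeline without any change here; pinning to a full commit SHA with the version kept in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, fixes the dependency. The commit subject says the image is built weekly while the inline comment on the cron value says `Runs at 00:00 daily`; one of the two should be corrected so the intent is clear. The schedule syntax itself is reworked in the next patch, so it is not raised here.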
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 8331596..f8b0326 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -9,14 +9,27 @@ on: - cron: '0 0 * * *' # Runs at 00:00 daily jobs: - - build: - + build-and-push: runs-on: ubuntu-latest + permissions: + contents: read + packages: write # Required to push to GitHub Container Registry + steps: - uses: actions/checkout@v4 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag git-server:$(date -I) - - name: Build the Docker image with tag latest - run: docker build . --file Dockerfile --tag git-server:latest + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile + push: true + tags: ghcr.io/${{ github.actor }}/git-server-docker:latest From 6975f2f500618cd93ae762e92c921163b0837995 Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Tue, 18 Feb 2025 16:23:59 +0100 Subject: [PATCH 04/11] Use latest alpine version & update maintainer flag --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b1c9d0a..c0ae4f4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -FROM alpine:3.4 +FROM alpine:latest -MAINTAINER Carlos Bernárdez "carlos@z4studios.com" +LABEL org.opencontainers.image.authors="Oliver Filla , Carlos Bernárdez " # "--no-cache" is new in Alpine 3.3 and it avoid using # "--update + rm -rf /var/cache/apk/*" (to remove cache) From 460cd564b6c1bc36763f577188fe7d3ca4b9b33a Mon Sep 17 00:00:00 2001 
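Review bot: The build-and-push step runs with `push: true` for every trigger, including `pull_request`, so a PR branch from the same repository is published as `ghcr.io/.../git-server-docker:latest` before it is reviewed or merged (fork PRs will instead fail at the login step, since their GITHUB_TOKEN cannot write packages). Gate the push on the event, `push: ${{ github.event_name != 'pull_request' }}`, so pull requests only verify that the image builds. The image path also uses `github.actor`, which is whoever triggered the run rather than the repository owner, so a scheduled run or one triggered by another collaborator can target a different namespace; `github.repository_owner` is the stable choice. Dropping the date-based tag from the previous version means only a moving `latest` exists, leaving nothing to roll back to.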
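Review bot: `FROM alpine:latest` makes the daily CI rebuild track whatever Alpine release the tag points to, so a major upgrade of the base (and of the `openssh`/`git` packages pulled in later) lands in the published image with no commit and no review. Pinning at least the release series, `FROM alpine:3`, or a specific version with a digest (looked up from the registry, not taken from this page) keeps the base change explicit while still picking up security fixes. The author entries in the new `LABEL org.opencontainers.image.authors` value look like the email addresses were stripped (`"Oliver Filla , Carlos Bernárdez "`), which may be an artefact of how the patch was rendered; worth checking the committed file.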
From: Oliver Filla Date: Tue, 18 Feb 2025 16:25:04 +0100 Subject: [PATCH 05/11] Dockerfile: Simplify user creation --- Dockerfile | 24 ++++-------------------- start.sh | 2 ++ 2 files changed, 6 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index c0ae4f4..2d42577 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,35 +2,19 @@ FROM alpine:latest LABEL org.opencontainers.image.authors="Oliver Filla , Carlos Bernárdez " -# "--no-cache" is new in Alpine 3.3 and it avoid using -# "--update + rm -rf /var/cache/apk/*" (to remove cache) -RUN apk add --no-cache \ -# openssh=7.2_p2-r1 \ - openssh \ -# git=2.8.3-r0 - git - -# Key generation on the server -RUN ssh-keygen -A - -# SSH autorun -# RUN rc-update add sshd - -WORKDIR /git-server/ +RUN apk add --no-cache openssh git # -D flag avoids password generation # -s flag changes user's shell -RUN mkdir /git-server/keys \ - && adduser -D -s /usr/bin/git-shell git \ - && echo git:12345 | chpasswd \ - && mkdir /home/git/.ssh +RUN adduser -D -s /usr/bin/git-shell git \ + && mkdir -p /git-server/keys /git-server/repos ~git/.ssh # This is a login shell for SSH accounts to provide restricted Git access. # It permits execution only of server-side Git commands implementing the # pull/push functionality, plus custom commands present in a subdirectory # named git-shell-commands in the user’s home directory. # More info: https://git-scm.com/docs/git-shell -COPY git-shell-commands /home/git/git-shell-commands +COPY --chown=git:git git-shell-commands /home/git/git-shell-commands # sshd_config file is edited for enable access key and disable access password COPY sshd_config /etc/ssh/sshd_config diff --git a/start.sh b/start.sh index 6000392..da2b953 100644 --- a/start.sh +++ b/start.sh @@ -1,5 +1,7 @@ #!/bin/sh +ssh-keygen -A + # If there is some public key in keys folder # then it copies its contain in authorized_keys file if [ "$(ls -A /git-server/keys/)" ]; then 
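Review bot: Removing `echo git:12345 | chpasswd` rightly drops the hard-coded password, but `adduser -D` leaves the account with a locked password field (`!` in /etc/shadow), and OpenSSH on Linux refuses any login, including public-key, to an account it considers locked; the old chpasswd line was most likely what made key logins work. Unless something outside this hunk unlocks the account, give it a non-matching but unlocked hash right after creating the user, for example `&& sed -i 's/^git:!:/git:*:/' /etc/shadow`, so the account has no usable password yet is not locked. `mkdir -p ... ~git/.ssh` relies on the shell expanding `~git`, which busybox ash does, but spelling it `/home/git/.ssh` as the COPY line below already does avoids depending on that. The rest of the Dockerfile is outside this hunk.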
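Review bot: Moving `ssh-keygen -A` from the image build to container start is the right call for host keys (the old layout baked one host key pair into every copy of the published image), but /etc/ssh is not a volume anywhere in this series, so every recreation of the container (image update, compose up after a pull) gets fresh host keys and clients see a host-key-mismatch warning, which trains users to accept key changes. Either document a host volume for the host keys with matching `HostKey` directives in sshd_config, or generate them into a persistent path at first start; `ssh-keygen -A` already skips keys that exist, so either approach keeps them stable. The script continues past the hunk.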
From 497fa578c3ad7c40f72c6e65c04c1a3f7b44282c Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Tue, 18 Feb 2025 16:25:55 +0100 Subject: [PATCH 06/11] sshd_config: Disable SSH for all users except git --- sshd_config | 150 +++------------------------------------------------- 1 file changed, 7 insertions(+), 143 deletions(-) diff --git a/sshd_config b/sshd_config index 8c9e576..fb6fcfb 100644 --- a/sshd_config +++ b/sshd_config 
@@ -1,145 +1,9 @@ -# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# The default requires explicit activation of protocol 1 -#Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Ciphers and keying -#RekeyLimit default none - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin prohibit-password -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -RSAAuthentication yes -PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys -#AuthorizedKeysFile /home/git/.ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the 
user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! +# Disable SSH for all users except 'git' +PermitRootLogin no PasswordAuthentication no -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options (deprecated) -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options (deprecated) -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -#UsePAM no - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -#PrintMotd yes -#PrintLastLog yes -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation sandbox -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS no -#PidFile /run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/lib/ssh/sftp-server - -# the following are HPN related configuration options -# tcp receive buffer polling. 
disable in non autotuning kernels -#TcpRcvBufPoll yes - -# disable hpn performance boosts -#HPNDisabled no - -# buffer size for hpn to non-hpn connections -#HPNBufferSize 2048 - +AllowUsers git -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server +Match User git + X11Forwarding no + AllowTcpForwarding no + ForceCommand git-shell From c0c11fa49eb62cc5ba436a45f1cd3633f41ed44a Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Tue, 18 Feb 2025 16:29:25 +0100 Subject: [PATCH 07/11] start.sh: Replace relative paths with absolute paths --- start.sh | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/start.sh b/start.sh index da2b953..d756f7c 100644 --- a/start.sh +++ b/start.sh @@ -2,23 +2,22 @@ ssh-keygen -A -# If there is some public key in keys folder +# If there are some public keys in keys folder # then it copies its contain in authorized_keys file if [ "$(ls -A /git-server/keys/)" ]; then cd /home/git - cat /git-server/keys/*.pub > .ssh/authorized_keys - chown -R git:git .ssh - chmod 700 .ssh - chmod -R 600 .ssh/* + cat /git-server/keys/*.pub > /home/git/.ssh/authorized_keys + chown -R git:git /home/git/.ssh + chmod 700 /home/git/.ssh + chmod -R 600 /home/git/.ssh/* fi # Checking permissions and fixing SGID bit in repos folder # More info: https://github.com/jkarlosb/git-server-docker/issues/1 if [ "$(ls -A /git-server/repos/)" ]; then - cd /git-server/repos - chown -R git:git . - chmod -R ug+rwX . - find . -type d -exec chmod g+s '{}' + + chown -R git:git /git-server/repos + chmod -R ug+rwX /git-server/repos + find /git-server/repos -type d -exec chmod g+s '{}' + fi # -D flag avoids executing sshd as a daemon From 6ae7b40616077911d91e001b2fcb9a50438d7151 Mon Sep 17 00:00:00 2001 
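Review bot: `ForceCommand git-shell` inside the `Match User git` block combines badly with git-shell already being the account's login shell (`adduser -s /usr/bin/git-shell` in the Dockerfile): sshd runs a forced command through the user's login shell as `git-shell -c "git-shell"`, and git-shell does not recognise `git-shell` as a command, so unless `git-shell-commands` ships a wrapper of that name every push and clone will be rejected with "unrecognized command". Drop the ForceCommand line and let the login shell do the restriction, or keep ForceCommand and give the user a plain shell; the two mechanisms should not be stacked. The new file sets `PasswordAuthentication no` but leaves keyboard-interactive at its default, so adding `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication` on OpenSSH before 8.7) and `PermitEmptyPasswords no` closes that path explicitly. `PubkeyAuthentication yes` and `AuthorizedKeysFile .ssh/authorized_keys` were removed, which matches the defaults, so login via /home/git/.ssh/authorized_keys still works.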
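Review bot: The `cd /home/git` inside the keys branch is now dead code, since every path that follows it was rewritten as absolute, and a change of working directory that nothing uses is a trap for the next edit; remove the `cd /home/git` line. `chmod -R 600 /home/git/.ssh/*` still applies to whatever else is in the directory, which is fine while authorized_keys is the only file, but `chmod 600 /home/git/.ssh/authorized_keys` says what is meant. The script continues past the hunk.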
From: Oliver Filla Date: Tue, 18 Feb 2025 16:32:26 +0100 Subject: [PATCH 08/11] docker-compose.yml: Change image to forked project @ghcr.io/ofilla --- docker-compose.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index cded791..282c82f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,9 +1,6 @@ -version: '2' - services: - git-server: - image: jkarlos/git-server-docker + image: ghcr.io/ofilla/git-server-docker:latest #build: . restart: always container_name: git-server From ff410a3a21f69320161863cb7a681a5e8862a2fd Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Tue, 18 Feb 2025 16:38:02 +0100 Subject: [PATCH 09/11] Add repo path as variable --- README.md | 37 +++++++++++++++++++++++-------------- docker-compose.yml | 4 ++-- 2 files changed, 25 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 168a01f..cffe27e 100644 --- a/README.md +++ b/README.md 
@@ -7,70 +7,79 @@ A lightweight Git Server Docker image built with Alpine Linux. Available on [Git How to run the container in port 2222 with two volumes: keys volume for public keys and repos volume for git repositories: - $ docker run -d -p 2222:22 -v ~/git-server/keys:/git-server/keys -v ~/git-server/repos:/git-server/repos jkarlos/git-server-docker + `$ docker run -d -p 2222:22 -v ~/git-server/keys:/git-server/keys -v ~/git-server/repos:/git-server/repos jkarlos/git-server-docker` How to use a public key: Copy them to keys folder: - - From host: $ cp ~/.ssh/id_rsa.pub ~/git-server/keys - - From remote: $ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys + - From host: `$ cp ~/.ssh/id_rsa.pub ~/git-server/keys` + - From remote: `$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys` You need restart the container when keys are updated: - $ docker restart + `$ docker restart ` How to check that container works (you must to have a key): + ``` $ ssh git@ -p 2222 ... Welcome to git-server-docker! You've successfully authenticated, but I do not provide interactive shell access. ... + ``` How to create a new repo: + ``` $ cd myrepo $ git init --shared=true $ git add . $ git commit -m "my first commit" $ cd .. 
$ git clone --bare myrepo myrepo.git + ``` How to upload a repo: From host: - $ mv myrepo.git ~/git-server/repos + `$ mv myrepo.git ~/git-server/repos` From remote: - $ scp -r myrepo.git user@host:~/git-server/repos + `$ scp -r myrepo.git user@host:~/git-server/repos` How clone a repository: - $ git clone ssh://git@:2222/git-server/repos/myrepo.git + `$ git clone ssh://git@:2222/git-server/repos/myrepo.git` ### Arguments * **Expose ports**: 22 * **Volumes**: - * */git-server/keys*: Volume to store the users public keys - * */git-server/repos*: Volume to store the repositories + * `/git-server/keys`: Volume to store the users public keys + * `/git-server/repos`: Volume to store the repositories ### SSH Keys How generate a pair keys in client machine: - $ ssh-keygen -t rsa + `$ ssh-keygen -t rsa` How upload quickly a public key to host volume: - $ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys + `$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys` ### Build Image How to make the image: - $ docker build -t git-server-docker . - + `$ docker build -t git-server-docker .` + ### Docker-Compose You can edit docker-compose.yml and run this container with docker-compose: - $ docker-compose up -d + `$ docker-compose up -d` + +Arguments: + + * `GIT_SERVER_KEYS_DIR`: Path to public keys to accept, on the host + * `GIT_SERVER_REPO_DIR`: Path to repositories, on the host diff --git a/docker-compose.yml b/docker-compose.yml index 282c82f..b2a7d37 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,6 +7,6 @@ services: ports: - "2222:22" volumes: - - ~/git-server/keys:/git-server/keys - - ~/git-server/repos:/git-server/repos + - ${GIT_SERVER_KEYS_DIR:-~/git-server/keys}:/git-server/keys:ro + - ${GIT_SERVER_REPO_DIR:-~/git-server/repos}:/git-server/repos From f874643a7e1f252c7402acbd4708e6ad20309cb9 Mon Sep 17 00:00:00 2001 
From: Oliver Filla Date: Wed, 19 Feb 2025 10:41:08 +0100 Subject: [PATCH 10/11] README: Fix formatting & update references to repo --- README.md | 97 ++++++++++++++++++++++++++++++++----------------------- 1 file changed, 57 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index cffe27e..ac4e373 100644 --- a/README.md +++ b/README.md 
@@ -1,85 +1,102 @@ # git-server-docker -A lightweight Git Server Docker image built with Alpine Linux. Available on [GitHub](https://github.com/jkarlosb/git-server-docker) and [Docker Hub](https://hub.docker.com/r/jkarlos/git-server-docker/) +A lightweight Git Server Docker image built with Alpine Linux. Available on [GitHub](https://github.com/ofilla/git-server-docker) and [GitHub Container Registry](https://github.com/ofilla/git-server-docker/pkgs/container/git-server-docker). -!["image git server docker" "git server docker"](https://raw.githubusercontent.com/jkarlosb/git-server-docker/master/git-server-docker.jpg) +!["image git server docker" "git server docker"](https://raw.githubusercontent.com/ofilla/git-server-docker/master/git-server-docker.jpg) + +This image is built daily, based on `alpine:latest`. ### Basic Usage How to run the container in port 2222 with two volumes: keys volume for public keys and repos volume for git repositories: - `$ docker run -d -p 2222:22 -v ~/git-server/keys:/git-server/keys -v ~/git-server/repos:/git-server/repos jkarlos/git-server-docker` +``` +$ docker run -d \ + -p 2222:22 \ + -v ~/git-server/keys:/git-server/keys \ + -v ~/git-server/repos:/git-server/repos \ + ghcr.io/ofilla/git-server-docker +``` How to use a public key: - Copy them to keys folder: - - From host: `$ cp ~/.ssh/id_rsa.pub ~/git-server/keys` - - From remote: `$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys` - You need restart the container when keys are updated: - `$ docker restart ` - +* Copy them to keys folder: + * From host: `$ cp ~/.ssh/id_rsa.pub ~/git-server/keys` + * From remote: `$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys` +* You need restart the container when keys are updated: `$ docker restart ` + How to check that container works (you must to have a key): - ``` - $ ssh git@ -p 2222 - ... - Welcome to git-server-docker! - You've successfully authenticated, but I do not - provide interactive shell access. - ... 
- ``` +``` +$ ssh git@ -p 2222 +... +Welcome to git-server-docker! +You've successfully authenticated, but I do not +provide interactive shell access. +... +``` How to create a new repo: - ``` - $ cd myrepo - $ git init --shared=true - $ git add . - $ git commit -m "my first commit" - $ cd .. - $ git clone --bare myrepo myrepo.git - ``` +``` +$ cd myrepo +$ git init --shared=true +$ git add . +$ git commit -m "my first commit" +$ cd .. +$ git clone --bare myrepo myrepo.git +``` How to upload a repo: - From host: - `$ mv myrepo.git ~/git-server/repos` - From remote: - `$ scp -r myrepo.git user@host:~/git-server/repos` +* From host: `$ mv myrepo.git ~/git-server/repos` +* From remote: `$ scp -r myrepo.git user@host:~/git-server/repos` How clone a repository: - `$ git clone ssh://git@:2222/git-server/repos/myrepo.git` +``` +$ git clone ssh://git@:2222/git-server/repos/myrepo.git +``` ### Arguments * **Expose ports**: 22 * **Volumes**: - * `/git-server/keys`: Volume to store the users public keys - * `/git-server/repos`: Volume to store the repositories + * `/git-server/keys`: Volume to store the users public keys + * `/git-server/repos`: Volume to store the repositories ### SSH Keys How generate a pair keys in client machine: - `$ ssh-keygen -t rsa` +``` +$ ssh-keygen -t rsa +``` How upload quickly a public key to host volume: - `$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys` +``` +$ scp ~/.ssh/id_rsa.pub user@host:~/git-server/keys +``` + ### Build Image How to make the image: - `$ docker build -t git-server-docker .` +``` +$ docker build -t git-server-docker . 
+``` + ### Docker-Compose -You can edit docker-compose.yml and run this container with docker-compose: +You can edit `docker-compose.yml` and run this container with docker-compose: - `$ docker-compose up -d` +``` +$ docker-compose up -d +``` -Arguments: +Environment Variables: - * `GIT_SERVER_KEYS_DIR`: Path to public keys to accept, on the host - * `GIT_SERVER_REPO_DIR`: Path to repositories, on the host +* `GIT_SERVER_KEYS_DIR`: Path to public keys to accept, on the host +* `GIT_SERVER_REPO_DIR`: Path to repositories, on the host From 1b39af25729c6db2906a6daf7db9991799a7c8ad Mon Sep 17 00:00:00 2001 From: Oliver Filla Date: Wed, 19 Feb 2025 19:01:08 +0100 Subject: [PATCH 11/11] GitHub CI: Build both amd64 and arm64 images --- .github/workflows/docker-image.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index f8b0326..58ffb6a 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -19,6 +19,9 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Log in to GitHub Container Registry uses: docker/login-action@v3 with: @@ -26,10 +29,11 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push Docker image + - name: Build and push Docker image (multi-arch) uses: docker/build-push-action@v5 with: context: . file: ./Dockerfile push: true + platforms: linux/amd64,linux/arm64 # Multi-platform support tags: ghcr.io/${{ github.actor }}/git-server-docker:latest
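Review bot: `platforms: linux/amd64,linux/arm64` asks buildx to run the Dockerfile's `RUN apk add`/`adduser` steps for arm64 on an amd64 `ubuntu-latest` runner, which only works if binfmt handlers for that architecture are registered; the workflow sets up buildx but no emulation, so add `- uses: docker/setup-qemu-action@v3` before the `Set up Docker Buildx` step (the first hunk) unless the runner image is known to provide it. The retitled build step still pushes `:latest` only, so the arm64 and amd64 images share one mutable tag with no per-build tag to fall back to. Both hunks sit inside the `build-and-push` job whose header is outside this diff.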