NAME

git-daemon - A really simple server for Git repositories

SYNOPSIS

  1. git daemon [--verbose] [--syslog] [--export-all]
  2.          [--timeout=<n>] [--init-timeout=<n>] [--max-connections=<n>]
  3.          [--strict-paths] [--base-path=<path>] [--base-path-relaxed]
  4.          [--user-path | --user-path=<path>]
  5.          [--interpolated-path=<pathtemplate>]
  6.          [--reuseaddr] [--detach] [--pid-file=<file>]
  7.          [--enable=<service>] [--disable=<service>]
  8.          [--allow-override=<service>] [--forbid-override=<service>]
  9.          [--access-hook=<path>] [--[no-]informative-errors]
  10.          [--inetd |
  11.           [--listen=<host_or_ipaddr>] [--port=<n>]
  12.           [--user=<user> [--group=<group>]]]
  13.          [--log-destination=(stderr|syslog|none)]
  14.          [<directory>…​]

DESCRIPTION

A really simple TCP Git daemon that normally listens on port "DEFAULT_GIT_PORT"aka 9418. It waits for a connection asking for a service, and will servethat service if it is enabled.

It verifies that the directory has the magic file "git-daemon-export-ok", andit will refuse to export any Git directory that hasn’t explicitly been markedfor export this way (unless the —export-all parameter is specified). If youpass some directory paths as git daemon arguments, you can further restrictthe offers to a whitelist comprising of those.

By default, only upload-pack service is enabled, which servesgit fetch-pack and git ls-remote clients, which are invokedfrom git fetch, git pull, and git clone.

This is ideally suited for read-only updates, i.e., pulling fromGit repositories.

An upload-archive also exists to serve git archive.

OPTIONS

  • —strict-paths

  • Match paths exactly (i.e. don’t allow "/foo/repo" when the real path is"/foo/repo.git" or "/foo/repo/.git") and don’t do user-relative paths.git daemon will refuse to start when this option is enabled and nowhitelist is specified.

  • —base-path=

  • Remap all the path requests as relative to the given path.This is sort of "Git root" - if you run git daemon with—base-path=/srv/git on example.com, then if you later try to pullgit://example.com/hello.git, git daemon will interpret the pathas /srv/git/hello.git.

  • —base-path-relaxed

  • If —base-path is enabled and repo lookup fails, with this optiongit daemon will attempt to lookup without prefixing the base path.This is useful for switching to —base-path usage, while stillallowing the old paths.

  • —interpolated-path=

  • To support virtual hosting, an interpolated path template can beused to dynamically construct alternate paths. The templatesupports %H for the target hostname as supplied by the client butconverted to all lowercase, %CH for the canonical hostname,%IP for the server’s IP address, %P for the port number,and %D for the absolute path of the named repository.After interpolation, the path is validated against the directorywhitelist.

  • —export-all

  • Allow pulling from all directories that look like Git repositories(have the objects and refs subdirectories), even if theydo not have the git-daemon-export-ok file.

  • —inetd

  • Have the server run as an inetd service. Implies —syslog (may beoverridden with —log-destination=).Incompatible with —detach, —port, —listen, —user and —groupoptions.

  • —listen=

  • Listen on a specific IP address or hostname. IP addresses canbe either an IPv4 address or an IPv6 address if supported. If IPv6is not supported, then —listen=hostname is also not supported and—listen must be given an IPv4 address.Can be given more than once.Incompatible with —inetd option.

  • —port=

  • Listen on an alternative port. Incompatible with —inetd option.

  • —init-timeout=

  • Timeout (in seconds) between the moment the connection is establishedand the client request is received (typically a rather low value, sincethat should be basically immediate).

  • —timeout=

  • Timeout (in seconds) for specific client sub-requests. This includesthe time it takes for the server to process the sub-request and thetime spent waiting for the next client’s request.

  • —max-connections=

  • Maximum number of concurrent clients, defaults to 32. Set it tozero for no limit.

  • —syslog

  • Short for —log-destination=syslog.

  • —log-destination=

  • Send log messages to the specified destination.Note that this option does not imply —verbose,thus by default only error conditions will be logged.The must be one of:
  • stderr

  • Write to standard error.Note that if —detach is specified,the process disconnects from the real standard error,making this destination effectively equivalent to none.

  • syslog

  • Write to syslog, using the git-daemon identifier.

  • none

  • Disable all logging.

The default destination is syslog if —inetd or —detach is specified,otherwise stderr.

  • —user-path
  • —user-path=

  • Allow ~user notation to be used in requests. Whenspecified with no parameter, requests togit://host/~alice/foo is taken as a request to accessfoo repository in the home directory of user alice.If —user-path=path is specified, the same request istaken as a request to access path/foo repository inthe home directory of user alice.

  • —verbose

  • Log details about the incoming connections and requested files.

  • —reuseaddr

  • Use SO_REUSEADDR when binding the listening socket.This allows the server to restart without waiting forold connections to time out.

  • —detach

  • Detach from the shell. Implies —syslog.

  • —pid-file=

  • Save the process id in file. Ignored when the daemonis run under —inetd.

  • —user=

  • —group=
  • Change daemon’s uid and gid before entering the service loop.When only —user is given without —group, theprimary group ID for the user is used. The values ofthe option are given to getpwnam(3) and getgrnam(3)and numeric IDs are not supported.

Giving these options is an error when used with —inetd; usethe facility of inet daemon to achieve the same before spawninggit daemon if needed.

Like many programs that switch user id, the daemon does not resetenvironment variables such as $HOME when it runs git programs,e.g. upload-pack and receive-pack. When using this option, youmay also want to set and export HOME to point at the homedirectory of <user> before starting the daemon, and make sure anyGit configuration files in that directory are readable by <user>.

  • —enable=
  • —disable=

  • Enable/disable the service site-wide per default. Notethat a service disabled site-wide can still be enabledper repository if it is marked overridable and therepository enables the service with a configurationitem.

  • —allow-override=

  • —forbid-override=

  • Allow/forbid overriding the site-wide default with perrepository configuration. By default, all the servicesmay be overridden.

  • —[no-]informative-errors

  • When informative errors are turned on, git-daemon will reportmore verbose errors to the client, differentiating conditionslike "no such repository" from "repository not exported". Thisis more convenient for clients, but may leak information aboutthe existence of unexported repositories. When informativeerrors are not enabled, all errors report "access denied" to theclient. The default is —no-informative-errors.

  • —access-hook=

  • Every time a client connects, first run an external commandspecified by the with service name (e.g. "upload-pack"),path to the repository, hostname (%H), canonical hostname(%CH), IP address (%IP), and TCP port (%P) as its command-linearguments. The external command can decide to decline theservice by exiting with a non-zero status (or to allow it byexiting with a zero status). It can also look at the $REMOTE_ADDRand $REMOTE_PORT environment variables to learn about therequestor when making this decision.

The external command can optionally write a single line to itsstandard output to be sent to the requestor as an error message whenit declines the service.

  • A directory to add to the whitelist of allowed directories. Unless—strict-paths is specified this will also include subdirectoriesof each named directory.

SERVICES

These services can be globally enabled/disabled using thecommand-line options of this command. If finer-grainedcontrol is desired (e.g. to allow git archive to be runagainst only in a few selected repositories the daemon serves),the per-repository configuration file can be used to enable ordisable them.

  • upload-pack

  • This serves git fetch-pack and _git ls-remote_clients. It is enabled by default, but a repository candisable it by setting daemon.uploadpack configurationitem to false.

  • upload-archive

  • This serves git archive —remote. It is disabled bydefault, but a repository can enable it by settingdaemon.uploadarch configuration item to true.

  • receive-pack

  • This serves git send-pack clients, allowing anonymouspush. It is disabled by default, as there is _no_authentication in the protocol (in other words, anybodycan push anything into the repository, including removalof refs). This is solely meant for a closed LAN settingwhere everybody is friendly. This service can beenabled by setting daemon.receivepack configuration item totrue.

EXAMPLES

  • We assume the following in /etc/services 
  1. $ grep 9418 /etc/services
  2. git        9418/tcp        # Git Version Control System
  • git daemon as inetd server
  • To set up git daemon as an inetd service that handles anyrepository under the whitelisted set of directories, /pub/fooand /pub/bar, place an entry like the following into/etc/inetd all on one line:
  1.     git stream tcp nowait nobody  /usr/bin/git
  2.         git daemon --inetd --verbose --export-all
  3.         /pub/foo /pub/bar
  • git daemon as inetd server for virtual hosts
  • To set up git daemon as an inetd service that handlesrepositories for different virtual hosts, www.example.comand www.example.org, place an entry like the following into/etc/inetd all on one line:
  1.     git stream tcp nowait nobody /usr/bin/git
  2.         git daemon --inetd --verbose --export-all
  3.         --interpolated-path=/pub/%H%D
  4.         /pub/www.example.org/software
  5.         /pub/www.example.com/software
  6.         /software

In this example, the root-level directory /pub will containa subdirectory for each virtual host name supported.Further, both hosts advertise repositories simply asgit://www.example.com/software/repo.git. For pre-1.4.0clients, a symlink from /software into the appropriatedefault repository could be made as well.

  • git daemon as regular daemon for virtual hosts
  • To set up git daemon as a regular, non-inetd service thathandles repositories for multiple virtual hosts based ontheir IP addresses, start the daemon like this:
  1.     git daemon --verbose --export-all
  2.         --interpolated-path=/pub/%IP/%D
  3.         /pub/192.168.1.200/software
  4.         /pub/10.10.220.23/software

In this example, the root-level directory /pub will containa subdirectory for each virtual host IP address supported.Repositories can still be accessed by hostname though, assumingthey correspond to these IP addresses.

  • selectively enable/disable services per repository
  • To enable git archive —remote and disable git fetch againsta repository, have the following in the configuration file in therepository (that is the file config next to HEAD, refs andobjects).
  1.     [daemon]
  2.         uploadpack = false
  3.         uploadarch = true

ENVIRONMENT

git daemon will set REMOTE_ADDR to the IP address of the clientthat connected to it, if the IP address is available. REMOTE_ADDR willbe available in the environment of hooks called whenservices are performed.

GIT

Part of the git[1] suite