Running servers (and services) well is not trivial

June 22, 2018

It all started with a Reddit comment thread called The "mass exodus" from Github to GitLab: 10 days later. In it, someone commented that they didn't understand why there was a need for cloud Git services in the first place, since running your own Git server for your company was easy enough. I think that part of this view is due to the difference between 'on premise' and 'off premise' approaches to environments, but as a sysadmin I had a twitchy reaction to the 'it's easy' part.

These days, it's often relatively easy to 'just set up a server' or a service, especially if you already work in the cloud. Spin up a VM or a Docker image, install some stuff, done, right? Well, not if you want this to be reliable infrastructure. So let's run down what you or I would have to do to set up a general equivalent of Github for internal company use:

  • Figure out the Git server software you want to use, including whether you want the full Github experience or a web Git thing that people can pull from and push to. Or you could go very old school and demand that people use SSH logins to a Unix machine where they do filesystem level git operations, although I'm not sure that would work well for very long.
  • Possibly figure out how to configure this Git server software for your particular requirements, setup, and available other pieces.

  • Figure out how you're going to handle authentication for this Git service. Do you have a company authentication system? How will you tie this service to any 2FA that you use (and you probably want to consider 2FA)?

    If you can't outsource all authentication to some other system in your company, you've just taken on an ongoing maintenance task of adding, removing, and updating users and groups (and any other things that have to authenticate to the Git server). Failure to do this well, or failure to be hooked into other aspects of the company's authentication and HR systems, can result in fun things like fired employees still retaining high-privilege access to your Git server (ie the company's Git server). You probably don't want that.

    (Non-integrated authentication causes sufficiently many problems that it's featured in a sysadmin test.)

  • Install a 'server' to run all of the necessary components on. In the best case, you use Docker or something that uses Docker images and there's a pre-packaged Docker image that you can throw on. In the worst case, you get to find and install a physical server for this, including hooking it into any fleet-wide management systems so that it automatically gets kept up to date on security patches, and then install a host of un-packaged software from source (or install random binaries you download from the Internet, if you feel like doing that).

    If you're using Docker or a VPS in the cloud, don't forget to figure out how you're going to get persistent storage.

  • Figure out how to back up the important data on the system. Even if you have persistent cloud storage, you want some form of backups or ability to roll back in time, because sooner or later someone will accidentally do something destructive to a bit of the system (eg 'oops, I mass-deleted a bunch of open issues by mistake') and you'll need to fix it.

    Once you have backups set up, make sure that you're monitoring them on an ongoing basis so that you can find out if they break.

  • If your company has continuous integration systems and similar development automation, or has production servers that pull from your Git repos (or that get pushed to by them), you're going to need to figure out how to connect all of this to the Git server software. This includes things like how to authenticate various parties to each other, unless everyone can pull anything from your Git server.
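The authentication point above (departed people keeping access when the Git server's user database is not tied to HR) is the kind of thing you can at least check for. This is an added example, not code from the original post: it reconciles a constructed dump of the Git server's local users against a constructed HR export; both CSV layouts and the group names are assumptions.

```python
import csv
import io
from datetime import date

# Constructed HR export (not real data): who is employed, and when they left.
HR_EXPORT = """\
user,status,end_date
alice,active,
bob,terminated,2018-06-01
carol,active,
dave,terminated,2018-05-15
"""
# Constructed dump of the Git server's own (non-integrated) user database.
GIT_USERS_EXPORT = """\
user,groups
alice,developers
bob,admins;developers
carol,developers
erin,developers
"""
HIGH_PRIVILEGE_GROUPS = {"admins"}   # assumed name of the privileged group
REPORT_DATE = date(2018, 6, 22)      # constructed "today" for the sample


def parse_csv(text):
    """Return a dict keyed by user from a CSV export with a header row."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}


def find_stale_access(hr_text, git_text, today):
    """Return (user, reason, groups) for every Git account HR does not vouch for."""
    hr = parse_csv(hr_text)
    findings = []
    for user, row in parse_csv(git_text).items():
        groups = sorted(g for g in row["groups"].split(";") if g)
        record = hr.get(user)
        if record is None:
            reason = "no HR record (orphan account)"
        elif record["status"] != "active":
            left = date.fromisoformat(record["end_date"])
            reason = f"{record['status']} {(today - left).days} days ago"
        else:
            continue  # active employee: nothing to report
        findings.append((user, reason, groups))
    # Accounts that still hold a high-privilege group are reported first.
    findings.sort(key=lambda f: (not HIGH_PRIVILEGE_GROUPS & set(f[2]), f[0]))
    return findings


if __name__ == "__main__":
    for user, reason, groups in find_stale_access(HR_EXPORT, GIT_USERS_EXPORT, REPORT_DATE):
        print(f"DISABLE {user}: {reason}; groups={groups}")
```

Run on a real export, the output is the list of accounts to disable; wired into a scheduled job it is the ongoing maintenance task the post describes, made visible instead of forgotten.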

I'm going to generously assume that the system never has performance problems (which you'd have to troubleshoot) and never experiences software issues with your chosen Git server and any databases and the like that it may depend on (which you'd have to troubleshoot too). Once set up, it stays quietly running in the corner and doesn't actively require your attention. This is, shall we say, not always the experience that you actually get.

(I'm also assuming that you can just get TLS certificates from Let's Encrypt and that you know how to do this. Or perhaps the Git server stuff you picked does this all for you.)

Unfortunately we're not done, because the world is not a nice place. Even with the service just working, we still have more things to worry about:

  • Figure out how to get notified if there are security issues or important bugfixes in either the Git server software or the underlying environment that it runs on. You can be confident that there will be some, sooner or later.

  • Even without security problems, someday you're going to have to update to a new version of the Git server software. Will it be fully compatible as a drop-in replacement? If your Git server is important to your company, you don't really want to just drop the new version in and hope for the best; you're going to have to spend time building out an environment to test the new version in (with something like your data).

    New versions may require changes to other bits of the system, any local customizations, or to things you integrated the old version with. Updates are often a pain but at the same time you have to do them sooner or later.

  • In general you need to worry about how to secure both the Git server software and the underlying environment it runs on. The defaults are not necessarily secure and are not necessarily appropriate for your company.

  • You may want to set up some degree of monitoring for things like disk space usage. If this Git server is important, people will notice right away if it goes down, but they may not notice in time if the disk space is just quietly getting closer and closer to running out because more and more people in the company are using it for more stuff.

If this is something that matters to the company and the company is more than a few people, it's also not just 'you' (a single person) who will be looking after the server. The company needs at least a few people involved so that you can go on vacation or even just get sick without the company running the risk of the central Git server that all the developers use just falling over and no one knowing how to bring it back.

In some environments this Git server will either be exposed to the Internet (even if it's only used by company people) or at least available across multiple 'internal network' locations because, say, your developers are not really on the same network as your production servers in the cloud. This will likely raise additional network security issues and perhaps authentication issues. This is especially the case if you have to expose this Git service to the Internet. Mere obscurity and use only by company insiders is not enough any more these days; there are systems that mass scan the entire IPv4 Internet and keep world-accessible databases of what they find. If you have open ports or services, you have problems, and that means you're going to have to do the work to close things down.

Basically all of this applies to pretty much any service, not just Git. If you want to run a mailer, or an IMAP server, or a web server hosting a blog or CMS, or a DNS server, or whatever, you will have to face all of these issues and often more. Under the right circumstances, the initial setup can appear extremely trivial; you grab a Docker image, you start it somewhere, you make your internal DNS point a name to it, and you can call it up in your browser or otherwise start poking it. But that's just the start of a long and tiresome journey to a reliable, secure service that can be sustained over the long haul and won't blow up in your face someday.

I'm naturally inclined toward the 'on premise' view of things where we do stuff internally. But all of this is why, if someone approached me at work about setting up a Github-like service locally, I would immediately ask 'is there some reason we can't pay Github to do this for us?' I'm pretty confident that Github'll do it better, and if staff time isn't free they'll probably do it cheaper.

PS: I've probably missed some things you'd need to think about and tackle, which just goes to show how non-trivial this really is.


Comments on this page:

Indeed. Setting up GitLab (without depending directly on a random internet binary) wasn't trivial. I can't remember if I spent one day or two on failing to do it.

We ended up using gitolite on an existing pet server, using our regular SSH keys for auth, and forgoing the web interface entirely. It was easy enough to get started, but eventually I realized I wasn't paying attention to updates.

At that point, AWS had just introduced CodeCommit with almost no features. But we'd already given up on features with gitolite, and there was a lot of political support for "aws for ALL the things!" So we migrated.

CodeCommit does more stuff now, but we still don't use those features, and the important bit is slower than ever (push/pull is about 10 seconds in us-east-1 for us these days), and all of our tech team, including the CIO, have GitHub accounts already.

tl;dr: it's not clear we have saved anything at all by not paying GitHub, regardless of how "easy" it was to sacrifice features and host our own.

As an update to my above comment: I think I meant "Gitorious" rather than GitLab. It's been quite a while since we did that; I think it coincided with our migration from Subversion to Git, which was in July 2012.

Written on 22 June 2018.
Last modified: Fri Jun 22 00:54:37 2018