GIT_SSH and mirror not working with git 2.30.1

GIT_SSH and mirror not working with git 2.30.1

[Lamborn, Peter Craig]

We have some machines behind firewalls and gateways that cannot access git repos directly.  We have been using GIT_SSH and mirror to push and pull git request through a less restricted machine.  This has been working for a while, specifically both git 2.24.1 and git 2.28 can handle the method we have been doing. 


When you try the same thing with git 2.30.1, the "git push" commands still succeed.  But "git pull" returns this:


$ git pull <mirror name>
hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint:
hint:   git config pull.rebase false  # merge (the default strategy)
hint:   git config pull.rebase true   # rebase
hint:   git config pull.ff only       # fast-forward only
hint:
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.


ssh: connect to host <destination machine> port 22: Operation timed out
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
$

Does git 2.30.1 change something about mirrors and/or GIT_SSH that would cause git pulls to fail?  Do we need to adjust our current process?

Our method:

destination_machine$ mkdir <DZPATH>
destination_machine$ cd <DZPATH>
destination_machine$ git --bare init

...

workstation$ cat ssh-hop.sh
#!/bin/bash
  
MACHINE_REGEXP="<...>"
  
if [[ $1 =~ $MACHINE_REGEXP ]]; then
  
  exec ssh <gateway> ssh "$@"
  
else
  exec ssh "$@"
fi

workstation$ chmod u+x ssh-hop.sh
workstation$ export GIT_SSH=<path to>/ssh-hop.sh
workstation$ cd <git repo>
workstation$ git remote add --mirror <mirror name> <destination_machine>:<DZPATH>
workstation$ git push <mirror name>
workstation$ git pull <mirror name>



Thank you,

Peter

Re: GIT_SSH and mirror not working with git 2.30.1

[Andreas Schwab]

On Mär 16 2021, Lamborn, Peter Craig wrote:

> workstation$ cat ssh-hop.sh
> #!/bin/bash
>   
> MACHINE_REGEXP="<...>"
>   
> if [[ $1 =~ $MACHINE_REGEXP ]]; then
>   
>   exec ssh <gateway> ssh "$@"
>   
> else
>   exec ssh "$@"
> fi

FWIW, it might be easier to use the ProxyJump configuration setting of
ssh instead.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."

Re: GIT_SSH and mirror not working with git 2.30.1

[Jeff King]

On Tue, Mar 16, 2021 at 06:53:24PM +0000, Lamborn, Peter Craig wrote:

> We have some machines behind firewalls and gateways that cannot access
> git repos directly.  We have been using GIT_SSH and mirror to push and
> pull git request through a less restricted machine.  This has been
> working for a while, specifically both git 2.24.1 and git 2.28 can
> handle the method we have been doing.
> [...]
> workstation$ cat ssh-hop.sh
> #!/bin/bash
>   
> MACHINE_REGEXP="<...>"
>   
> if [[ $1 =~ $MACHINE_REGEXP ]]; then
>   
>   exec ssh <gateway> ssh "$@"
>   
> else
>   exec ssh "$@"
> fi

I suspect the problem is that your script blindly matches "$1". Doing
so makes the assumption that Git will never pass any other options to
ssh. Traditionally Git _usually_ wouldn't do so (unless it needed
specific options like "-p", "-4/-6", etc).

But in Git's newer "v2" protocol, we have to pass an environment
variable across the wire, which requires using "-o". E.g.:

  [using v2.28]
  $ GIT_TRACE2_BRIEF=1 GIT_TRACE2=1 git ls-remote git@github.com:nosuch/repo 2>&1 | grep child_start
  child_start[0] ssh git@github.com 'git-upload-pack '\''nosuch/repo'\'''

  [using v2.29]
  $ GIT_TRACE2_BRIEF=1 GIT_TRACE2=1 git ls-remote git@github.com:nosuch/repo 2>&1 | grep child_start
  child_start[0] ssh -o SendEnv=GIT_PROTOCOL git@github.com 'git-upload-pack '\''nosuch/repo'\'''

> When you try the same thing with git 2.30.1, the "git push" commands
> still succeed.  But "git pull" returns this:

Using the new protocol became the default in v2.29. It also is only used
for fetching, not pushing. So that explains why it's a problem in
v2.30.1, and also why "git push" isn't affected.

> ssh: connect to host <destination machine> port 22: Operation timed out
> fatal: Could not read from remote repository.

This part is presumably just what happens when the "hop" behavior of
your script doesn't kick in. A straight "ssh" is run under the hood, but
your firewall probably times it out.

> Does git 2.30.1 change something about mirrors and/or GIT_SSH that
> would cause git pulls to fail?  Do we need to adjust our current
> process?

Adjusting your script to look for the hostname in the second-to-last
argument would probably be more robust. But as Andreas noted, using
ssh's ProxyJump feature would be better still.

-Peff