系统概述
GitHub Enterprise Server is your organization's private copy of GitHub contained within a virtual appliance, hosted on premises or in the cloud, that you configure and control.
本文内容
存储架构
GitHub Enterprise Server requires two storage volumes, one mounted to the root filesystem path (/) and the other to the user filesystem path (/data/user). 这种架构将运行软件环境与持久应用程序数据分离,从而可以简化升级、回滚和恢复程序。
根文件系统包含在分布式机器映像中。 它包含基本操作系统和 GitHub Enterprise Server 应用程序环境。 根文件系统应被视为临时性的。 升级到今后的 GitHub Enterprise Server 版本时,根文件系统中的所有数据都将被替代。
根文件系统包含:
- 自定义证书颁发机构 (CA) 证书(/usr/local/share/ca-certificates 中)
- 自定义网络配置
- 自定义防火墙配置
- 复制状态
用户文件系统包含用户配置和数据,例如:
- Git 仓库
- 数据库
- 搜索索引
- 在 GitHub 页面 站点上发布的内容
- Git Large File Storage 中的大文件
- 预接收挂钩环境
部署选项
您可以将 GitHub Enterprise Server 部署为一个虚拟设备,也可采用高可用性配置。 更多信息请参阅“配置 GitHub Enterprise Server 以实现高可用性”。
某些拥有成千上万名开发者的组织还会从使用 GitHub Enterprise Server 集群中受益。 For more information, see "Clustering overview."
数据保留和数据中心冗余
在生产环境中使用 GitHub Enterprise Server 之前,我们强烈建议您设置备份和灾难恢复计划。 For more information, see "Configuring backups on your appliance."
GitHub Enterprise Server 支持通过 GitHub Enterprise Server 备份实用程序 进行在线和增量备份。 您可以通过安全网络链接(SSH 管理端口)远距离为场外或地理上分散的存储生成增量快照。 You can restore snapshots over the network into a newly provisioned appliance at time of recovery in case of disaster at the primary datacenter.
除网络备份外,在设备处于离线或维护模式时,还支持用户存储卷的 AWS (EBS) 和 VMware 磁盘快照。 如果您的服务级别要求允许定期离线维护,可以将定期卷快照用作低成本、低复杂性的方案,代替通过 GitHub Enterprise Server 备份实用程序 进行网络备份。
For more information, see "Configuring backups on your appliance."
安全
GitHub Enterprise Server is a virtual appliance that runs on your infrastructure and is governed by your existing information security controls, such as firewalls, IAM, monitoring, and VPNs. Using GitHub Enterprise Server can help you avoid regulatory compliance issues that arise from cloud-based solutions.
GitHub Enterprise Server also includes additional security features.
- Operating system, software, and patches
- Network security
- Application security
- External services and support access
- Encrypted communication
- Users and access permissions
- 身份验证
- Audit and access logging
Operating system, software, and patches
GitHub Enterprise Server runs a customized Linux operating system with only the necessary applications and services. GitHub manages patching of the appliance's core operating system as part of its standard product release cycle. Patches address functionality, stability, and non-critical security issues for GitHub applications. GitHub also provides critical security patches as needed outside of the regular release cycle.
Network security
GitHub Enterprise Server's internal firewall restricts network access to the appliance's services. Only services necessary for the appliance to function are available over the network. For more information, see "Network ports."
Application security
GitHub's application security team focuses full-time on vulnerability assessment, penetration testing, and code review for GitHub products, including GitHub Enterprise Server. GitHub also contracts with outside security firms to provide point-in-time security assessments of GitHub products.
External services and support access
GitHub Enterprise Server can operate without any egress access from your network to outside services. You can optionally enable integration with external services for email delivery, external monitoring, and log forwarding. For more information, see "Configuring email for notifications," "Setting up external monitoring," and "Log forwarding."
You can manually collect and send troubleshooting data to GitHub 支持. For more information, see "Providing data to GitHub 支持."
Encrypted communication
GitHub designs GitHub Enterprise Server to run behind your corporate firewall. To secure communication over the wire, we encourage you to enable Transport Layer Security (TLS). GitHub Enterprise Server supports 2048-bit and higher commercial TLS certificates for HTTPS traffic. For more information, see "Configuring TLS."
By default, the appliance also offers Secure Shell (SSH) access for both repository access using Git and administrative purposes. For more information, see "About SSH" and "Accessing the administrative shell (SSH)."
Users and access permissions
GitHub Enterprise Server provides three types of accounts.
- The
adminLinux user account has controlled access to the underlying operating system, including direct filesystem and database access. A small set of trusted administrators should have access to this account, which they can access over SSH. For more information, see "Accessing the administrative shell (SSH)." - User accounts in the appliance's web application have full access to their own data and any data that other users or organizations explicitly grant.
- Site administrators in the appliance's web application are user accounts that can manage high-level web application and appliance settings, user and organization account settings, and repository data.
For more information about GitHub Enterprise Server's user permissions, see "Access permissions on GitHub."
身份验证
GitHub Enterprise Server provides four authentication methods.
- SSH public key authentication provides both repository access using Git and administrative shell access. For more information, see "About SSH" and "Accessing the administrative shell (SSH)."
- Username and password authentication with HTTP cookies provides web application access and session management, with optional two-factor authentication (2FA). For more information, see "Using built-in authentication."
- External LDAP, SAML, or CAS authentication using an LDAP service, SAML Identity Provider (IdP), or other compatible service provides access to the web application. For more information, see "Authenticating users for your GitHub Enterprise Server instance."
- OAuth and Personal Access Tokens provide access to Git repository data and APIs for both external clients and services. For more information, see "Creating a personal access token for the command line."
Audit and access logging
GitHub Enterprise Server stores both traditional operating system and application logs. The application also writes detailed auditing and security logs, which GitHub Enterprise Server stores permanently. You can forward both types of logs in realtime to multiple destinations via the syslog-ng protocol. For more information, see "Log forwarding."
Access and audit logs include information like the following.
Access logs
- Full web server logs for both browser and API access
- Full logs for access to repository data over Git, HTTPS, and SSH protocols
- Administrative access logs over HTTPS and SSH
Audit logs
- User logins, password resets, 2FA requests, email setting changes, and changes to authorized applications and APIs
- Site administrator actions, such as unlocking user accounts and repositories
- Repository push events, access grants, transfers, and renames
- Organization membership changes, including team creation and destruction
GitHub Enterprise Server 的开源依赖项
要查看您的设备 GitHub Enterprise Server 版本中依赖项的完整列表以及每个项目的许可,请访问 http(s)://HOSTNAME/site/credits。
您的设备上提供包含依赖项和关联元数据完整列表的 tarball:
- 要查看所有平台通用的依赖项,请访问
/usr/local/share/enterprise/dependencies-<GHE version>-base.tar.gz - 要查看平台特有的依赖项,请访问
/usr/local/share/enterprise/dependencies-<GHE version>-<platform>.tar.gz
还提供包含依赖项和元数据完整列表的 tarball,地址为 https://enterprise.github.com/releases/<version>/download.html。