I'm trying to get a fairly simple deploy process going for a Node app using Gitolite. I have Gitolite setup and working on my server, and I'm able to push to it fine.
Gitolite is running under a user called git, and I've setup a node user that I'm hoping to use to run the Node app.
My plan is to push the Node app to Gitolite, and then use a post-receive hook script to move the app files to the directory where the app lives, in this case /var/local/node-apps/my-node-app/. I created the Node app folder like this:
sudo mkdir -p /var/local/node-apps/my-node-app
sudo chown node /var/local/node-apps/my-node-app
The problem is that I'm a Unix noob and I haven't got my head round file/folder permissions and wotnot.
/var/local/node-apps (and also /var/local/node-apps/my-node-app) is owned by the node user, so when the git user tries to checkout to this location I get a bunch of permission denied errors. The command I'm using in the post-receive is:
GIT_WORK_TREE=/var/local/node-apps/my-node-app git checkout -f
And I get errors like this:
remote: error: git checkout-index: unable to create file XXXX (Permission denied)
remote: fatal: cannot create directory at 'XXXX': Permission denied
What's the best way to resolve this? Do I need to grant the git user password-less sudo rights to su as the node user? Or can this be somehow fixed by changing groups and folder permissions? Or a different approach entirely? I'm lost!
Thanks!
Using sudo would certainly work, you have one example at "post-receive hook permission denied “unable to create file” error", wrapping the git commands in a script.
Changed post-receive to:
sudo sh /usr/local/sbin/prgetsimpleappscom
Changed sudoers with visudo
git ALL = (root) NOPASSWD: /bin/sh /usr/local/sbin/prgetsimpleappscom
The other approach would be a cron job as node user regularly fetching and (if there are new commit) pulling in the destination repo.
Related
The title is general, but I have more specific questions. I am deep in a permissions nightmare trying to set up a "push-to-deploy" system using Git.
From my local machine, I push by SSH to the server (Ubuntu 14.04). I have the server set up as the remote
git remote add development devuser#development.server:/home/dummyuser/bare/repo.git
This bare repository is within the home folder of a dummy user dummyuser that we use to handle deployment tasks. devuser is my own account on the development server.
I have a post-receive hook set up within the remote repository (development.server:/home/dummyuser/bare/repo.git/hooks/post-receive) that's intended to deploy files via git checkout to a web server directory on the same server, call it webfolder/. That folder currently has permissions
drwxr-xr-x dummyuser www-data webfolder/
where www-data is the group associated with the Apache user.
If I have the post-receive hook script use the command
git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
I get errors that it can't write to webfolder/, which is predictable since I assume the script is running as me (devuser) since I did the instigating push via SSH, and devuser doesn't have any permissions on webfolder/.
However, if I change the script to act as dummyuser,
sudo -u dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
just to see what happens, I have the error
warning: unable to access '/home/devuser/.config/git/attributes': Permission denied
There's a couple of things I don't understand about this:
1) Neither /home/devuser/.config/ nor /home/dummyuser/.config/ exist. That's fine, but if Git needs to access a .config/ folder, why wasn't it complaining before when I was setting up bare repos and executing hooks as devuser?
2) Now that I'm trying to act as dummyuser, why is Git looking in ~devuser/ for a .config/ folder? Why isn't it looking in ~dummyuser/?
I've been working on this tiny slice of one single problem in the maddening shitshow that is "using Git" for coming up on four hours now, and my brain is fuzzy, so please use small words.
The problem is something involving sudo -u dummyuser not setting the environment variables that Git expects. If I add HOME=/home/dummyuser to the post-receive hook, the deployment works as expected.
If anyone can provide more details about what's happening or a better solution, write it as an answer and I'll accept it. Couple of notes:
dummyuser doesn't have a login, so using sudo -iu dummyuser in the post-receive script won't work
After setting HOME=/home/dummyuser manually and successfully executing the script, I find that echo $HOME from the terminal returns /home/devuser, so there's no permanent change to $HOME
After successfully executing the hook script, neither ~devuser/ nor ~dummyuser/ nor /root/ have a .config/ folder. So... I still have no idea why Git was hung up on it.
Git expects a .config folder in the user's home directory. If $HOME isn't set correctly, e.g. if it points to a different user's home, Git will try to access $HOME/.config, not knowing that it actually doesn't even exist. However, since the user, and thus Git, doesn't have access to that $HOME, you will receive an error saying Permission denied.
To test that, try to run as dummyuser:
[ -d /home/devuser/.config ] && echo '.config exists!'
You're trying to test if the directory /home/devuser/.config exists. However, since you don't have the needed permissions, you get Permission denied, and you still don't know whether the directory exists or not.
Instead of setting $HOME manually, you could possibly use -H or --set-home:
sudo -Hu dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
Error:
Failed to connect to repository : Command "/usr/bin/git ls-remote -h file:///home/myuser/path/to/project HEAD" returned status code 128:
stdout:
stderr: fatal: 'home/myuser/path/to/project' does not appear to be a git repository
fatal: The remote end hung up unexpectedly
I have tried the following:
chmod 777 to the repo folder(folder containing .git directory)
chowned to jenkins:jenkins on the repo folder
tried to clone into another folder from this local repo folder: this works!
When I run the above command: /usr/bin/git ls-remote -h file:///home/myuser/path/to/project HEAD on cmd I get the branches.
My questions are:
why is git ls-remote -h ... command called when it should be git clone ...?
How to configure jenkins git plugin to fetch code from local repo
My environment:
RHEL 5.9
Jenkins 1.519 installed as a service(no Web container)
Git plugin
When installing Jenkins as a service, by default, Jenkins does not create a user directory as in: /home/jenkins. Jenkins default home directory is set to /var/lib/jenkins. From my work-around, as you would expect, jenkins has trouble accessing local resources from other users directory.
I moved my cloned repo under Jenkins default home directory i.e. under /var/lib/jenkins so my Repository URLin Jenkins Project configuration looks like: file:///${JENKINS_HOME}/repo/<myprojectname>
UPDATE:
The above works fine ...but I found a better way to do it from this blog
The steps are outlined here:
look up /etc/init.d/jenkins script. There are a few $JENKINS variables defined
. This should lead you to the sysconfig for jenkins i.e. /etc/sysconfig/jenkins.
Stop your jenkins instance:
sudo /sbin/service jenkins stop
Take a backup
cp /etc/sysconfig/jenkins /etc/sysconfig/jenkins.bak
In this file, change the following property:
$JENKINS_USER="<your desired user>"
Change ownership of all related Jenkins directories:
chown -R <your desired user>:<your user group> /var/lib/jenkins
chown -R <your desired user>:<your user group> /var/cache/jenkins
chown -R <your desired user>:<your user group> /var/log/jenkins
Restart jenkins and that error should disappear
sudo /sbin/service jenkins start
This error should go away now!
It's been a while since this question was asked, but I had this problem today and there are very few resources. Most probably, because people tend to connect to git repositories remotely.
I checked using strace what exactly jenkins was doing and yes, it was a problem with permissions.
But I solved it in a simpler way than answer #2 - by adding jenkins to the git server group - in my case, git1:
root# gpasswd -a jenkins git1
root# service jenkins restart
I'm running Jenkins on Windows and had the same problem. I was able to solve this by having the Jenkins service log in as my user on my laptop.
(Windows 7)
Open Task Manager (Ctrl + Shift + Escape)
(Windows 10 only) Click on More Details in the lower left corner of the pop up window
Go to the Services tab
Click the Services... button
Find "Jenkins" in the list of services
Right-click "Jenkins" and click on Properties
Click the Log On tab in the Jenkins Properties window
Choose This account: under Log on as:
Enter your username and password
Click OK
Restart the Jenkins service
Then Bob's your uncle.
Jenkins uses git clone command only for the first time when a workspace is configured for a project. Further instances uses the git ls-remote command.
I had the same issue when I configured Jenkins. It was resolved by playing around with the SSH Keys. This looks like a configuration issue as well. Check if SSH Keys are setup for the Jenkins account.
Also, see the step by step procedure of configuration of SSH in the link provided. This might not give you exact solution, but can point you to the solution.
http://oodlestechnologies.com/blogs/How-to-setup-Jenkins-With-Grails-on-Ubuntu
I find that the other solutions are a bit "hacky" for me. What I did was move the Jenkins Home folder from /Users/Shared/ to /Users/[myacccount]/. This way, my Jenkins will have access to my repos and to my Android SDK (because that's where I use Jenkins for). Then change the JENKINS_HOME environment variable. I did this by entering the JENKINS_HOME in my .bash_profile (but there are other ways to do this).
Note: I use OSX
Instead of file:/// you can also use ssh:// as in this answer:
ssh://YOUR_USER#localhost/PATH_TO_YOUR_PROJECT
Note that you need to do the standard ssh setup:
Generate a keypair using ssh-keygen if you don't already have one in ~/.ssh
Paste private key (default ~/.ssh/id_rsa) into Jenkins (project settings, git repo, credentials)
Paste public key into ~/.ssh/authorized_keys
I am using Amazon EC2 to host a website which is deployed to the server via git. I used this tutorial previously on the same kind of EC2 Ubuntu Linux Server instance, and it has worked flawlessly. However, when I try and push to the server, I receive the following error trace:
Tutorial: http://toroid.org/ams/git-website-howto
Trace:
$ git push origin master
Counting objects: 5, done.
Writing objects: 100% (3/3), 250 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
remote: error: unable to create file index.html (Permission denied)
To ssh://ubuntu#myserv.er/var/www/website.git
8068aac..04eae11 master -> master
I only have one file inside the repository at the moment, which is index.html.
The error trace is showing that the permission is being denied to create the file. Please can you tell me where I am going wrong?
I believe if you run
sudo chown -R git:git /srv/git/
this is coming from How to fix permission denied for .git/ directory when performing git push?
You probably didn't do this part of the tutorial:
First, the work tree (/var/www/www.example.org above) must be writable by the user who runs the hook (or the user needs sudo access to run git checkout -f, or something similar).
FYI, I had this error because I made a hook to update files in a separate website root directory. For example:
/var/www/project.git # (where we push updates)
/var/www/project.com # (where the website exists)
I forgot to add the group permission to the project.com directory. This made it all work, index.html appeared in the /var/www/project.com directory once I did the next commit/push!
Full code to make it work assuming you added your user to the "developers" group:
sudo chmod -R g+ws /var/www/project_name.git
sudo chgrp -R developers /var/www/project_name.git
sudo chmod -R g+ws /var/www/project_name
sudo chgrp -R developers /var/www/project_name
And the git setting for shared repository:
git config core.sharedRepository group
Your anti virus or some ot her program may be preventing that file from being written to your folder. If you observe carefully, you would realize that all other files have been created except the one for which the permission is denied.
You may be having a protection software that is preventing creation of certain file types and no matter the user type you are logged-in, the file won't be created until you disable that software.
So check that your antivirus software isn't behind this for those running windows.
I am wondering if anyone has a better strategy for this scenario.
I am currently hosting my own remote git repo on the same box as the webserver.
All git repos are under the git user.
sudo -uwww-data -gwww-data git --git-dir=/var/www/website/.git --work-tree=/var/www/website pull
I have a cron job running as root every minute that executes this command. The git repo in the web folder is cloned from the same box to git's home dir where it's stored instead of through ssh.
So my question: Since git doesn't own the web files, it can't move the site using a git hook. I would assume I don't want git to have sudo, nor would that work via a git hook, right? Is there something that will deploy the site faster than every minute? I don't want the operation to be very expensive.
Is there some kind of daemon root could run and listen for some kind of notification? Like having it watch a file's last modified time?
Note that this article (in French, translated through Google) reports that sudo works with your approach:
change sudo to allow the gitosis user to use this command as www-data.
To do this, by running "visudo" add the line:
git ALL = (www-data) NOPASSWD: /usr/local/bin/pullhere
Then, in each repository where necessary, add the next hook in a post-receive file:
sudo -u www-data /usr/local/bin/pullhere /html/u/user/here
eg in / home/git/repositories/projet1.git/hooks/post-receive
This might interest you if you're still looking at a way to perform automatic deploys after a git push:
https://github.com/JamesBrooks/git-runner (with the git-runner-deploy gem).
I have set up a git repository on my server. Created a new user 'git'. My repos are located in /srv/git/example.git. I was able to git remote add origin git#domain/srv/git/example.git then I added and committed my changes.
However when I tried git push origin master it failed on:
fatal: unable to create temporary file: permission denied' and 'fatal: sha1 file write error: invalid argument'
On the server I ran:
sudo chown -R git:git /srv/git/`
This fixed my problem but I am wondering if this was the correct thing to do?
On the server I ran sudo chown -R git:git /srv/git/ - this fixed my problem but I am wondering if this was the correct thing to do?
Absolutely. The problem previously was that the git user, who you're logging in as via SSH, could not write to the repository.
Depending on your needs, you may consider different combinations of users and SSH keys, or one of the many additional programs (gitolite etc) that can be used to more finely control access.
First, fix file permissions in your remote .git dir e.g.
sudo chmod -R ug+w /var/www/.git
sudo chown -R git:git /var/www/.git
or root:root if you want to assign members of root group for push access.
Then git repository on the destination host needs to be set as shared, so the following command on remote needs to be run:
git config core.sharedRepository group