I am wondering if anyone has a better strategy for this scenario.
I am currently hosting my own remote git repo on the same box as the webserver.
All git repos are under the git user.
sudo -uwww-data -gwww-data git --git-dir=/var/www/website/.git --work-tree=/var/www/website pull
I have a cron job running as root every minute that executes this command. The git repo in the web folder is cloned from the same box to git's home dir where it's stored instead of through ssh.
So my question: Since git doesn't own the web files, it can't move the site using a git hook. I would assume I don't want git to have sudo, nor would that work via a git hook, right? Is there something that will deploy the site faster than every minute? I don't want the operation to be very expensive.
Is there some kind of daemon root could run and listen for some kind of notification? Like having it watch a file's last modified time?
Note that this article (in French, translated through Google) reports that sudo works with your approach:
change sudo to allow the gitosis user to use this command as www-data.
To do this, by running "visudo" add the line:
git ALL = (www-data) NOPASSWD: /usr/local/bin/pullhere
Then, in each repository where necessary, add the next hook in a post-receive file:
sudo -u www-data /usr/local/bin/pullhere /html/u/user/here
eg in / home/git/repositories/projet1.git/hooks/post-receive
This might interest you if you're still looking at a way to perform automatic deploys after a git push:
https://github.com/JamesBrooks/git-runner (with the git-runner-deploy gem).
Related
The title is general, but I have more specific questions. I am deep in a permissions nightmare trying to set up a "push-to-deploy" system using Git.
From my local machine, I push by SSH to the server (Ubuntu 14.04). I have the server set up as the remote
git remote add development devuser#development.server:/home/dummyuser/bare/repo.git
This bare repository is within the home folder of a dummy user dummyuser that we use to handle deployment tasks. devuser is my own account on the development server.
I have a post-receive hook set up within the remote repository (development.server:/home/dummyuser/bare/repo.git/hooks/post-receive) that's intended to deploy files via git checkout to a web server directory on the same server, call it webfolder/. That folder currently has permissions
drwxr-xr-x dummyuser www-data webfolder/
where www-data is the group associated with the Apache user.
If I have the post-receive hook script use the command
git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
I get errors that it can't write to webfolder/, which is predictable since I assume the script is running as me (devuser) since I did the instigating push via SSH, and devuser doesn't have any permissions on webfolder/.
However, if I change the script to act as dummyuser,
sudo -u dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
just to see what happens, I have the error
warning: unable to access '/home/devuser/.config/git/attributes': Permission denied
There's a couple of things I don't understand about this:
1) Neither /home/devuser/.config/ nor /home/dummyuser/.config/ exist. That's fine, but if Git needs to access a .config/ folder, why wasn't it complaining before when I was setting up bare repos and executing hooks as devuser?
2) Now that I'm trying to act as dummyuser, why is Git looking in ~devuser/ for a .config/ folder? Why isn't it looking in ~dummyuser/?
I've been working on this tiny slice of one single problem in the maddening shitshow that is "using Git" for coming up on four hours now, and my brain is fuzzy, so please use small words.
The problem is something involving sudo -u dummyuser not setting the environment variables that Git expects. If I add HOME=/home/dummyuser to the post-receive hook, the deployment works as expected.
If anyone can provide more details about what's happening or a better solution, write it as an answer and I'll accept it. Couple of notes:
dummyuser doesn't have a login, so using sudo -iu dummyuser in the post-receive script won't work
After setting HOME=/home/dummyuser manually and successfully executing the script, I find that echo $HOME from the terminal returns /home/devuser, so there's no permanent change to $HOME
After successfully executing the hook script, neither ~devuser/ nor ~dummyuser/ nor /root/ have a .config/ folder. So... I still have no idea why Git was hung up on it.
Git expects a .config folder in the user's home directory. If $HOME isn't set correctly, e.g. if it points to a different user's home, Git will try to access $HOME/.config, not knowing that it actually doesn't even exist. However, since the user, and thus Git, doesn't have access to that $HOME, you will receive an error saying Permission denied.
To test that, try to run as dummyuser:
[ -d /home/devuser/.config ] && echo '.config exists!'
You're trying to test if the directory /home/devuser/.config exists. However, since you don't have the needed permissions, you get Permission denied, and you still don't know whether the directory exists or not.
Instead of setting $HOME manually, you could possibly use -H or --set-home:
sudo -Hu dummyuser git --work-tree=/var/www/webfolder --git-dir=/home/dummyuser/bare/repo.git checkout -f
I have a Git repository on Bitbucket named "foo-apps". I have a Linux web server with a local clone of this repository, and I want this server's associated Apache web page to do some Git commands with this repository, such as git pull and git checkout, via a Bash script. The problem is, only the user "foo" has permission to associate with the "foo-apps" repository, and the web page runs as the Apache user, "www-data".
It seems that www-data can do git log and some other commands on the local repository, but not the git pull or the git checkout command. (Just so you know my system: I have an HTML file that contains JavaScript, which contains an AJAX request, which calls a PHP file, which calls my Bash script, which has the Git commands in it.)
What are some ways that I can successfully get those Git commands to work when the process is triggered by the web interface? I am not opposed to any working suggestions, even if they include a complete overhaul of my system... however, I would like to have the simplest effective solution with what I've already got.
Here are some ideas I've thought of and tried out a bit. None of them seem to work, but keep in mind that I've only "half tried" them as I didn't have confidence I was using preferred methods:
Giving www-data permission on my Bitbucket repository
Giving Apache access to foo's ssh keys
Somehow switching to user foo in the script, like with sudo, su, etc.. (I think this type of thinking is more along the lines of what I want... I don't have a lot of control over the settings of the Bitbucket repository. I am fine putting a password in a script, too.)
This web server is on a closed network, and security is not a very high concern for me.
I don't know if it's useful, but here are some of the main Git related errors I've received when trying these methods:
error: cannot open .git/FETCH_HEAD: Permission denied
fatal: BUG: get_tempfile_fd() called for inactive object
/usr/bin/git: /usr/bin/git: cannot execute binary file
I found the answer on this page (thanks odyniec).
I had to add this line to the /etc/sudoers file:
www-data ALL=(foo) NOPASSWD: /var/www/html/my_bash_script.sh
This let Apache have the permission to run that specific script I wanted. And then from my PHP file, instead of running
shell_exec("/var/www/html/my_bash_script.sh");
I had to run
shell_exec("sudo -u foo /var/www/html/my_bash_script.sh");
This answer seems secure and simple.
SOLUTION BELOW - How to use git to push to cpanel server
I finally got somewhere with setting up Git between my localhost (WAMP setup on Windows 8.1) and my Linux server (CentOS 6.6 x64 with cPanel 11.46.2).
Locally I created a bare clone: git clone --bare my_project my_project.git
NOTE: my_project is an example name, not the real name, and from this doc here: http://git-scm.com/book/en/v2/Git-on-the-Server-Getting-Git-on-a-Server
I copied the my_project.git folder to my server's root directory /home/myuser/public_html/
so now in the root directory I have:
cgi-bin
my_project.git
This is one area I am unsure of. Do I have to do an init (using putty) on my server in the public_html directory? I read something about a bare init? I just want to push (from my PC) the website I already have under Git control, to the server. When I make a change to 1 file, push that change to the server so it's updated live with a push. The website is DONE and ready to be live. I have already manually moved back and forth for live testing on the server. My last step is to get the Git setup correctly, so any further changes I can just push them to the server without the need of FTP.
I added a remote origin: git remote add origin ssh://myuser#thedomain.com/home/myuser/public_html/my_project.git
I tried to push to it, and got "Permission denied (publickey)". I already had an id_rsa and id_rsa.pub key locally on my PC, so I copied them and renamed them to id_rsa.myname id_rsa.myname.pub (where myname is my first name). I then copied them to the .ssh folder through FTP (FTP as cpanel user, and it's the directory your dumped into, above public_html), same as /home/myuser/.ssh/ directory.
Once they where there, I added them to 'authorized_keys' using Putty logged in as the cpanel user (my private ppk) by doing:
cd .ssh
cat id_rsa.myname >> ~/.ssh/authorized_keys
cat id_rsa.myname.pub >> ~/.ssh/authorized_keys
After doing that, a push appeared to work. Because I was having a key/auth issue, I used Git Gui version, which was setup and worked fine locally. I added the origins through Git Bash though. When I did "Remote > Push" in the Gui version, I got:
Pushing to ssh://theregistrybank#theregistrybank.com/home/theregistrybank/public_html/yiire gistrybank.git
stdin: is not a tty
To ssh://myuser#thedomain.com/home/myuser/public_html/my_project.git
44ae034..0388a05 master -> master
updating local tracking ref 'refs/remotes/origin/master'
Before doing the push, the only file modified (diff from the bare clone I transferred to the server) was my .gitignore file. I added 2 more exclusions to it, and committed it locally. So I was trying to push the change in that file. After I did the push, it said "success" in green and appeared to work. However, when I check the file in FileZilla, the .gitignore file is not the updated one that I just committed locally.
I think I am close, but missed a step somewhere. I tried to be as descriptive as possible.
And putting the source on GitHub is not an option as the client does not want the source public, and does not want to pay for the private repos. I should be able to push from my local setup to the cPanel server so I don't have to transfer thousands of files every time. I actually transfer a zip file, and unzip on the server lol.
Server Info
cPanel 11.46.2 build 0
CentOS 6.6 x86_64 kvm build01
Yes, Git is setup on the server, and working, and git --version reports:git version 1.7.1
Git on my PC: git version 1.9.4.msysgit.2
Thank you in advance.
SOLUTION
Thanks to #VonC I was able to get this to work :)
You need somewhere for your git repo to sit. I created a 'git-repos' folder in '/home/cpaneluser/git-repos' to house my repos for this cpanel user.
First step is to create a bare repo: http://git-scm.com/book/en/v2/Git-on-the-Server-Getting-Git-on-a-Server - I only followed the first step, basically created the bare repo 'my-project.git'
Before putting it on your server, rename 'my-project.git/hooks/post-receive.sample' to just 'post-receive' so it will be ran. Edit it with your editor, and add the line that #VonC gave us in his chosen answer:
#!/bin/sh
umask 0022
GIT_WORK_TREE=/home/cpaneluser/public_html GIT_DIR=/home/cpaneluser/git-repos/my-project.git git checkout -f
Note: I am using cpanel, so your path's may be different, and your umask could be different. 0022 is for 0644 file permissions. Without the umask, I was getting 500 Internal Server Errors, because the files were created with 0664 permissions instead.
Using FTP or whatever you like, copy the 'my-project.git' bare repo to your server to '/home/cpaneluser/git-repos'. Then go into 'my-project.git/hooks' and change the permissions of post-receive to have execute permissions. For me, 0744 worked fine. This was the magic sauce :)
Locally, add your remote (must be in your git project): git remote set-url origin ssh://cpaneluser#yourdomain.com/home/cpaneluser/git-repos/my-project.git
Now if you try to push now, it won't put the files in 'public_html' because the git tree (terminology?) matches and is up to date. If they are up to date, it seems to skip over executing your 'post-receive' hook. That means your bash script never ran, and it never checked out the files to your working tree.
We need to manually run the 'post-receive' bash script to create all the files of our project in the 'public_html' directory.
cd to '/home/cpaneluser/git-repos/my-project.git/hooks'
Run: ./post-receive
Boom, all your files are in 'public_html'. Now you can work locally, then push to your cpanel server as expected :)
I had a similar problem with my cPanel account, git was set up but for some reason I couldn't push to it. After a lot of head-banging I realized that the root of the problem is like you pointed out that although git is set up, the repo is empty so there's nothing for it to track.
This happens when you set up an empty repo in cPanel and then try pushing a local repo that you've already created, as opposed to cloning it first from github or your local repo (which is what happened to me because for some reason I couldn't access my github from the cPanel git interface even though I had set up a SSH key)
The simple solution that I found is to manually clone the repo using the terminal in your cPanel account
On your cPanel dashboard, under the "advanced" section, you'll find the terminal. You'll get a warning saying that you could mess up your server if you don't know what you're doing, click ok and you're in.
Now you just have to clone your repo the same way you would if you're cloning onto a local machine.
Navigate to where git was set up in your cPanel
cd repositories/<nameOfYourRepo>
And run the clone command
git clone <URLofYourGithubReop>
You'll be asked for your github username and password if it's a private repository
And that's it, you're good to go
What you have copied (my_project.git) is a bare repo, meaning one without a working tree (the actual checked out files).
Read for instance "Git workflow - Setting up a build process".
That means pushing to if won't change anything in /home/myuser/public_html/
The missing piece is a post-receive hook (in /home/myuser/public_html/my_project.git/hooks/post-receive, make sure it is executable: chmod +x), in order to checkout the repo in /home/myuser/public_html/.
#!/bin/sh
GIT_WORK_TREE=/home/myuser/public_html GIT_DIR=/home/myuser/public_html/my_project.git git checkout -f
I use a mercurial repository for global configuration. The system config files are linked to /opt/config which is a hg repo owned by root.
I d like all users to be able to update settings from repo i.e. to call hg pull -u in /opt/config
I tried to create the following script
# -rwsr-x--x 1 root users 343 Mar 15 14:10 /bin/update_config
#! /bin/bash
cd /opt/config
hg pull -u
(Pay attention, the s-bit is set) . In this case, hg does not read the settings from /root/.hgrc which contain the HTTP login parameter (user cannot does not know the parameters)
even if I do export HOME=/root the hgrc file is not read.
How should I change my script to make it possible?
EDIT
It seems to be a general permission problem. I use sles11. The line touch /root/bla does not work in this script, why?
Mercurial being a distributed versioning system, it seems to me that you are not using it correctly. If users are required to modify the repository, every user should handle its own repository and then configure it to push into your desired location (/opt/config). Hence, the mercurial workflow will handle the merge problems. If they are only consumers of the repository, you should either 1) create a cron entry to update it automatically or 2) use a continuous integration system like Jenkins or TeamCity that will automatically update the repository when something is pushed to it.
If you still want to realize what you asked, you should look into the sudo command for this purpose. Make the /opt/config ownership to a new passwordless user, configure sudo to allow the switch to this user without password and make the configuration only in ~theuser/.hgrc . This will make it easier to maintain (only a single .hgrc to handle).
Can I create with git files owned by root without using root to push?
I use git user to push on the webserver. But /var/www is owned by root or www-data with no write access for other user.
I can pull in an other directory and use "hook/post-receive" but still this hook is executed with the git user...
For the moment I log in the webserver and do a sudo git pull origin. But it will be more efficient if I was hable to do a git pull server from my laptop.
Thanks
Just putting my comment here as answer, since as far as I know, it will completely fix the problem:
Make a symlink in /var/www to a map owned by the git user (e.g. /home/git/www). Then push your files to this /home/git/www map. No problems with permissions anymore.
My solution was to give all files to git by way of the www-pub group with read permission for everyone—except settings files with the MySQL password.
I push to /home/git/repository/project and checkout to /var/www/project using hook/post-receive.