可可尼 posted on 2022-7-30 18:08:00

Automatically deploying PHP code with Gitee webhooks

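<p>First, log in to your Gitee account and open the Settings page (hover over your avatar in the top-right corner and choose Settings from the drop-down menu).</p>
<p>Click SSH Public Keys, then generate a key pair on the server (generating it as root is fine for now; this will need to change later):</p>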
<div class="cnblogs_code">
<pre>ssh-keygen -t rsa -C "xx@xx.com"</pre>
</div>
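<p>Here xx@xx.com is the login e-mail of your Gitee account. Press Enter three times and a key pair, id_rsa and id_rsa.pub, is generated under ~/.ssh/. Open the public key file id_rsa.pub, copy its entire contents, paste them into the SSH Public Keys page on Gitee, and confirm.</p>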
<p><img src="https://img2022.cnblogs.com/blog/469423/202208/469423-20220801113754859-704954471.png"></p>
<p>The title can be ignored; it is generated automatically. Then run this command on the server:</p>
<div class="cnblogs_code">
<pre>ssh -T git@gitee.com</pre>
</div>
<p>The following response indicates success:</p>
<p>Hi&nbsp;nickname! You've successfully authenticated, but GITEE.COM does not provide shell access.</p>
<p>You can now change to the web root directory and clone the code over SSH:</p>
<div class="cnblogs_code">
<pre>git clone git@gitee.com:xx/xx.git</pre>
</div>
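<p>Once all the code has been cloned, give the www user permission to pull. Automated website deployment runs as the www user, not as root, so root's .ssh directory has to be copied to the www user's home directory:</p>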
<div class="cnblogs_code">
<pre>cd /home/www
cp -aR ~/.ssh .</pre>
</div>
<p>After copying, change the owner of this directory and everything in it to www:www; otherwise the www user has no right to use these files:</p>
<div class="cnblogs_code">
<pre>chown -R www:www .ssh/</pre>
</div>
<p>No further chmod is needed here, but make sure the private key file generated earlier has mode 600; otherwise pulling the code will fail.</p>
<p>Then write the hook method:</p>
<div class="cnblogs_code">
<pre>// Only accept requests from the expected source IP range
if (substr($_SERVER['REMOTE_ADDR'], 0, 10) != '106.13.250') {
    echo '非法IP:' . $_SERVER['REMOTE_ADDR'];
    exit(0);
}
// Read the request parameters
//$headers = getallheaders();
$body = json_decode(file_get_contents("php://input"), true);
// Hook password
$password = 'pwd';
// Check that the push was to the master branch
if (!isset($body['ref']) || $body['ref'] !== 'refs/heads/master') {
    echo '非主分支' . ($body['ref'] ?? '');
    exit(0);
}
// Check that the submitted password is correct (constant-time comparison)
if (!isset($body['password']) || !is_string($body['password']) || !hash_equals($password, $body['password'])) {
    echo '密码错误';
    exit(0);
}
// Validation passed: pull the code
// $path comes from the request body, so pull() must not pass it to a shell unchecked
$path = $body['project']['path'] ?? '';
$result = $this-&gt;pull('git_pull', $path); // pseudocode: calls the Node.js API
echo 'git pull执行结果:' . $result;</pre>
</div>
<p>Copy the full URL of the hook method into the project's WebHook address. If you now push a commit as a test, you may run into the following problem:</p>
<h4 id="articleContentId" class="title-article">insufficient permission for adding an object to repository database ./objects</h4>
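<p>This happens because the files in the project's .git directory are not owned by www:www. To fix it, run chown -R www:www .git in the project root.</p>
<p>Note: after generating the key pair on the server and binding the public key on Gitee, copy the .ssh directory to /home/www, change its owner to www:www, and make sure the files inside have mode 600.</p>
<p>You could also use PHP's shell_exec function to run git pull and sync the code, but that requires unlocking the function in php.ini, which carries some security risk.</p>
<p>Instead, PHP can act as a front-line filter (for example, the IP check on the target server and the hook password). Once validation passes, it calls a Node.js API, which uses Node's exec to run an sh file that does the cd and the git pull. This is considerably safer.</p>
<p>The author uses Koa, a currently popular Node.js framework, and triggers execution through a RESTful API. Note that running shell commands requires installing a specific package, and that shell use must not be arbitrary: for example, do not cd into an arbitrary directory to run commands; only run py or sh scripts located under the project root.</p>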
<div class="cnblogs_code">
<pre>cnpm i --save child-process-promise</pre>
</div>
<p>Code:</p>
<div class="cnblogs_code">
<pre>const { exec } = require('child-process-promise');
// Inside an async function (for example a Koa route handler):
const { stdout, stderr } = await exec('sh a.sh');</pre>
</div>
<p>Shell script:</p>
<div class="cnblogs_code">
<pre>#!/bin/sh
echo "git pull:"
# Stop if the project directory is missing, so git never runs elsewhere
cd /home/www/xx || exit 1
git pull 2&gt;&amp;1
chown -R www:www /home/www/xx</pre>
</div>
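<p>The rule above (run only fixed scripts, never a command built from the request) can be enforced on the Node.js side as follows. This is an added example, not code from the original post; <code>DEPLOY_SCRIPTS</code>, the <code>deploy.sh</code> path and the function names are assumptions, and it uses Node's built-in <code>child_process.execFile</code> instead of child-process-promise.</p>

```javascript
// Added example: names, paths and secrets here are constructed placeholders.
const crypto = require('crypto');
const { execFile } = require('child_process');

// Fixed map from the webhook's project.path to a deploy script.
// Nothing taken from the request is ever interpolated into a command line.
const DEPLOY_SCRIPTS = new Map([
  ['xx', '/home/www/xx/deploy.sh'], // hypothetical script location
]);

// Constant-time comparison of the hook password.
// Hashing both sides first gives timingSafeEqual equal-length buffers.
function passwordMatches(supplied, expected) {
  if (typeof supplied !== 'string') return false;
  const a = crypto.createHash('sha256').update(supplied).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns the script to run, or null when the request must be rejected.
function resolveDeployScript(body, expectedPassword) {
  if (body === null || typeof body !== 'object') return null;
  if (body.ref !== 'refs/heads/master') return null;
  if (!passwordMatches(body.password, expectedPassword)) return null;
  const project = body.project && body.project.path;
  if (typeof project !== 'string') return null;
  // Unknown names, including ones carrying shell metacharacters, map to null.
  return DEPLOY_SCRIPTS.get(project) || null;
}

// Runs the script without an intermediate shell parsing a command string.
// `run` is injectable so the function can be exercised without executing anything.
function runDeploy(script, run = execFile) {
  return new Promise((resolve, reject) => {
    run('/bin/sh', [script], { timeout: 60000 }, (err, stdout, stderr) =>
      (err ? reject(err) : resolve({ stdout, stderr })));
  });
}
```

<p>In a Koa handler, call <code>resolveDeployScript(ctx.request.body, secret)</code> first and return an error response when it yields <code>null</code>; only a non-null result is passed to <code>runDeploy</code>.</p>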
Source: https://www.cnblogs.com/cx850116/p/16535526.html