Git hooks (githook)

From the linux中国网 wiki

Roles

The test setup uses three machines in total, with the following roles:
pc (commits code, my Debian machine) 192.168.1.158
git server (gogs)  120.76.209.8
game  120.76.247.53   user mgame

pc (git client)

Nothing special here: the following command is what triggers the hook.
git push origin master 

ssh-keygen -C "test git key";
#ssh-keygen -f gitpull   -C "test git key"

game 120.76.247.53

 #adduser "$1"  #echo "$2" | passwd "$1" --stdin
useradd mgame ; echo "ops#$%e24@125" |passwd mgame --stdin #evan1234

su - mgame

 Generate the key:
 ssh-keygen  -C  "git key"

 # This can be generated in advance

[root@game .ssh]# cat /home/mgame/.ssh/wrapper.sh;
#!/bin/bash
# This is the script that gets invoked. The flow is simple: ssh in with key authentication and, on the remote side,
# cd into the relevant directory and run git pull.
#cat /home/mgame/.ssh/wrapper.sh  this key can only be associated with this command

#example: ssh -i key [email protected] website
#~/.ssh/authorized_keys  on server   the git server has only the hook and the matching key, nothing else

#command="~/.ssh/wrapper.sh",no-port-forwarding,no-x11-

# website root directory
documentroot=/data/www
# get the command sent over SSH
args="$SSH_ORIGINAL_COMMAND"
[ -z "$args" ] && echo "args is none" && exit 1

# update
updatesite(){
    [ "$#" -ne 1 ] && echo "error args num" && exit 1
    local www="$1"
    local wwwroot="/data/www/$www"
    #local wwwroot=${documentroot}/$www

    [ ! -d "${wwwroot}" ] && echo -e "\033[31m更新失败,网站不存在:\033[0m\033[33m$www\033[0m" && exit 1
    #cd $wwwroot && git pull
    cd "$wwwroot" && sudo git pull
    sudo chown -R www:www "$wwwroot"
}
echo -e "updatesite: \033[32m$args\033[0m"
updatesite $args

chmod +x /home/mgame/.ssh/wrapper.sh
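
wrapper.sh builds the directory for "sudo git pull" and "sudo chown -R" straight from SSH_ORIGINAL_COMMAND, so whoever holds the gitpull key chooses that path. The following is an added example, not part of the original page: resolve_site is a hypothetical helper that accepts only a plain site name resolving to a checkout directly under the document root, and the demo tree is constructed in a temporary directory.

```bash
#!/bin/bash
# Added example, not the page's wrapper.sh. resolve_site is a hypothetical helper.
export LC_ALL=C   # make the [A-Za-z0-9] ranges below ASCII-only

# resolve_site DOCROOT REQUEST
# Prints the canonical site directory and returns 0 only when REQUEST is one
# plain name that resolves to a git checkout directly under DOCROOT.
resolve_site() {
    local docroot="$1" request="$2" real_root real_site

    # One token of [A-Za-z0-9._-] that starts with a letter or digit.
    # Rejects "", "a b", "../x", "/etc", "-x", "a;id", "*" and embedded newlines.
    case "$request" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac

    # Canonicalise both paths so a symlink inside DOCROOT cannot lead outside it.
    real_root=$(cd -- "$docroot" 2>/dev/null && pwd -P) || return 1
    real_site=$(cd -- "$docroot/$request" 2>/dev/null && pwd -P) || return 1
    [ "${real_site%/*}" = "$real_root" ] || return 1

    # Extra check (assumption of this example): only pull into an existing checkout.
    [ -d "$real_site/.git" ] || return 1
    printf '%s\n' "$real_site"
}

# Constructed demo tree: one checkout and one symlink that escapes the root.
# Nothing here touches /data/www or calls sudo.
demo=$(mktemp -d)
mkdir -p "$demo/www/a.com/.git" "$demo/outside/.git"
ln -s ../outside "$demo/www/evil"

for req in "a.com" "../outside" "evil" "a.com; id" "" "nosuch"; do
    if dir=$(resolve_site "$demo/www" "$req"); then
        echo "ACCEPT [$req] -> $dir"
    else
        echo "REJECT [$req]"
    fi
done
rm -rf "$demo"
```

In wrapper.sh the call would be wwwroot=$(resolve_site /data/www "$SSH_ORIGINAL_COMMAND") || exit 1, placed before the cd.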


 

 #  also on game vm 

 #game
 command="~/.ssh/wrapper.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 

 [mgame@iZwz9ct3cbrxx8f4og9nazZ .ssh]$ cat /home/mgame/.ssh/authorized_keys 

command="~/.ssh/wrapper.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwG9rdQ//94aIkejb6oGnb+R0IgXs11X11u9o2qbUqEoRDOYsS7Xlx4chEgtWquOMcjLWqzPw71DXaWIxdVxmY3/bQIc8FHQuT5FfjES35qsz7wml/gQJGuadxJ2MuR/auamj6JZgmBy5vwyJ+cSSx= test git key

 
[root@-web-01 ~]# cat /root/.ssh/config 
host gitserver_web
     user git
     hostname 120.76.209.8
     port 22
     identityfile ~/.ssh/gitpull
[root@-web-01 ~]# cat /root/.ssh/gitpull


#[email protected]:evan/mygit.git
git clone gitserver_web:evan/mygit.git a.com 

ssh -i ~/.ssh/gitpull mgame@${Host} "${Website}"

sudo: sorry, you must have a tty to run sudo
sudo: sorry, you must have a tty to run sudo

Solution
[root@web-01 ~]# cat /etc/sudoers.d/mgame 
Defaults   !visiblepw
Defaults:mgame   !requiretty
mgame ALL=(ALL)   ALL
mgame ALL=NOPASSWD: /usr/bin/git
mgame ALL=NOPASSWD: /bin/chown 

 
#echo 'mgame  ALL=(ALL) NOPASSWD:NOPASSWD:ALL' >/etc/sudoers.d/mgame

chmod -R 700 .ssh/
cd /home/mgame/.ssh
chmod  600 authorized_keys 

 

 

Q:

 remote: error: cannot open .git/FETCH_HEAD: Permission denied

A:

 It can be set to false:

filemode = true, or use sudo

 

 ssh-keygen -f gitpull   -C "test git key"

git clone from game runs as the git user because the pub key was placed in /home/git/.ssh/authorized_keys on gogs.


## Test the connection between the git client and the git server

# Remember to try this later on the game machine as the root user (mark 20170519)
# This one succeeded
[root@aweb1 ~]# ssh  gitserver_web
PTY allocation request failed on channel 0
Hi there, You've successfully authenticated, but Gogs does not provide shell access.
If this is unexpected, please log in with password and setup Gogs under another user.
Connection to 4.88.14.10 closed.

git server (gogs)

# single quotes, so the shell does not expand $evan2 inside the password
useradd git  ; echo 'dopsgit#$evan2@1' |passwd git --stdin

Add a private key:
[root@dk-server .ssh]# cat /home/git/.ssh/gitpull

-----BEGIN RSA PRIVATE KEY-----

chmod 600 /home/git/.ssh/gitpull

Add the hook in the web interface

1. Open the repository you want to configure --> top right, Repository Settings --> Manage Git Hooks --> post-receive -->
#!/bin/sh
#
# An example hook script for the "post-receive" event.
#
# The "post-receive" script is run after receive-pack has accepted a pack
# and the repository has been updated.  It is passed arguments in through
# stdin in the form
#  <oldrev> <newrev> <refname>
# For example:
#  aa453216d1b3e49e7f6f98441fa56946ddcd6a20 68f7abf4e6f922807889f52bc043ecd31b79f814 refs/heads/master
#
# see contrib/hooks/ for a sample, or uncomment the next line and
# rename the file to "post-receive".

#. /usr/share/git-core/contrib/hooks/post-receive-email



# read standard input (<oldrev> <newrev> <refname>); new hook for gzweb1 and gzweb2
read oldrev newrev refname
branch="${refname#refs/heads/}"
 
# host address and site directory; the Website directory is the same as before
Host="192.168.1.119"
Website=a.com
 
# the master branch updates the production environment
#for Host in ${Hosts}
#do
    if [ "$branch" = "master" ]; then
        echo -e "start host: \033[33m${Host}\033[0m"
        ssh -i ~/.ssh/gitpull "mgame@${Host}" "${Website}"
        echo -e "end host: \033[33m${Host}\033[0m"
    fi
#done
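
The hook above reads one line from stdin, but a single push can update several refs and can also delete a branch. As an added example (not part of the original page; deploy_wanted is a hypothetical helper, and the push lines other than the sample from the hook comment are constructed), this checks every line, matches the full ref name and skips deletions:

```bash
#!/bin/bash
# Added example, not the page's hook. deploy_wanted is a hypothetical helper.

# deploy_wanted BRANCH
# Reads post-receive lines "<oldrev> <newrev> <refname>" on stdin and returns 0
# when at least one of them moves refs/heads/BRANCH to a real commit.
deploy_wanted() {
    local want="refs/heads/$1" found=1 oldrev newrev refname
    while read -r oldrev newrev refname; do
        # Compare the whole ref: refs/heads/feature/master and
        # refs/tags/master both end in "master" but are not the branch.
        [ "$refname" = "$want" ] || continue
        # An all-zero newrev means the branch was deleted: nothing to pull.
        case "$newrev" in
            *[!0]*) found=0 ;;
        esac
    done
    return "$found"
}

# Constructed pushes: a and b are the sample hashes from the hook comment,
# z is the all-zero id git uses for "no commit".
a=aa453216d1b3e49e7f6f98441fa56946ddcd6a20
b=68f7abf4e6f922807889f52bc043ecd31b79f814
z=0000000000000000000000000000000000000000

if printf '%s\n' "$z $b refs/tags/v1" "$a $b refs/heads/master" | deploy_wanted master; then
    echo "push 1: deploy"
fi
if ! printf '%s\n' "$a $b refs/heads/feature/master" "$a $z refs/heads/master" | deploy_wanted master; then
    echo "push 2: no deploy"
fi
```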

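This is the pub key under the root directory on game.

 

Repository Settings --> Manage Deploy Keys: add the pub key (game, mgame pubkey)

Do not use this one, its permissions are too broad: Account Settings --> Manage SSH Keys --> -->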

 

cat /home/git/.ssh/authorized_keys

 git clone gitserver_web:shi/e.com.git a.com

 

Q:

ssh -i ~/.ssh/gitpull mgame@${Host} "${Website}"

sudo: sorry, you must have a tty to run sudo

 

A: [root@01 ~]# cat /etc/sudoers.d/mgame
Defaults   !visiblepw
Defaults:dkmgame   !requiretty
dkmgame ALL=(ALL)   ALL
dkmgame ALL=NOPASSWD: /usr/bin/git
dkmgame ALL=NOPASSWD: /bin/chown 

#
## Wrong key file specified

[root@ ~]# cat ~/.ssh/gitpull
cat: /root/.ssh/gitpull: 没有那个文件或目录


Problem 1
evan@evanpc:~/test/mygit$ git push
Username for 'http://120.7.0.64:3000': evan
Password for 'http://[email protected]:3000':
对象计数中: 2, 完成.
Delta compression using up to 4 threads.
压缩对象中: 100% (2/2), 完成.
写入对象中: 100% (2/2), 281 bytes | 0 bytes/s, 完成.
Total 2 (delta 0), reused 0 (delta 0)
remote: start host: 120.76.209.8
remote: bash: a.com: command not found
remote: end host: 120.76.209.8
To http://120.77.0.64:3000/evan/mygit.git
   5b4c2b6..f8aced1  master -> master

Solution

The key in dkmgame's ~/.ssh/authorized_keys may only run the git-related command:

command="~/.ssh/wrapper.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa




 
username=evan
grep -q git /etc/sudoers.d/${username} || cat >> /etc/sudoers.d/${username} << EOF
Defaults   !visiblepw
Defaults:${username}   !requiretty
${username} ALL=NOPASSWD: /usr/bin/git
EOF



Finally, test the hook
 on gogs 
 
 su - git 
Host="36.89.169.4"
Website=cron

ssh -i ~/.ssh/pull mgame@${Host} "${Website}"
 
 ssh_exchange_identification: Connection closed by remote host

On the git client, add the gogs IP.

 

Error handling

1.

[root@aweb1 test]# git clone itserver_web:huang/sgame.com.git  sdk-admin.yahgame
Initialized empty Git repository in /data/evan/test/sdk-admin.yahgame/.git/
ssh_exchange_identification: Connection closed by remote host
fatal: The remote end hung up unexpectedly

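This message is the typical sign that tcp_wrapper is configured to refuse ssh logins from your IP.


2. Host key verification failed

If the automatic push then fails, run the hook file once as the git user.

Sometimes the key may simply not work on a virtual machine; I have run into this, and switching to a different virtual machine fixed it. 20170314pm


3. bad owner

Changing gitserver_abroad to gitserver fixed it.

  1. A colleague changed the config file to 600:root, and after that it kept reporting bad owner or similar.

Solution: chown -R root:root /root/.ssh/config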

4 clone Connection closed by remote host

[root@]#  git clone gitserver:ops/yah_cron.git  cron 

Initialized empty Git repository in ydd_cron/.git/
ssh_exchange_identification: Connection closed by remote host


Solution: sshd:git_client_ip