With a repository hosted on GitLab, pulling the code over SSH requires establishing SSH trust between the two machines. If a web system (PHP) is used to drive git, that trust has to be established between the user the PHP process runs as and the GitLab machine. Establishing trust between two machine users is easy, but establishing SSH trust for the PHP process user ran into some problems. This involves the concepts of Linux users and permissions; in truth, it reflects an insufficient understanding of Linux.
Establishing SSH key trust between two machines is simple and takes two steps.
1. Generate the SSH key
ssh-keygen -t rsa -C "$your_email"
View the SSH key:
cat ~/.ssh/id_rsa.pub
Copy the content to add the SSH key to the GitLab system.
2. Add the SSH key in the GitLab web interface
But the problem is:
Now a PHP web system is built on machine A. It is the code release system; in short, the code is pulled through the system. At this point PHP runs as the nobody process user (it can of course be set to another user), while the trust established earlier belongs to the root user, so the operation fails.
Next, create an SSH key for the nobody user as well, and this is where the problems start.
View the PHP process user
First, look at which user the PHP process runs as, in two ways:
The first way: view the php-fpm.conf configuration
First use the find command to locate the file:
[root@localhost home]# find / -name php-fpm.conf
/usr/local/php-5.6.23/etc/php-fpm.conf
[root@localhost home]# vim /usr/local/php-5.6.23/etc/php-fpm.conf
The contents are as follows:
[www]
user = nobody
group = nobody
listen = 9000
The second way: use the ps command to view the running PHP processes
Use the command:
[root@localhost home]# ps aux | grep php
As shown in the figure:
Problems with switching to the nobody user
To create an SSH key under the nobody user, switch to the nobody user first.
Use the command:
su - nobody
But it prints:
[root@localhost ~]# su - nobody
This account is currently not available.
"This account is currently not available." What the hell!
Open the Linux /etc/passwd file.
As shown in the figure:
Look at the nobody row. The home path is /home/nobody; the original path was /, and it was changed because a home directory has to be created. To be able to switch users with su - nobody, the login shell at the end of the row, /sbin/nologin, is temporarily changed to /bin/bash.
Create the home directory for the nobody user and set the directory's owner to nobody, operating with the root account:
mkdir /home/nobody
chown nobody:nobody /home/nobody
Note: the owner must be set to nobody.
Information found on the web:
The nologin command can be used to politely refuse a user login to the system while giving a message. If you try to log in as such a user, a record is added to the log and then the message is printed on the terminal, which is what happened here. Accounts set up this way are generally service accounts: they are only used to start a service and cannot log in to the system.
Run the SSH key creation command; if it complains that the .ssh directory does not exist or similar, just create it with mkdir.
Now use su - nobody to switch to the nobody user and run the SSH key creation command, as shown in the figure:
As the figure shows, nobody's SSH key has been created. Use the cat ~/.ssh/id_rsa.pub command to view the public key and copy it into the GitLab web interface to add it.
Test whether the SSH trust is established
Directly in a directory of the nobody user, use git clone to see whether the code can be pulled.
I was relieved to see this step.
Then run the pull from the website's admin interface; it works.
Finally, don't forget to change the shell path in /etc/passwd back to /sbin/nologin.
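The whole procedure above (find the php-fpm user, give it a home directory and an SSH key, then put the login shell back) can be done without ever editing /etc/passwd: su accepts an explicit shell with -s, so an account whose shell is /sbin/nologin can still run a single command as that user. The script below is an added example, not from the original post; it assumes a php-fpm.conf path given on the command line, GNU stat, an RSA key, and a user whose home directory has already been set to something other than /. The config parsing and the permission check are plain functions, so they can be tried on a constructed config and passwd file without root.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root to set up the key:
#   sh setup-fpm-ssh.sh setup /usr/local/php-5.6.23/etc/php-fpm.conf
# (the php-fpm.conf path is taken from the post's find output; the script name is assumed)

# Print the pool user from a php-fpm config ("user = nobody"), ignoring ';' comment lines.
fpm_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1
}

# Print field $2 (6 = home directory, 7 = login shell) of user $1 from a
# passwd-format file ($3, default /etc/passwd). Prints nothing if the user is absent.
passwd_field() {
    awk -F: -v u="$1" -v f="$2" '$1 == u { print $f; exit }' "${3:-/etc/passwd}"
}

# Return 0 when an .ssh directory is mode 700 and every private key in it is mode 600
# (ssh refuses a private key that other users can read). GNU stat is assumed.
ssh_dir_ok() {
    dir=$1
    [ "$(stat -c %a "$dir")" = 700 ] || return 1
    for key in "$dir"/id_*; do
        case $key in *.pub) continue ;; esac
        [ -f "$key" ] || continue
        [ "$(stat -c %a "$key")" = 600 ] || return 1
    done
    return 0
}

# Create the home directory and an RSA key *as* the service user. "su -s /bin/sh"
# supplies the shell for this one command only, so the account keeps /sbin/nologin
# in /etc/passwd and never becomes a login account, even temporarily.
make_key_as_user() {
    user=$1
    home=$(passwd_field "$user" 6)
    case $home in
        ''|/) echo "refusing: $user has home '$home'; give it a real home directory first" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    chown "$user" "$home" "$home/.ssh"
    chmod 700 "$home/.ssh"
    su -s /bin/sh -c "ssh-keygen -q -t rsa -b 4096 -N '' -f '$home/.ssh/id_rsa'" "$user"
    ssh_dir_ok "$home/.ssh" || { echo "key permissions are wrong" >&2; return 1; }
    echo "public key to add in GitLab:"
    cat "$home/.ssh/id_rsa.pub"
}

# Only perform the setup when asked to, so the functions can also be sourced on their own.
if [ "${1:-}" = setup ] && [ -n "${2:-}" ]; then
    make_key_as_user "$(fpm_user "$2")"
fi
```

After the key is added in GitLab, the same trick serves for the test step: `su -s /bin/sh -c 'git clone git@gitlab.example.com:group/app.git /tmp/clone-test' nobody` (hostname and project are placeholders) exercises exactly the key, home directory and known_hosts file that php-fpm's worker will use, which an interactive test as root does not.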
In addition, a word on how the code release system works: it executes Linux commands through PHP's exec function, and can equally run git/svn commands. An operation in the admin interface is really PHP performing these operations, so the key is to solve the various permission issues.
For example, a method for executing a command (PHP):
    final public function runLocalCommand($command) {
        $command = trim($command);
        $status = 1;
        $log = '';
        // run the command, capturing stderr together with stdout
        exec($command . ' 2>&1', $log, $status);
        // the command that was executed
        $this->command = $command;
        // execution status (the exit code is 0 on success)
        $this->status = !$status;
        // operation log
        $log = implode(PHP_EOL, $log);
        $this->log = trim($log);
        return $this->status;
    }
Like the git operations:
    public function updateRepo($branch = 'master', $gitDir = null) {
        $gitDir = $gitDir ?: Project::getDeployFromDir();
        $dotGit = rtrim($gitDir, '/') . '/.git';
        $cmd = [];
        // the .git directory exists, so pull directly
        if (file_exists($dotGit)) {
            $cmd[] = sprintf('cd %s', $gitDir);
            $cmd[] = sprintf('/usr/bin/env git checkout -q %s', $branch);
            $cmd[] = sprintf('/usr/bin/env git fetch -q --all');
            $cmd[] = sprintf('/usr/bin/env git reset -q --hard origin/%s', $branch);
            $command = join(' && ', $cmd);
            return $this->runLocalCommand($command);
        }
        // it does not exist, so clone first
        else {
            $cmd[] = sprintf('mkdir -p %s', $gitDir);
            $cmd[] = sprintf('cd %s', $gitDir);
            $cmd[] = sprintf('/usr/bin/env git clone -q %s .', $this->getConfig()->repo_url);
            $cmd[] = sprintf('/usr/bin/env git checkout -q %s', $branch);
            $command = join(' && ', $cmd);
            return $this->runLocalCommand($command);
        }
    }
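One caveat a reviewer would raise about updateRepo(): it assembles a single shell string with sprintf() and hands it to exec(), which runs the string through /bin/sh -c. The branch name and directory are substituted without quoting, so any shell metacharacter in them (a semicolon, an ampersand, a space) changes what the shell executes, and a branch beginning with "-" is read by git as an option. On the PHP side the fix is to pass every substituted value through escapeshellarg(). A second layer is to stop composing commands at all and call a fixed script with separate arguments, as in the added example below, which is not part of the original post or of the deployment tool it quotes. The script path, the use of git -C instead of cd, and the branch-name rules are assumptions; the PHP caller would look like exec('/usr/local/bin/deploy-pull.sh update ' . escapeshellarg($gitDir) . ' ' . escapeshellarg($branch) . ' ' . escapeshellarg($repoUrl), $log, $status).

```shell
#!/bin/sh
# Added example, not part of the original post or the deployment tool it quotes.
# Usage (the PHP side passes escapeshellarg()'d arguments; the path is assumed):
#   /usr/local/bin/deploy-pull.sh update /var/www/deploy/app master git@gitlab.example.com:group/app.git
set -eu

# Accept only a conservative subset of valid git branch names: letters, digits,
# '.', '_', '-' and '/'; no leading '-' (git would read it as an option), no
# leading '.', no '..', no empty or trailing path component.
valid_branch() {
    case $1 in
        ''|-*|.*|*..*|*/|*/.*|*//*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._/-]+$'
}

# The deploy directory must be absolute and must not climb upward with "..".
valid_dir() {
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *..*) return 1 ;;
    esac
    return 0
}

# Same steps as the page's updateRepo(): update in place when .git exists,
# otherwise clone first. Every value is a separate, quoted argument and
# "git -C" replaces "cd", so no shell string is ever assembled from the inputs.
update_repo() {
    dir=$1 branch=$2 url=$3
    valid_dir "$dir"       || { echo "refusing directory: $dir" >&2; return 2; }
    valid_branch "$branch" || { echo "refusing branch: $branch" >&2; return 2; }
    if [ -d "$dir/.git" ]; then
        git -C "$dir" checkout -q "$branch"
        git -C "$dir" fetch -q --all
        git -C "$dir" reset -q --hard "origin/$branch"
    else
        mkdir -p "$dir"
        git clone -q -- "$url" "$dir"
        git -C "$dir" checkout -q "$branch"
    fi
}

# Dispatch only when invoked with a subcommand, so the functions can be sourced alone.
case ${1:-} in
    update) shift; update_repo "$@" ;;
esac
```

The two layers do different jobs: escapeshellarg() on the PHP side keeps each argument intact on its way through sh -c, while the validation inside the script rejects values that would arrive intact but still be dangerous to git or to the filesystem (option-like branch names, relative or climbing directories). Neither replaces the other, and the script still has to run as the php-fpm user whose SSH key was registered in GitLab.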
It seems that you need to know more about Linux system users.