Linux: creating an ssh-key and building SSH trust for the PHP process user nobody

Source: Internet
Author: User
Tags: fpm, mkdir, sprintf, ssh, git clone

When a repository on GitLab is pulled over SSH, an SSH trust relationship has to exist between the two machines. Here the pull is driven from a web system written in PHP that calls git, so the trust has to be built between the user the PHP process runs as and the GitLab machine. Building trust between two ordinary machine users is easy; doing the same for the PHP process user ran into some problems, all of which come down to Linux users and permissions, in other words to not understanding Linux well enough.

Building ssh-key trust between two machines takes only two steps.

1. Generate an ssh-key

ssh-keygen -t rsa -C "$your_email"

View the public key:

cat ~/.ssh/id_rsa.pub

Copy its content and add it to GitLab.

2. Add the ssh-key in the GitLab web UI (the SSH Keys page of the profile settings)

But here is the problem:

Machine A now hosts a PHP web system, the code release system, whose job is to pull code through the web UI. PHP runs as the nobody process user (it can of course be configured to run as another user), while the trust built earlier belongs to root, so the pull from the web system fails.

So an ssh-key has to be created for the nobody user as well, and that is where the trouble starts.

View the PHP process user

First, find out which user the PHP process runs as; there are two ways.

The first way: look at the php-fpm.conf configuration

Use find to locate the file, then open it:

[root@localhost home]# find / -name php-fpm.conf
/usr/local/php-5.6.23/etc/php-fpm.conf
[root@localhost home]# vim /usr/local/php-5.6.23/etc/php-fpm.conf

The relevant pool section reads:

[www]
user = nobody
group = nobody
listen = 9000

The second way: use ps to look at the running PHP processes

[root@localhost home]# ps aux | grep php

The php-fpm master process runs as root; the pool worker processes, the ones that execute PHP code, are listed under the user from the pool configuration, here nobody.

Problems switching to the nobody user

To create an ssh-key under the nobody user, first switch to that user:

su - nobody

But the shell answers:

[root@localhost ~]# su - nobody
This account is currently not available.

"This account is currently not available." What on earth?

Open /etc/passwd and look at the nobody line. On CentOS it reads:

nobody:x:99:99:Nobody:/:/sbin/nologin

The home directory is / and the login shell is /sbin/nologin, which is what refuses the login. The home directory was changed to /home/nobody (the directory itself is created next), and to make su - nobody work the shell was temporarily changed from /sbin/nologin to /bin/bash; usermod -d /home/nobody -s /bin/bash nobody does the same as editing the file by hand. The shell change is actually avoidable: su -s /bin/bash - nobody switches with an explicit shell and leaves /etc/passwd alone. Either way the home directory must be set in /etc/passwd, because ssh looks up ~/.ssh through the passwd entry rather than $HOME, and a php-fpm worker has no $HOME to speak of.

Create the home directory for the nobody user and make nobody its owner, working as root:

mkdir /home/nobody
chown nobody:nobody /home/nobody

Note: the owner must be nobody, otherwise the user cannot create its own ~/.ssh directory.

From the documentation on nologin:

The nologin command politely refuses a login and prints a message. When such a user tries to log in, a record is added to the log and the message is printed on the terminal, which is exactly what happened above. Accounts like this are usually service accounts: they exist so a service can be started under them, not so anyone can log in.

When running the ssh-keygen command, if it complains that the .ssh directory does not exist, create it with mkdir (mode 700, owned by nobody).

Now use su - nobody to switch to the nobody user and run the ssh-keygen command. nobody's ssh-key is created; ssh-keygen sets the modes ssh insists on (700 for ~/.ssh, 600 for id_rsa), so do not loosen them afterwards. Use cat ~/.ssh/id_rsa.pub to view the public key and copy it into the GitLab web UI. Since this key lives on a web server under a shared account, prefer adding it as a read-only deploy key on the project rather than to a personal account, so the key cannot reach anything else.

Test whether the SSH trust is established

In a directory writable by the nobody user, run git clone as nobody and see whether the code can be pulled. The first connection asks you to confirm the GitLab host key; answer it here, as the nobody user, so the entry lands in /home/nobody/.ssh/known_hosts. A php-fpm worker has no terminal to answer that prompt and would fail with "Host key verification failed".

I was relieved to see this step succeed.

Then pull the code from the website's admin interface: it worked.

Finally, don't forget to change the shell in /etc/passwd back to /sbin/nologin (if you switched with su -s /bin/bash - nobody instead, there is nothing to revert). One more caveat: nobody is shared by other daemons on the system, so every one of them now holds a key to the repository; a dedicated deploy user for the php-fpm pool is the cleaner setup.
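The whole procedure above, collected into one script as an added example (this is not the post's own code): it provisions the key for the no-login service user without touching the shell in /etc/passwd, pins the GitLab host key so the php-fpm worker never sees the interactive prompt, checks the permissions ssh requires, and runs the same read-only test the post does by hand. The GitLab host name, the repository URL and the choice of an ed25519 key are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example; not from the original post. Provisions an SSH key for a
# no-login service account (the post's php-fpm user "nobody") without
# swapping /sbin/nologin for /bin/bash in /etc/passwd, pins the GitLab host
# key, and checks the permissions ssh insists on. Run as root:
#     sh provision-deploy-key.sh provision
# Assumed values, not taken from the post: GitLab host gitlab.example.com,
# a repository URL to test against, an ed25519 key instead of the post's rsa.
set -eu

SVC_USER=${SVC_USER:-nobody}
SVC_HOME=${SVC_HOME:-/home/nobody}
GIT_HOST=${GIT_HOST:-gitlab.example.com}
REPO_URL=${REPO_URL:-git@gitlab.example.com:group/project.git}
KEY=id_ed25519

# ~/.ssh must be 0700 and private keys 0600, or ssh skips the key with
# "UNPROTECTED PRIVATE KEY FILE". Pure mkdir/chmod, so it can run unprivileged
# against a scratch directory as well as against the real home.
prepare_ssh_dir() {
    dir=$1/.ssh
    mkdir -p "$dir"
    chmod 700 "$dir"
    for k in "$dir"/id_*; do
        [ -e "$k" ] || continue
        case $k in *.pub) continue ;; esac
        chmod 600 "$k"
    done
}

# Returns 0 when the directory and every private key have the modes above.
check_ssh_perms() {
    dir=$1/.ssh
    if [ -z "$(find "$dir" -prune -perm 0700)" ]; then
        echo "check: $dir is not mode 0700" >&2
        return 1
    fi
    bad=$(find "$dir" -name 'id_*' ! -name '*.pub' ! -perm 0600)
    if [ -n "$bad" ]; then
        echo "check: private key not mode 0600: $bad" >&2
        return 1
    fi
    return 0
}

provision_key() {
    mkdir -p "$SVC_HOME"
    prepare_ssh_dir "$SVC_HOME"
    chown -R "$SVC_USER:$SVC_USER" "$SVC_HOME"
    # ssh resolves ~ through the passwd entry (getpwuid), not $HOME, and
    # php-fpm clears the environment anyway: the home must be set in passwd.
    usermod -d "$SVC_HOME" "$SVC_USER"
    # Generate the key *as* the service user with an explicit shell; the
    # account keeps /sbin/nologin, so there is nothing to revert afterwards.
    su -s /bin/sh -c "ssh-keygen -q -t ed25519 -N '' -C '$SVC_USER@$(uname -n)' -f '$SVC_HOME/.ssh/$KEY'" "$SVC_USER"
    # Pin the server's host key now. A php-fpm worker has no terminal to answer
    # "Are you sure you want to continue connecting?", and without this entry
    # every clone fails with "Host key verification failed". This is trust on
    # first use: compare the fingerprint with the one the GitLab admin publishes.
    ssh-keyscan "$GIT_HOST" 2>/dev/null >> "$SVC_HOME/.ssh/known_hosts"
    grep -q "^$GIT_HOST " "$SVC_HOME/.ssh/known_hosts" \
        || { echo "no host key received from $GIT_HOST" >&2; return 1; }
    chown "$SVC_USER:$SVC_USER" "$SVC_HOME/.ssh/known_hosts"
    check_ssh_perms "$SVC_HOME"
    echo "Add this public key to GitLab (as a read-only deploy key on the project):"
    cat "$SVC_HOME/.ssh/$KEY.pub"
    # Same test the post does by hand, as a read-only query run as the service
    # user; it fails here, not in the web UI, while GitLab does not have the key.
    su -s /bin/sh -c "git ls-remote --exit-code '$REPO_URL' HEAD" "$SVC_USER" \
        && echo "ssh trust OK for $SVC_USER"
}

case ${1:-} in
    provision) provision_key ;;
    check)     check_ssh_perms "$SVC_HOME" ;;
esac
```

Run `sh provision-deploy-key.sh check` later whenever a clone from the web UI starts failing: a key that was copied or chmod-ed by hand is the usual cause, and the check names the offending file.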

As for how the code release system works: PHP runs Linux commands through its exec function, and in the same way it can run git or svn commands. An operation in the web UI is therefore really PHP executing these commands as the php-fpm user, so the crux is sorting out the permissions of that user.

For example, the method that runs a command:

final public function runLocalCommand($command)
{
    $command = trim($command);
    $status = 1;
    $log = '';
    // stderr is merged into stdout so the web UI shows both
    exec($command . ' 2>&1', $log, $status);
    // the command that was executed
    $this->command = $command;
    // exec() leaves the exit code in $status (0 on success), so negate it
    $this->status = !$status;
    // operation log
    $log = implode(PHP_EOL, $log);
    $this->log = trim($log);
    return $this->status;
}


And the git operations:

public function updateRepo($branch = 'master', $gitDir = null)
{
    $gitDir = $gitDir ?: Project::getDeployFromDir();
    $dotGit = rtrim($gitDir, '/') . '/.git';
    $cmd = [];
    // the .git directory exists: pull directly
    if (file_exists($dotGit)) {
        $cmd[] = sprintf('cd %s ', $gitDir);
        $cmd[] = sprintf('/usr/bin/env git checkout -q %s', $branch);
        $cmd[] = sprintf('/usr/bin/env git fetch -q --all');
        $cmd[] = sprintf('/usr/bin/env git reset -q --hard origin/%s', $branch);
        $command = join(' && ', $cmd);
        return $this->runLocalCommand($command);
    }
    // it does not exist: clone first, then check out the branch
    else {
        $cmd[] = sprintf('mkdir -p %s ', $gitDir);
        $cmd[] = sprintf('cd %s ', $gitDir);
        $cmd[] = sprintf('/usr/bin/env git clone -q %s . ', $this->getConfig()->repo_url);
        $cmd[] = sprintf('/usr/bin/env git checkout -q %s', $branch);
        $command = join(' && ', $cmd);
        return $this->runLocalCommand($command);
    }
}
It seems that one needs to know more about Linux system users. Note also what the code above does with its arguments: $branch and $gitDir are pasted into a shell command line with sprintf() and no escapeshellarg(), and the whole string is handed to exec(). Whatever reaches updateRepo() from the web UI is therefore run by the shell as the php-fpm user, so those values must be validated (or at least wrapped in escapeshellarg()) before they get here.
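One way to take that problem off the PHP side, as an added example that is not the release system's own code: a fixed-purpose wrapper script that PHP invokes with the directory and branch as separate, escaped arguments, and that refuses anything git or the shell would interpret before running the same fetch/reset sequence as updateRepo(). The release root /data/www, the install path of the script and the PHP call in the comment are assumptions.

```shell
#!/bin/sh
# Added example; not the release system's own code. A fixed-purpose wrapper
# that the PHP side calls instead of composing "cd X && git checkout Y" from
# request data: directory and branch arrive as arguments, are validated, and
# only then reach git. Assumed (not from the post): release root /data/www,
# script installed root-owned (not writable by the php-fpm user) and invoked as
#   exec('/usr/local/bin/update-repo ' . escapeshellarg($dir) . ' '
#        . escapeshellarg($branch) . ' ' . escapeshellarg($repoUrl) . ' 2>&1',
#        $log, $status);
# where $repoUrl comes from the project configuration, never from the request.
set -eu

DEPLOY_ROOT=${DEPLOY_ROOT:-/data/www}

# A branch name a deploy system needs: letters, digits, '.', '_', '-', '/'.
# Everything the shell or git would interpret is refused: a leading '-' (it
# would become a git option), "..", components starting with '.', a trailing
# '/' or '.lock', and any other character (';', '$', '`', space, ...).
valid_branch_name() {
    case $1 in
        ''|-*|.*|*..*|*/.*|*/|*.lock|*//*) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# The target must be an absolute path below DEPLOY_ROOT with no ".." in it.
valid_deploy_dir() {
    case $1 in
        *..*) return 1 ;;
        "$DEPLOY_ROOT"/?*) return 0 ;;
    esac
    return 1
}

# Same sequence as the release system's updateRepo(): fetch and hard-reset an
# existing checkout, otherwise clone first. git -C replaces cd, so no compound
# shell command is ever built.
update_repo() {
    dir=$1; branch=$2; url=$3
    valid_deploy_dir "$dir" || { echo "refusing directory: $dir" >&2; return 2; }
    valid_branch_name "$branch" || { echo "refusing branch: $branch" >&2; return 2; }
    if [ -d "$dir/.git" ]; then
        git -C "$dir" fetch -q --all
        git -C "$dir" checkout -q "$branch"
        git -C "$dir" reset -q --hard "origin/$branch"
    else
        mkdir -p "$dir"
        git clone -q "$url" "$dir"
        git -C "$dir" checkout -q "$branch"
    fi
}

if [ $# -gt 0 ]; then
    [ $# -eq 3 ] || { echo "usage: $0 DIR BRANCH REPO_URL" >&2; exit 64; }
    update_repo "$1" "$2" "$3"
fi
```

The PHP side keeps its runLocalCommand() unchanged; it only stops building the command from strings. Because the script is root-owned and the php-fpm user can only choose among arguments that pass the two checks, a malicious branch field in the web UI produces "refusing branch" in the deploy log instead of a shell command run as nobody.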
