Pitfall: the public key added to Gitee was root's, but the user that actually runs git pull is www.
Logged in to the server as root, generated a key pair, added the public key to Gitee and enabled it. Created a repository on Gitee, cloned it locally, edited the code and pushed it back. A WebHook then posts to the server, where the hook file runs git pull.
The pull kept failing with a permissions error.
Hook file (gitlab.php):
<?php
// PHP-FPM runs this file as the www user, so the git pull below runs as www
// and needs www's SSH key and known_hosts, not root's.

// Read the request
$headers = getallheaders(); // request headers (not used below)
$body = json_decode(file_get_contents("php://input"), true);
if (!is_array($body)) {
    http_response_code(400);
    echo 'bad request body';
    exit(0);
}

// WebHook password configured on Gitee (Gitee sends it in the JSON body)
$password = 'test';

// Only deploy pushes to master
if (!isset($body['ref']) || $body['ref'] !== 'refs/heads/master') {
    // $body is an array and cannot be concatenated onto a string; print the ref instead
    echo 'not the master branch: ' . ($body['ref'] ?? '(none)');
    exit(0);
}

// Check the WebHook password; hash_equals avoids a timing side channel
if (!isset($body['password']) || !is_string($body['password']) || !hash_equals($password, $body['password'])) {
    http_response_code(403);
    echo 'wrong password';
    exit(0);
}

// project.path comes straight from the request body, so it must not reach the
// shell unchecked: accept a single directory name only, and quote it.
$path = $body['project']['path'] ?? '';
if (!preg_match('/^[A-Za-z0-9_.-]+$/', $path) || $path === '.' || $path === '..') {
    http_response_code(400);
    echo 'invalid project path';
    exit(0);
}

// Verified: pull origin master
$user = shell_exec("whoami"); // shell_exec and exec must first be removed from PHP's disable_functions on the server
echo $user;                   // shows which user actually runs git pull (www here, not root)
$command = 'cd ' . escapeshellarg('/www/wwwroot/' . $path) . ' && pwd && git pull 2>&1';
$res = shell_exec($command);
var_dump($res); // print the result
Error:
"error: cannot open .git/FETCH_HEAD: Permission denied"
First attempt: give that file write permission, then change
git pull
to sudo git pull (the post had "sodu", a typo). The hook then printed:
Output:
"/www/wwwroot/test
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: no tty present and no askpass program specified"
So the problem is user permissions, not sudo: the hook runs the pull as www, while the shell login is root. Running git pull by hand as root works fine; only the hook is denied. (Pulling as root is also what leaves root-owned files such as .git/FETCH_HEAD in the checkout, which www then cannot write to.) Next the hook reported:
"Host key verification failed.fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists."
This is www's own ~/.ssh speaking: it has no known_hosts entry for gitee.com, and with no TTY ssh cannot ask whether to accept the host key, so it refuses the connection.
So switch from root to www: su - www
The server had been locked down earlier and www has no login shell, so change www:x:1000:1000::/home/www:/sbin/nologin
so that it ends in /bin/bash
and switch again. After switching, generate a new key pair as www and add its public key to Gitee. (A permanent shell is not actually required for this: su -s /bin/bash www runs a shell for www without touching /etc/passwd, so the nologin setting and the earlier hardening can stay in place.)
# www has no login shell, so the account is currently unavailable
[root@xxx ~]# su - www
Last login: Mon Nov 22 00:30:12 CST 2021 on pts/0
This account is currently not available.
# after changing the shell, su www (without "-") keeps /root as the working directory, which www cannot read
[root@xxx ~]# su www
[www@xxx root]$ ls
ls: cannot open directory .: Permission denied
# Permission denied (publickey): www has no key that Gitee knows about
[www@xxx test]$ git pull
The authenticity of host 'gitee.com (212.64.62.183)' can't be established.
ECDSA key fingerprint is SHA256:FQGC9Kn/eye1W8icdBgrQp+KkGYoFgbVr17bmjey0Wc.
ECDSA key fingerprint is MD5:27:e5:d3:f7:2a:9e:eb:6c:93:cd:1f:c1:47:a3:54:b1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gitee.com,212.64.62.183' (ECDSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
[www@xxx test]$ cd ~/.ssh/
[www@xxx .ssh]$ ls
known_hosts
[www@xxx .ssh]$ cat known_hosts
gitee.com,212.64.62.183 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMuEoYdx6to5oxR60IWj8uoe1aI0X1fKOHWOtLqTg1tsLT1iFwXV5JmFjU46EzeMBV/6EmI1uaRI6HiEPtPtJHE=
[www@xxx .ssh]$ ssh-keygen -t id_rsa -C "www@root.com"
unknown key type id_rsa
[www@xxx .ssh]$ ssh-keygen -C "www@root.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/www/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/www/.ssh/id_rsa.
Your public key has been saved in /home/www/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:eRDd0kEWu6yOVvqS2xGJ7fP4jirbGGIm0XFMuMXa1v8 www@root.com
The key's randomart image is:
+---[RSA 2048]----+
| o. .. +=o |
| .oo .o.o. |
| .=o.. .. |
| .ooo .= o . |
| . .. S.= o |
| . ooo |
| . + . +=. |
| + ..+=+ *E |
| o+==*o+ |
+----[SHA256]-----+
[www@xxx .ssh]$ ls
id_rsa id_rsa.pub known_hosts
[www@xxx .ssh]$ cat id_rsa.pub
ssh-rsa ... www@root.com # public key: this is what gets added to Gitee
[www@iZbp19n36uysr947rrddpaZ .ssh]$ ls
id_rsa id_rsa.pub known_hosts
After editing the code locally and running
git push origin master
the triggered hook runs git pull on the server.
It succeeded:
www # the current user, as printed by whoami
"/www/wwwroot/test
From gitee.com:gitlabstack/wuyoutuike
de7b10a..89dad46 master -> origin/master
Updating de7b10a..89dad46
Fast-forward
test.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)"
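The same fix, written down as a script rather than a sequence of manual steps (this is an added example, not code from the original post). The hook above both checks request data and builds a shell command from it, and the later part of the post shows how much of the failure came down to which user, key and known_hosts git was using. This POSIX sh script takes over the git side: the PHP hook calls it with the project name only, e.g. shell_exec('/usr/local/bin/deploy.sh ' . escapeshellarg($path) . ' 2>&1'), and the script refuses to run as anyone but www, validates the name before it touches the filesystem, and pins the key and host key through GIT_SSH_COMMAND so neither the root/www mix-up nor the missing known_hosts entry can recur. The www user and /www/wwwroot are from the post; /usr/local/bin/deploy.sh, /home/www/.ssh/id_rsa and /home/www/.ssh/known_hosts are assumed paths.

```shell
#!/bin/sh
# deploy.sh: pull a checkout under /www/wwwroot as the web user.
# Called by the hook with the project name as the only argument, so the hook
# never builds a shell command string from the request body itself.
# Added example, not from the original post. DEPLOY_KEY and KNOWN_HOSTS are
# assumed paths; the www user and /www/wwwroot are taken from the post.

WWW_ROOT="${WWW_ROOT:-/www/wwwroot}"
DEPLOY_USER="${DEPLOY_USER:-www}"
DEPLOY_KEY="${DEPLOY_KEY:-/home/www/.ssh/id_rsa}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/home/www/.ssh/known_hosts}"

# Accept a single directory name only: no slash, no "." or "..", no shell metacharacters.
valid_project_name() {
    case "$1" in
        ''|.|..|*/*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the real path of <root>/<name> if it is a git checkout that really lives
# under <root>. pwd -P follows symlinks, so a link pointing outside is rejected.
resolve_project_dir() {
    valid_project_name "$2" || return 1
    [ -d "$1/$2/.git" ] || return 1
    realroot=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    real=$(cd "$1/$2" 2>/dev/null && pwd -P) || return 1
    case "$real" in
        "$realroot"/*) printf '%s\n' "$real" ;;
        *) return 1 ;;
    esac
}

# ssh command for git: a fixed identity, a fixed known_hosts file, and no prompts.
# StrictHostKeyChecking=yes makes an unknown or changed gitee.com key fail the pull
# instead of being accepted; BatchMode=yes turns any would-be prompt into an error,
# which is what a hook with no TTY needs. (Key and known_hosts paths must not contain spaces.)
git_ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes -o BatchMode=yes' "$1" "$2"
}

deploy_project() {
    # A pull run as root leaves root-owned files (.git/FETCH_HEAD) that www cannot
    # write later, so refuse to run as anyone else.
    if [ "$(id -un)" != "$DEPLOY_USER" ]; then
        echo "deploy.sh must run as $DEPLOY_USER, not $(id -un)" >&2
        return 1
    fi
    dir=$(resolve_project_dir "$WWW_ROOT" "$1") || { echo "rejected project: $1" >&2; return 1; }
    GIT_SSH_COMMAND=$(git_ssh_command "$DEPLOY_KEY" "$KNOWN_HOSTS")
    export GIT_SSH_COMMAND
    ( cd "$dir" && git pull --ff-only origin master 2>&1 )
}

# One-time setup as root, without giving www a login shell (su -s chooses the
# shell for this command only, so /sbin/nologin can stay in /etc/passwd):
#   install -d -m 700 -o www -g www /home/www/.ssh
#   su -s /bin/sh www -c 'ssh-keygen -t rsa -b 4096 -f /home/www/.ssh/id_rsa -N ""'
#   ssh-keyscan gitee.com > /home/www/.ssh/known_hosts   # compare with the fingerprint Gitee publishes
#   chown www:www /home/www/.ssh/known_hosts
#   su -s /bin/sh www -c 'ssh -i /home/www/.ssh/id_rsa -o UserKnownHostsFile=/home/www/.ssh/known_hosts -T git@gitee.com'
# Then add /home/www/.ssh/id_rsa.pub to Gitee and enable it.

if [ $# -gt 0 ]; then
    deploy_project "$1"
fi
```

Keeping the validation in a separate function means the hook's only job is authentication; the script decides what a project name may look like and where it may resolve to, and every ssh option that previously depended on "whose home directory are we in" is spelled out explicitly.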
Points that may come up:
Generate a key on the server: ssh-keygen -t rsa -C "xxx@xx.com" (the -t argument is a key type such as rsa or ed25519, not a file name; ssh-keygen -t id_rsa fails with "unknown key type", as in the transcript above)
or simply ssh-keygen -C "xxx@xx.com" (RSA by default)
Verify the key from the server, as the same user the hook runs as: ssh -T git@gitee.com
On success it prints:
Hi Anonymous! You've successfully authenticated, but GITEE.COM does not provide shell access.
If git operations over SSH (git@gitee.com:xxx/xxx.git) fail with an access error,
the fix is to add the public key of the machine doing the git operation (the PC or the server, and on the server the user the operation runs as) to Gitee, deploy it and enable it!
C:\Users\DragonersLi\Desktop>git clone git@gitee.com:gitlabstack/xxx.git
Cloning into 'test'...
[session-58450d89] Auth error: Access deined: authorize failure.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.