Versi terupdate dari postingan yang ini. Alasan harus update: di versi sebelumnya masih memanfaatkan git-ftp, dan kalaupun tanpa git-ftp masih dengan asumsi direktori tujuan di server adalah git repository; problemnya, ketika ada file baru yang tidak di-tracking, repo menjadi dirty. Di versi ini ada proses penapisan sehingga hanya file yang berubah saja yang diunggah, lalu menjalankan composer install. Selain itu, karena servernya berbasis CWP, agar lebih aman digunakan fitur jailkit sehingga user deploy hanya bisa mengakses lingkungannya sendiri. Berikut ini langkah-langkahnya:
- install jailkit ke server dan edit /etc/jailkit/jk_init.ini (baris yang diawali # adalah komentar):
[uidbasics]
# this section probably needs adjustment on 64bit systems
# or non-Linux systems
comment = common files for all jails that need user/group information
# the "*" glob characters below were lost when this page was rendered; restored
paths = /lib/libnsl.so.*, /lib64/libnsl.so.*, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/i386-linux-gnu/libnsl.so.*, /lib/i386-linux-gnu/libnss*.so.2, /lib/x86_64-linux-gnu/libnsl.so.*, /lib/x86_64-linux-gnu/libnss*.so.2, /lib/arm-linux-gnueabihf/libnss*.so.2, /lib/arm-linux-gnueabihf/libnsl.so.*, /etc/nsswitch.conf, /etc/ld.so.conf
# Solaris needs
# paths = /etc/default/nss, /lib/libnsl.so.1, /usr/lib/nss_*.so.1, /etc/nsswitch.conf
[netbasics]
comment = common files for all jails that need any internet connectivity
paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/libnss_mdns*.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols, /etc/services
# on Solaris devices /dev/udp and /dev/tcp might be needed too, not sure
[logbasics]
comment = timezone information and log sockets
paths = /etc/localtime
need_logsocket = 1
# Solaris does not need logsocket
# but needs
# devices = /dev/log, /dev/conslog
[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
includesections = uidbasics, logbasics
[limitedshell]
comment = alias for jk_lsh
includesections = jk_lsh
[cvs]
comment = Concurrent Versions System
paths = cvs
devices = /dev/null
[git]
comment = Fast Version Control System
paths = /usr/bin/git*, /usr/lib/git-core, /usr/bin/basename, /bin/uname, /usr/bin/pager
includesections = editors, perl
[scp]
comment = ssh secure copy
paths = scp
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
[sftp]
comment = ssh secure ftp
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server, /usr/lib/openssh/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
# on solaris
# paths = /usr/lib/ssh/sftp-server
[ssh]
comment = ssh secure shell
paths = ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty, /dev/null
[rsync]
paths = rsync
includesections = netbasics, uidbasics
[procmail]
comment = procmail mail delivery
paths = procmail, /bin/sh
devices = /dev/null
[basicshell]
comment = bash based shell with several basic utilities
paths = /bin/sh, bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep, false, fgrep, grep, gunzip, gzip, 7z, unzip, ln, ls, mkdir, mktemp, more, mv, pwd, rm, rmdir, sed, sh, sleep, sync, tar, touch, true, uncompress, zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
users = root
groups = root
includesections = uidbasics
[interactiveshell]
comment = for ssh access to a full shell
includesections = uidbasics, basicshell, terminfo, editors, extendedshell
[midnightcommander]
comment = Midnight Commander
paths = mc, mcedit, mcview, /usr/share/mc
includesections = basicshell, terminfo
[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
paths = awk, bzip2, bunzip2, ldd, less, clear, cut, du, find, head, less, md5sum, nice, sort, tac, tail, tr, sort, wc, watch, whoami
includesections = basicshell, midnightcommander, editors
[terminfo]
comment = terminfo databases, required for example for ncurses or vim
paths = /etc/terminfo, /usr/share/terminfo, /lib/terminfo
[editors]
comment = vim, joe and nano
includesections = terminfo
paths = joe, nano, vi, vim, /etc/vimrc, /etc/joe, /usr/share/vim
[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
paths = wget, lynx, ftp, host, rsync, smbclient
includesections = netbasics, ssh, sftp, scp
[apacheutils]
comment = htpasswd utility
paths = htpasswd
[extshellplusnet]
comment = alias for extendedshell + netutils + apacheutils
includesections = extendedshell, netutils, apacheutils
[openvpn]
comment = jail for the openvpn daemon
paths = /usr/sbin/openvpn
users = root,nobody
groups = root,nogroup
includesections = netbasics
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1
[apache]
comment = the apache webserver, very basic setup, probably too limited for you
paths = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics
[perl]
comment = the perl interpreter and libraries
paths = perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
[xauth]
comment = getting X authentication to work
paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
[xclients]
comment = minimal files for X clients
paths = /usr/X11R6/lib/X11/rgb.txt
includesections = xauth
[vncserver]
comment = the VNC server program
paths = Xvnc, Xrealvnc, /usr/X11R6/lib/X11/fonts/
includesections = xclients
[ping]
comment = Ping program
paths_w_setuid = /bin/ping
[xterm]
comment = xterm
paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
[php]
comment = the php interpreter and libraries
# NOTE(review): make sure these match the PHP binaries actually installed on
# the CWP host (check with `which php` before running jk_init). jk_init does
# not seem to fail hard on a path that does not exist (verify its output), so
# a wrong list leaves composer inside the jail without an interpreter.
executables = /usr/bin/php,/usr/bin/php5.6,/usr/bin/php7.0,/usr/bin/php7.1
directories = /usr/lib/php, /usr/share/php, /usr/share/php5, /etc/php, /usr/share/php-geshi, /usr/share/zoneinfo, /etc/snmp, /usr/share/snmp
includesections = env
[env]
comment = environment variables
executables = /usr/bin/env
[mysql-client]
comment = mysql client
executables = /usr/bin/mysql, /usr/bin/mysqldump
paths = /usr/lib/libmysqlclient.so
[drush]
comment = drush (drupal command line)
executables = /usr/local/bin/drush
includesections = php, mysql-client, uidbasics, netbasics
directories = /etc/ssl/certs, /usr/share/ca-certificates
[composer]
comment = composer
executables = /usr/local/bin/composer
includesections = php, uidbasics, netbasics
# NOTE(review): composer talks HTTPS to packagist; [drush] above copies the CA
# store into its jail, and this section should do the same. If composer reports
# certificate errors inside the jail, this is the fix, not disabling TLS
# verification. Adjust the paths to where the CWP host keeps its CA bundle.
directories = /etc/ssl/certs, /usr/share/ca-certificates
- Jalankan
jk_init -j /home/jail/USER basicshell netutils editors composer php
Catatan: netutils ikut menyalin wget, lynx, ftp, host, rsync, dan smbclient, serta ssh, sftp, dan scp ke dalam jail (lihat bagian [netutils] di atas), dan editors pun tidak dibutuhkan oleh user CI. Pipeline di bawah hanya memerlukan shell dasar, scp (OpenSSH versi baru menjalankan scp lewat protokol SFTP, jadi sftp-server di dalam jail juga perlu ada), php, dan composer. Agar hak akses user deploy seminimal mungkin, cukup: jk_init -j /home/jail/USER basicshell scp sftp composer php
- Desain gitlab-ci.yaml yang untung sekali dibantu dengan chatGPT
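stages:
  - deploy

variables:
  PROJECT_PATH: "/path/to/project"
  # Full history is needed: HEAD is diffed against whatever commit the server
  # reports as last deployed, which may be older than the runner's default
  # shallow clone. With a shallow clone that diff failed, the failure was
  # swallowed as "no changes", and the deploy marker was still advanced.
  GIT_DEPTH: "0"

# Required CI variables (set them as protected and masked): SSH_PRIVATE_KEY,
# SSH_USER, SSH_HOST, and SSH_KNOWN_HOSTS (the server's known_hosts line,
# e.g. the output of `ssh-keyscan -H HOST`, checked once out of band).
deploy:
  stage: deploy
  # Two pipelines deploying at once would read and overwrite each other's
  # marker on the server; run deploys one at a time.
  resource_group: deploy
  before_script:
    # git-ftp is no longer used by this job, so it is not installed.
    - 'which ssh-agent || (apk add --update openssh-client git)'
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    # Pin the host key. Running ssh-keyscan on every pipeline trusts whatever
    # key answers at that moment, so it is kept only as a warned fallback.
    - |
      if [ -n "${SSH_KNOWN_HOSTS:-}" ]; then
        printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
      else
        echo "WARNING: SSH_KNOWN_HOSTS is not set; accepting the host key reported by ssh-keyscan"
        ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts
      fi
    - chmod 644 ~/.ssh/known_hosts
  script:
    - |
      set -eu
      REMOTE="$SSH_USER@$SSH_HOST"
      # Marker file name kept for compatibility with servers deployed by the
      # previous version. If PROJECT_PATH is the web root, make sure the web
      # server does not serve dotfiles.
      MARKER="$PROJECT_PATH/.git-ftp.log"
      TAB="$(printf '\t')"

      # Repository paths are spliced into remote shell commands and scp
      # targets, so only a conservative character set is accepted; anything
      # else aborts the deploy instead of being guessed at with quoting.
      check_path() {
        case "$1" in
          ''|*[!A-Za-z0-9._/@+=,-]*)
            echo "Refusing to deploy path with unsafe characters: '$1'"
            exit 1
            ;;
        esac
      }

      # Copy one tracked file to the same relative path under PROJECT_PATH.
      upload() {
        check_path "$1"
        DIR_PATH=$(dirname "$1")
        echo "Uploading $1..."
        ssh -n "$REMOTE" "mkdir -p \"$PROJECT_PATH/$DIR_PATH\""
        scp "$1" "$REMOTE:$PROJECT_PATH/$1"
      }

      echo "Fetching last deployed commit..."
      # The marker comes from the server, so treat it as untrusted before it
      # reaches git: it must be a 40-hex commit id that exists in this clone.
      # No marker means a first deploy: diff against the empty tree so every
      # tracked file is uploaded as an addition instead of uploading nothing.
      LAST_DEPLOYED=$(ssh -n "$REMOTE" "cat \"$MARKER\" 2>/dev/null || true")
      if [ -z "$LAST_DEPLOYED" ]; then
        echo "No deploy marker on the server; deploying the full tree"
        LAST_DEPLOYED=$(git hash-object -t tree /dev/null)
      else
        case "$LAST_DEPLOYED" in
          *[!0-9a-f]*)
            echo "Deploy marker on the server is not a commit id: '$LAST_DEPLOYED'"
            exit 1
            ;;
        esac
        if [ "${#LAST_DEPLOYED}" -ne 40 ]; then
          echo "Deploy marker on the server is not a commit id: '$LAST_DEPLOYED'"
          exit 1
        fi
        if ! git cat-file -e "$LAST_DEPLOYED"; then
          echo "Last deployed commit $LAST_DEPLOYED is not in this clone (GIT_DEPTH must be 0)"
          exit 1
        fi
      fi
      CURRENT_COMMIT=$(git rev-parse HEAD)
      echo "Last deployed: $LAST_DEPLOYED"
      echo "Current commit: $CURRENT_COMMIT"

      # --name-status prints "STATUS<TAB>path[<TAB>newpath]"; splitting on the
      # tab keeps the path intact. A failing diff aborts the job (set -e)
      # rather than being treated as "no changes".
      CHANGED_FILES=$(git diff --name-status "$LAST_DEPLOYED" "$CURRENT_COMMIT")
      if [ -z "$CHANGED_FILES" ]; then
        echo "No changes to upload."
      else
        echo "Changed files:"
        echo "$CHANGED_FILES"
        # ssh -n inside the loop: otherwise ssh would swallow the rest of
        # the here-document that the loop is reading.
        while IFS="$TAB" read -r STATUS FILE NEW_FILE; do
          [ -n "$STATUS" ] || continue
          case "$STATUS" in
            A|M|T)
              upload "$FILE"
              ;;
            D)
              check_path "$FILE"
              echo "Deleting $FILE..."
              # git only reports files, so no recursive delete is needed.
              ssh -n "$REMOTE" "rm -f \"$PROJECT_PATH/$FILE\""
              ;;
            R*)
              check_path "$FILE"
              check_path "$NEW_FILE"
              NEW_DIR_PATH=$(dirname "$NEW_FILE")
              echo "Moving $FILE to $NEW_FILE..."
              ssh -n "$REMOTE" "mkdir -p \"$PROJECT_PATH/$NEW_DIR_PATH\" && mv \"$PROJECT_PATH/$FILE\" \"$PROJECT_PATH/$NEW_FILE\""
              # Anything but R100 is a rename plus edit: the moved copy on
              # the server still has the old content, so upload the new one.
              [ "$STATUS" = "R100" ] || upload "$NEW_FILE"
              ;;
            C*)
              upload "$NEW_FILE"
              ;;
            *)
              echo "Unhandled status '$STATUS' for $FILE; aborting so the deploy marker is not advanced"
              exit 1
              ;;
          esac
        done <<EOF
      $CHANGED_FILES
      EOF
      fi

      # composer.lock must be committed; without it, install resolves fresh
      # versions on the server. Run it before advancing the marker so a
      # failure here makes the next pipeline retry the same change set.
      ssh -n "$REMOTE" "cd \"$PROJECT_PATH\" && composer install --no-dev --no-interaction --optimize-autoloader"
      printf '%s\n' "$CURRENT_COMMIT" | ssh "$REMOTE" "cat > \"$MARKER\""
  only:
    - main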