Creating Auditable Development Environments with Git

Ricardo Coelho

November 29, 2013

Transcript

  3. Roles

  4. Safety vs. Security

  5. Accountability

  6. git-scm.com/docs

  7. code-squad.com

  8. Workflows
    centralized, feature-branch, gitflow, forking

  9. New Project
    Example

  10. Development
    $ mkdir -p ~/Projects/myapp
    $ cd ~/Projects/myapp
    $ git init
    $ git add *
    $ git commit -m "It's alive"

  11. Clone URL

  12. Development
    $ cd ~/Projects/myapp
    $ git remote add origin ssh://[email protected]/you/myapp
    $ git push origin master

  13. The code is on the cloud

  14. Server
    Fixing the Environment
    $ sudo mkdir -p /var/projects/myapp
    $ sudo adduser deploy
    $ sudo chown -R deploy /var/projects
    $ cd /var/projects/
    $ git clone ssh://[email protected]/you/myapp
    NO!
    $ sudo -u deploy -s

  15. Server
    Create a deploy key
    $ sudo -u deploy -s
    $ ssh-keygen
    $ cat /home/deploy/.ssh/id_rsa.pub
    ssh-rsa AAAA…
    …nmX1 [email protected]

  16. Deploy Keys on GitHub
    youtu.be/_5fYdib_tvw

  17. Deploy Keys on BitBucket
    youtu.be/DDPtYYze-aw

  18. Server
    Making it accessible
    $ cd /var/www
    $ sudo ln -s /var/projects/myapp/public myapp
    http://server.com.br/myapp

  19. Update Flow
    $ git push origin master
    $ git pull origin master

  20. Update Flow
    $ git pull origin master
    Let’s make this run automatically

  21. !
    Clone
    Code
    Commit
    Push

  22. We need a deploy URL
    1. http://myserver.com/deploy.php?what=myapp
    2. http://myserver.com/deploy/myapp (url rewrite)
    3. http://myserver.com/deploy/myapp (link)
    NICE!

  23. We need a deploy URL
    http://myserver.com/deploy/myapp
    Looks nice to me

  24. Server
    Fixing the Deploy
    $ sudo mkdir -p /var/projects/deploy
    $ cd /var/www
    $ sudo ln -s /var/projects/deploy
    $ cd /var/projects/deploy/
    $ sudo ln -s . myapp
    $ sudo vi index.php
    $ sudo ln -s . other-app

  25. Server
    http://myserver.com/deploy/myapp
    index.php
    <?php
    $uri = explode('/', $_SERVER['REQUEST_URI']);
    $deploy_what = $uri[2];              // "myapp" for /deploy/myapp
    $output = `git pull origin master`;  // runs as the web server user
    echo '' . $output . '';

  26. Server
    index.php runs as user www-data
    who cannot write in /var/projects
    we have to switch user and do the pull
    but… wait…
    sudo

  27. What’s wrong with sudo
    Asks for a password. We want it unattended.
    Great power == great responsibility
    Respect it, but don’t fear it

  28. How do we solve it
    Allow it to run without a password
    But only for a specific script, so it’s safe
    /etc/sudoers
    www-data ALL = (deploy) NOPASSWD: /opt/deployer/deploy.sh
    this guy runs on those pcs as this user without password, only this

  29. Server
    http://myserver.com/deploy/myapp
    index.php
    <?php
    $uri = explode('/', $_SERVER['REQUEST_URI']);
    $deploy_what = $uri[2] ?? '';
    // escapeshellarg() keeps the URL segment a single literal argument to the script
    $output = shell_exec('sudo -u deploy /opt/deployer/deploy.sh ' . escapeshellarg($deploy_what));
    echo '' . $output . '';

  30. Server
    /opt/deployer/deploy.sh
    #!/bin/bash
    # Pull the project named in $1; anything not listed is refused.
    case "$1" in
      myapp)
        cd /var/projects/myapp || exit 1
        /usr/bin/git pull origin master 2>&1
        ;;
      other-app)
        cd /var/projects/some_other_dir || exit 1
        /usr/bin/git pull origin master 2>&1
        ;;
      *)
        echo "unknown project" >&2
        exit 1
        ;;
    esac

  31. Hook on GitHub
    youtu.be/E4zJ3AUxSmI

  32. Hook on BitBucket
    youtu.be/_lpXmQdsxe4

  33. Development
    $ cd ~/Projects/myapp
    $ git commit -a -m "This will auto-update"
    $ git push origin master

    hook
    git pull
    updated

  34. Review
    Create a deploy user, give him SSH keys
    Add the keys to the repository as deploy keys
    Create a script to git pull your project
    Allow www-data to sudo the script as deploy
    Create a deploy application to run the script
    Add the hook to the repository
    Code, commit and push

  35. Thank You!
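
The index.php on slide 29 runs the deploy script for any request that reaches the URL. As an added example (not code from the deck), this version checks GitHub's X-Hub-Signature-256 HMAC over the request body and allow-lists the project name before calling the script; the secret file path and the PROJECTS list are assumptions.

```php
<?php
// Added example, not code from the deck. SECRET_FILE and PROJECTS are assumptions.
const SECRET_FILE = '/etc/deployer/webhook.secret'; // hypothetical; readable by www-data only
const PROJECTS = ['myapp', 'other-app'];            // names that deploy.sh handles

// True only when $header equals "sha256=" + HMAC-SHA256($body, $secret).
function signature_is_valid(string $body, string $header, string $secret): bool
{
    if ($secret === '' || strncmp($header, 'sha256=', 7) !== 0) {
        return false; // no secret configured, or header missing or malformed
    }
    $expected = 'sha256=' . hash_hmac('sha256', $body, $secret);
    return hash_equals($expected, $header); // constant-time comparison
}

// Project name from /deploy/<name>, or null when it is not allow-listed.
function requested_project(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    $parts = explode('/', is_string($path) ? $path : '');
    $name = $parts[2] ?? '';
    return in_array($name, PROJECTS, true) ? $name : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values for an offline check: php index.php
    $body = '{"ref":"refs/heads/master"}';
    $good = 'sha256=' . hash_hmac('sha256', $body, 'constructed-secret');
    var_dump(signature_is_valid($body, $good, 'constructed-secret'));
    var_dump(signature_is_valid($body . ' ', $good, 'constructed-secret'));
    var_dump(requested_project('/deploy/myapp'), requested_project('/deploy/x;y'));
    exit(0);
}

$body = (string) file_get_contents('php://input');
$header = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? '';
$secret = trim((string) @file_get_contents(SECRET_FILE));
$project = requested_project($_SERVER['REQUEST_URI'] ?? '');
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !signature_is_valid($body, $header, $secret)) {
    http_response_code(403);
    exit("forbidden\n");
}
if ($project === null) {
    http_response_code(404);
    exit("unknown project\n");
}
error_log('deploy project=' . $project . ' from=' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
header('Content-Type: text/plain');
echo shell_exec('sudo -u deploy /opt/deployer/deploy.sh ' . escapeshellarg($project) . ' 2>&1');
```

The same secret has to be entered in the repository's webhook settings, and the error_log line gives each deploy an entry that can be matched against the push that triggered it.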
