Automated git pull with php on bitnami

Hi,

We have spent too many hours now trying to get an automated git pull to happen on our server.

What we are trying to accomplish: code in our local environment and push to our Gitlab server. The Gitlab server executes a webhook to a .php file that shall run a script updating our live server with the committed files.

The problem we have is that it never updates the files. We have tried a lot of things now and are starting to run out of ideas, so hopefully someone here can shed some light.

We are using this script https://gitlab.com/kpobococ/gitlab-webhook/blob/master/gitlab-webhook-push.php

Our folder structure is:

– prestashop
----- htdocs (project folder)
---------- .git
---------- gitlab-webhook-push.php
----- hooks
------------ gitlab-webhook-push.sh
------------ gitlab-webhook-push.log

We edit the .php file to point to the hooks folder and the .sh file to cd …/htdocs > /dev/null &
Running the webhook, the log gets updated but the git pull doesn’t seem to work. So the webhook seems to be correct.

If we use the command line on the server and run git pull, the files get pulled. So that would suggest that git is initialized correctly. But worth mentioning is that when we initialized and cloned we used the http URL instead of the ssh one, if that might be a problem? We have also cached the username and password on the server.

We are using Bitnami image for Gitlab server and a Bitnami Prestashop image for our “production” server. On our local machines we have downloaded a Bitnami Prestashop image.

Something worth mentioning is that our server already had files inside our project folder in which we initialized git, in case that can be a problem.

What we think the problem is, is permissions. The Apache user that runs the script is daemon. But we have given daemon full access to all files, and nothing.

But since we can’t get any error messages worth mentioning, it’s hard to know where the problem is.

So hopefully someone here can point us in the right direction or point out something we should have done differently in our setup that might cause problems.

Best Regards
Kalle

We solved this today by using SSH instead.

Hello. Can you please add a detailed solution? I also struggle to execute an actual git pull on the server automatically, but only AFTER the build process is done.

Hi,

Well I can certainly try. It was a bit tricky.

The big problem for us, I believe, was to give the Apache user permissions. In our case the Apache user was daemon and we had to generate an SSH key for that user and then add that key as a deployment key in our Gitlab project.

If you don’t know your Apache user, create a .php file, paste in this code and then open that .php file from the web browser:
<?php echo exec('whoami');

After that you can run these commands in the console to generate an SSH key.
sudo -u your_apache_user ssh-keygen -t rsa
Make sure that you just give an empty password for the key and then paste the SSH key into the deployment key.
After that we had to run a git pull from the console in order to add it to known_hosts:
sudo -u your_apache_user git pull

Then create a .php script. All we have for now in our webhook script is
<?php echo shell_exec("git pull origin master 2>&1");
The 2>&1 gives you output that will help you debug what is going wrong. This will make sure it only gets what’s new on our master branch.

Add a webhook in your Gitlab project for push events and add the URL of your .php script. Also make sure that the Apache user has permissions to change the files you are updating and accessing.

Hopefully that can help you get a step forward :).

1 Like

This all sounds reasonable and working. However, can we brainstorm a little bit? :slight_smile: I’ve already created a separate user for executing the php scripts because I was aware of this. But granting running privileges on anything to the built-in Apache user, I don’t think this is a good idea at all.

So I’ve created a 3rd user and modified www.conf so it is run by that user. Let’s call him web02. He executes a shell command that tells the server to run git pull. This is fine and nice; I can easily call this with curl from the .gitlab-ce.yml, or even just add it as a webhook, BUT how do you prevent ANYONE ELSE from executing the git pull just by entering the direct URL to the PHP file? If this can’t be sorted out I won’t use this method because its security is missing. :confused:

Oh, and one more addition. My folder structure looks like this:

git folder
|
|-public
| |-pictures
| |-scripts
| |-etc, etc
|-vendor
|-config
|–etc, etc

The php file is located in git folder/public BUT the git pull has to be executed from its parent folder, git folder. I might just add a cd .. into the shell_exec command, but will that work?

Update: It works, it pulls down what I want even without the cd … (that is strange to me, like a lot).

Now the only issue I still have to solve is to allow only my server to reach that file. I wish not to store anything in PHP, because if someone with the least hacking skill can reach this file and see inside it, it can compromise my whole infrastructure. So I’m looking for a solution via NginX. What do you think?

Glad you got it to work.

I haven’t looked into better security yet since so far we are just testing it out before moving it into our production chain. The script I linked in my OP checks a password parameter for security, but whether that’s enough I’m not the guy to answer.

Aaaaaand got the security sorted as well. :slightly_smiling:

Created a deployment folder inside the public folder. Put the deploy.php in it, so you can refer to it with a URL like http://yourwebsite.com/deployment/deploy.php.
Then comes the trick: in nginx I created a separate location block just for the deploy.php, and there I’ve allowed ONLY my git server. Every other IP address accessing that file is denied. :wink:

In NginX:

location ~ ^/deployment/deploy.php(/|$) {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        allow   GITSERVER-IPADDRESS;
        deny    all;
}

deploy.php:

<?php

echo shell_exec("git pull origin master 2>&1");

?>

Getting there! :slight_smile:
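The nginx allow/deny block above keeps strangers away from the URL, but it is the only thing standing between a stray request and a shell command, and it does not answer the earlier question of how to stop anyone else who can reach the URL from triggering the pull, nor the question of which directory the pull runs in. The script below is an added example for this thread (it is not the gitlab-webhook-push.php linked in the first post and not the deploy.php shown above). It layers the other check a practitioner would want on top of the IP allow-list: GitLab's webhook "Secret Token", which GitLab sends in the X-Gitlab-Token header, compared in constant time, plus a check that the event really is a push to the deploy branch, an explicit working directory and environment for git, and a fast-forward-only pull. It assumes the public/ layout from the thread (repository root one directory up), that the web server user already has the SSH deploy key and known_hosts entry described earlier, that the token is stored in /etc/deploy-token (a hypothetical path, readable only by that user and outside the document root), and PHP 7.1 or later.

```php
<?php
// deploy.php -- GitLab push webhook that runs "git pull" as the web server user.
//
// Added example for this thread; not the script linked in the first post and
// not the deploy.php posted above. Assumptions beyond what the thread states:
//   * the webhook was created with GitLab's "Secret Token" field filled in;
//     GitLab sends that value in the X-Gitlab-Token request header;
//   * this file lives in <git folder>/public, so the repository root is "..";
//   * the web server user already has its SSH deploy key and known_hosts entry;
//   * the secret lives in /etc/deploy-token (hypothetical path), readable by
//     the web server user only and outside the document root.
declare(strict_types=1);

const REPO_DIR   = __DIR__ . '/..';     // repository root (parent of public/)
const BRANCH     = 'master';            // only pushes to this branch deploy
const TOKEN_FILE = '/etc/deploy-token'; // hypothetical; keep it out of public/

function respond(int $status, string $body): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $body, "\n";
    exit;
}

// Run git with an explicit working directory and a fixed environment, so the
// result does not depend on php-fpm's cwd or on whether HOME is set (git needs
// HOME to find the web user's ~/.ssh). Returns combined stdout and stderr.
function runGit(array $argv, ?int &$exitCode): string
{
    $cmd  = implode(' ', array_map('escapeshellarg', $argv)) . ' 2>&1';
    $home = getenv('HOME');
    if ($home === false && function_exists('posix_getpwuid')) {
        $home = posix_getpwuid(posix_geteuid())['dir'] ?? '/tmp';
    }
    $env = [
        'HOME' => $home ?: '/tmp',
        'PATH' => '/usr/local/bin:/usr/bin:/bin',
        'GIT_TERMINAL_PROMPT' => '0', // fail instead of hanging on a password prompt
    ];
    $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes, REPO_DIR, $env);
    if (!is_resource($proc)) {
        $exitCode = 1;
        return 'could not start git';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exitCode = proc_close($proc);
    return $out;
}

// 1. A stray browser hit is a GET; GitLab always POSTs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, 'method not allowed');
}

// 2. Shared-secret check in constant time. A missing or empty token file
//    fails closed instead of letting every request through.
$expected = @file_get_contents(TOKEN_FILE);
$expected = $expected === false ? '' : trim($expected);
$given    = $_SERVER['HTTP_X_GITLAB_TOKEN'] ?? '';
if ($expected === '' || !hash_equals($expected, $given)) {
    respond(403, 'forbidden');
}

// 3. Only push events, and only for the deploy branch; "ref" is in the JSON body.
if (($_SERVER['HTTP_X_GITLAB_EVENT'] ?? '') !== 'Push Hook') {
    respond(400, 'unexpected event');
}
$payload = json_decode((string) file_get_contents('php://input'), true);
if (!is_array($payload) || ($payload['ref'] ?? '') !== 'refs/heads/' . BRANCH) {
    respond(200, 'ignored: not a push to ' . BRANCH);
}

// 4. Fast-forward only: a diverged server checkout shows up as a 500 in the
//    webhook's delivery log instead of a silent merge commit on the server.
//    Nothing from the request is ever interpolated into the command line.
$output = runGit(['git', 'pull', '--ff-only', 'origin', BRANCH], $code);
respond($code === 0 ? 200 : 500, $output);
```

Keep the nginx allow/deny block from the post in front of this as well; the two checks fail independently, and the token check is what still protects you if the git server's address ever changes or a host on the allowed network is compromised. The same script works behind Apache, since none of the checks rely on nginx.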

That looks cool, good work. Thanks for sharing!

1 Like