使用 Flask 编写 Gitlab Webhook 实现自动拉

1、在要拉取代码的机器上生成用户的 ssh keys

# ssh-keygen
# cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKj81pSNoBMQlp81FYDuyyu874YsrrFgkBClPq7Gkt5JXwQRU7hOzL/eNan6Rbow8cVYlhOU0Xx9ZCq+bheIhK2W6DnSwASAzgFyLpChuFEGS2te3SQMHPuGkhELoraov2dTw7U51E9cbdrt1xdVbWnwGDSiejLrQ1C+4SYKmOgNiYvveeGh530Mz1QbAsxacZBILtBADdq1L8Sp04qDxgJn59KumnJ44XoDAKqBVkJVn1mBMNrMnhhTfjpd0bFKSe5h1r8Rx7Wek2kzmHuelUYOQlT9EcqYKAuuO9Bh4ZZ62DeKYZ9w9/ZXomYRlIPBuWezW6v1ppoOWOBSX/Cauv root@localhost.localdomain

添加到 gitlab ssh kyes，避免 git pull 拉取代码时要输入密码

测试是否能连接 gitlab

# ssh -T git@gitlab.xxx.com
Welcome to GitLab, @webhook!

说明可以使用 webhook 用户连接到 gitlab

2、配置 gitlab webhook

如果添加时出现 “Webhooks and insecure internal web services”，则配置

3、编写 flask webhook 服务 app.py

from flask import Flask
from flask import request, jsonify, abort
import subprocess

app = Flask(__name__)

WEBHOOK_VERIFY_TOKEN = "Gitlab 中 Secret Token 的值"


@app.route('/webhook', methods=['GET', 'POST'])
def webhook():
    if request.method == 'GET':
        verify_token = request.headers.get('X-Gitlab-Token')
        if verify_token == WEBHOOK_VERIFY_TOKEN:
            return jsonify({'status': 'success'}), 200
        else:
            return jsonify({'status': 'bad token'}), 401

    elif request.method == 'POST':
        verify_token = request.headers.get('X-Gitlab-Token')
        if verify_token == WEBHOOK_VERIFY_TOKEN:
            # 进入到代码目录，拉取最新代码
            retcode = subprocess.call("cd /data/xxx-salt/ && git pull", shell=True)
            if retcode == 0:
                return jsonify({'status': 'success'}), 200
            else:
                return jsonify({'status': 'git pull error'}), 503
        else:
            return jsonify({'status': 'bad token'}), 401

    else:
        abort(400)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port='5000')

4、在要拉取代码的机器上部署 flask webhook 服务 app.py

# pip install flask
# yum install -y supervisor
// 先直接运行 app.py 看是否正常
# /usr/bin/python /data/webhook/app.py
// 用 curl 测试一下，看服务是否能处理请求
# curl -X POST -H 'X-Gitlab-Token: Gitlab 中 Secret Token 的值' 10.1.xxx.xxx:5000/webhook
{"status":"success"}

// 用 supervisor 部署服务（也可以先用 gunicorn 运行 app.js）。或者直接运行 /usr/bin/python /data/webhook/app.py ，就可以忽略这一步
# egrep -v "^$|^;" /etc/supervisord.conf
[unix_http_server]
file=/var/run/supervisor/supervisor.sock   ; (the path to the socket file)
[supervisord]
logfile=/var/log/supervisor/supervisord.log  ; (main log file;default $CWD/supervisord.log)
logfile_maxbytes=50MB       ; (max main logfile bytes b4 rotation;default 50MB)
logfile_backups=10          ; (num of main logfile rotation backups;default 10)
loglevel=info               ; (log level;default info; others: debug,warn,trace)
pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
nodaemon=false              ; (start in foreground if true;default false)
minfds=1024                 ; (min. avail startup file descriptors;default 1024)
minprocs=200                ; (min. avail process descriptors;default 200)
user=root                 ; (default is current user, required if root)
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///var/run/supervisor/supervisor.sock ; use a unix:// URL  for a unix socket
[include]
files = supervisord.d/*.ini
# egrep -v "^$|^;" /etc/supervisord.d/webhook.ini 
[program:webhook]
command=/usr/bin/python /data/webhook/app.py              ; the program (relative uses PATH, can take args)
process_name=%(program_name)s ; process_name expr (default %(program_name)s)
numprocs=1                    ; number of processes copies to start (def 1)
directory=/data/webhook                ; directory to cwd to before exec (def no cwd)
umask=022                     ; umask for process (default None)
priority=999                  ; the relative start priority (default 999)
autostart=true                ; start at supervisord start (default: true)
autorestart=true              ; retstart at unexpected quit (default: true)
startsecs=10                  ; number of secs prog must stay running (def. 1)
startretries=3                ; max # of serial start failures (default 3)
exitcodes=0,2                 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT               ; signal used to kill process (default TERM)
stopwaitsecs=10               ; max num secs to wait b4 SIGKILL (default 10)
user=root                   ; setuid to this UNIX account to run the program
redirect_stderr=true          ; redirect proc stderr to stdout (default false)
stdout_logfile=/tmp/webhook.log        ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=10     ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB   ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false   ; emit events on stdout writes (default false)
stderr_logfile=/tmp/webhook.error.log        ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=1MB   ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=10     ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB   ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false   ; emit events on stderr writes (default false)
environment=A=1,B=2           ; process environment additions (def no adds)
serverurl=AUTO                ; override serverurl computation (childutils)

# systemctl restart supervisord
# supervisorctl status
webhook                          RUNNING   pid 11246, uptime 1:29:18

5、测试 gitlab webook

查看 app.py 日志

# tail /tmp/webhook.log 
10.1.9.34 - - [03/Jan/2019 13:06:12] "POST /webhook HTTP/1.1" 200 -
Already up-to-date.
10.1.200.91 - - [03/Jan/2019 13:12:34] "POST /webhook HTTP/1.1" 200 -

这样就可以实现一个简单的自动拉取代码到服务器的 webhook