Category Archives: Linux

Github & Travis CI submodule trigger build for main project

Good day.

I was participating in project Pupil and one of the task was to trigger build of main project from push event of submodule. In order to do that you need to do simple POST request to travis api but Github doesn’t allow to add custom headers thus request cannot be authenticated. So workaround is rather simple.

1. Create .travis.yml in submodule:

branches:
only:
- master
os:
- linux
sudo: false
script:
- "/bin/bash ./scripts/webhook.sh"

2. Create wrapper script around curl request (./scripts/webhook.sh):

#!/bin/bash

curl -s -X POST -H "Content-Type: application/json" \
-H "Accept: application/json" -H "Travis-API-Version: 3" \
-H "Authorization: token ${TRAVIS_TOKEN}" \
-d '{"request":{"branch":"master"}}' \
https://api.travis-ci.org/repo/#REPO_NAME_SPACE#%2F#REPO_NAME#/requests

Note: %2F is /

3. Add TRAVIS_TOKEN to environment variables of Travis CI.
More information can be found at this page: Triggering builds through the API

4. If you are using git submodules then during build stage you need to add following command to script section of main project:
git submodule foreach git pull origin master

That’s it. Simple workaround. I hope I didn’t miss anything important. 😉

fpm pecl / pear to deb or rpm

Sometimes it happens. You need to convert pecl / pear package to deb or rpm.

This is What you need: fpm. This tool will solve your problem.

But if you try to do something like that:

# fpm -s pear -t deb mypearpackage

It will obviously fail. And actually it’s not a feature of fpm but rather very old bug of pear: pear bug #18666
If you read entire bug you will find workaround/patch. I will save your time and give a link on it: diff

Once you patch those two files: PEAR/Builder.php and PEAR/Command/Install.php fpm will actually works.

But you would face another issue. Since pear doesn’t know anything about php.ini it will suggest to manually add extension to php.ini.
You can simplify your life by splitting fpm into two subcommands.
First one will convert pear package to directory:

# fpm -s pear -t dir mypearpackage

And after you will manually add conf.d file (note: php –ini) to mypearpackage.dir/ you can pack it to rpm or deb as usual:

# fpm -s dir -C mypearpackage.dir/ -t deb -n mypearpackage ./

note: pecl is actually wrapper around pear. So pecl packages also can be converted by fpm using ether “–pear-channel” argument or by specifying channel in package name like that:

# fpm -s pear -t dir pecl.php.net/mypearpackage

I hope I didn’t miss anything important. 😉

CentOS SSH disable SCP and SFTP for some users

Sometimes one need to create a special SSH accounts that do only one thing: starts a program or a shell script. In that case one might need to prevent possibility to download or upload files to server. Due to my research it was not so trivial task as it might be looking.

Lets start with a description of how SCP and SFTP works.

SFTP works as subprocess of shell. So basically when user logs in via sftp client shell starts subprocess which in case of CentOS is /usr/libexec/openssh/sftp-server(One can find that info in /etc/ssh/sshd_config).

Meanwhile SCP talks directly with a shell. So it actually needs /bin/bash set as user shell.

Commonly described solution such as:

Match Group nosft
Subsystem   sftp  /bin/false


actually doesn’t work on CentOS(At least version 6). Maybe because SSHD is too old or something like that. If one tries to restart SSHD with above code in the config file he will get following error:

# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 141: Directive 'Subsystem' is not allowed within a Match block
                                                           [FAILED]


I’ve found small trick how to solve this problem.

First thing is to disable SFTP. Since it’s using another process withing shell let’s find it and deny it. For that I’m going to use small shell script that is wrapper around /bin/bash. So one needs to set following script as login shell of user account:

#!/bin/bash

# disable sftp
if [ "$2" == "/usr/libexec/openssh/sftp-server" ]; then
    exit 1
fi

/bin/bash


What it does? It’s actually looking for second argument of the starting command and if it matches sftp-server it exits with status code 1. And when user tries to initiate SFTP session it immediately drops a session.

But in case of SCP client will think a little longer but it will login and allow download and upload files. What to do? Since SCP talks directly to the shell we need to get rid of shell. Replace last scring (/bin/bash) in above script with a program that you want user to interact (example: telnet to another device) and SCP will fail to connect due to timeout since it cannot talk directly to shell.

I hope I didn’t miss anything important. 😉