I am developing an application that resides on a public host but whose source I must keep in a Git repository behind a corporate firewall. I'm getting very tired of the slowness of deploying via scp (copying the whole repository and shipping it over SSH on each deploy) and would like to have the remote host simply do a git pull to update. The problem is that the firewall prohibits incoming SSH connections.
Would it be possible for me to set up an SSH tunnel from my computer to the deployment computer and use my repository as the source for the git pull? After all, git is distributed, so my copy is just as valid a repository as the central one. If this is possible, what would the tunnel command and the Capistrano configuration be?
I think the tunnel will look something like
ssh -R something:deployserver.com:something deploybot@deployserver.com
Net::SSH implements remote forwarding. I have looked over all Capistrano's source code and couldn't see any references to it in the current release. None the less, that doesn't stop you from establishing remote forwarding before you deploy with Capistrano.
What you'll want to do is set the :local_repository and :repository paths individually. :local_repository is referenced locally to determine which commit will be used for the deployment before the connection is initiated. That leaves :repository for the remote server to pull from after the connection has been initiated. This is where you can specify the path to the repository behind the firewall.
# deploy.rb
set :local_repository, "ssh://git@serverbehindfirewall/path/to/project.git"
set :repository, "ssh://git@localhost:9000/path/to/project.git"
Before you deploy, be sure to establish the remote forward. You'll need to repeat this for each server you deploy to.
$ ssh -R 9000:serverbehindfirewall:22 deploybot@deployserver.com
# CTRL + C + A (Screen) or ⌘ + T (Terminal.app) to open new tab
$ cap HOSTFILTER=deployserver.com deploy # HOSTFILTER reduces set to specified host. Only useful if you have multiple servers.
Using Net::SSH this could easily be turned into a task which is executed before anything else providing greater flexibility when deploying to multiple servers.
Lastly, given you've been using scp, you might want to set deploy_via, :remote_cache which keeps a copy of the repository on the remote server. This greatly decreases your deployment time reduces the chance of corruption.
See my answer from this SO question:
Using Capistrano 3.x, the following works for me:
namespace :deploy do
desc "Open SSH Tunnel to GitLab"
task :open_tunnel do
on roles(:app) do
info "Opening SSH Remote Tunnel..."
self.send(:with_ssh) do |ssh|
# ssh -R 9000:192.168.1.123:22
ssh.forward.remote(22, "192.168.1.123", 9000)
end
end
end
before "deploy:check", "deploy:open_tunnel"
end
Please note that ssh.forward.remote expects parameters in a different order than ssh -R, the above is equivalent to ssh -R 9000:192.168.1.123:22
This task calls a private method, if anyone knows an official way to get the access Capistrano's ssh connection, please comment or edit.
Edit: Also see the section Tunneling and other related SSH themes of SSHKit's README
来源:https://stackoverflow.com/questions/2729100/is-it-possible-to-do-have-capistrano-do-a-checkout-over-a-reverse-ssh-tunnel