I've got capistrano 3 running perfectly with passwordless deploy as a non root user.
What I'm trying to do now is setup a install script that install's the upstart service, the sudoers.d file and installs some dependencies on the server.
so that I could install a new server by simply entering the user and host in the production.rb file and run cap production setupserver
the problem is that the setup scripts that I've created need to be run as root.
But since it's a one time thing, I'd simply like to ask the user for the root password and run a couple of tasks on the server.
the as :root command doesn't work since it uses su -c
I could ask for the password as demonstrated here
http://capistranorb.com/documentation/faq/how-can-i-get-capistrano-to-prompt-for-a-password/
any suggestions on how to override the user specified in the production.rb file?
and how to pass the asked password?
The way I finally solved it was by adding another role for the same server.
role :app, 'theappuser#myserver'
role :install, 'root#myserver', :no_release => true
And then doing something like this
desc 'Install nginx'
task :install do
on roles(:install) do
require 'erb'
template = ERB.new(File.new('deploy/templates/nginx.conf.erb').read).result(binding)
upload! StringIO.new(template), "/etc/nginx/conf.d/#{fetch(:domain)}.conf"
end
on roles(:app) do
invoke 'nginx:restart'
end
end
if i understand you correctly this should solve your problem by make the user variable:
set :current_user, Proc.new { current_user = Capistrano::CLI.ui.ask "Enter deploy user" }
if current_user.present?
set :user, "#{current_user}"
end
what it will do it will ask you before run the command for user then assign this user to production.rb :user, then you will be able to control it on the setup.
Related
On a machine running apache there are 3 rails apps running, all use capistrano for deployment, and they use passenger. The deployment scripts are standard. My predecessor set up the user deploy in textbook style, all 3 projects use the same capistrano version (3.8), and use the same directory structure on the server. All sit in a common directory within the deploy user's home. All use passenger, the same ruby and rails versions. They shared some linked directories, but otherwise the deployment scripts are all pretty trivial. My predecessor insists that in his times the deployment worked. We have still got his machine, and deployment does not work from his machine either-- only of this one project.
On cap production deploy of one of the three projects I always get a Errno::EACCES: Permission denied # dir_initialize - /tmp/passenger.h6D8mJy/apps.s error.
My only workaround is the following:
I log in on the production server, make myself superuser and change the owner of the /tmp directory to deploy. Then I run the deployment script, and it succeeds. (Then of course I change the owner of the directory back to root.)
So it seems as if the /tmp/passenger.something directory has set its owner wrong. Somehow I don't think this can be the problem though, since the other two scripts use the same directory and don't have this problem. Or do they? Who creates this directory and why, and where is ownership of this directory configured?
I thought it best if I just included the log, but I had to cut all of it... stackOverflow rejected my post because "this looks like spam").
INFO [e1c2bb25] Running ~/.rvm/bin/rvm ruby-2.3.1 do bundle exec rake assets:precompile as deploy#99.999.99.999
DEBUG [e1c2bb25] Command: cd /home/deploy/projects/external-services/releases/20190423082459 && ( export RAILS_ENV="production" ; ~/.rvm/bin/rvm ruby-2.3.1 do bundle exec rake assets:precompile )
DEBUG [56ee67e8] rake aborted!
Errno::EACCES: Permission denied # dir_initialize - /tmp/passenger.h6D8mJy/apps.s
I am new to ansible (2.2.1) and have started to migrate from our fabric scripts to ansible which I find somewhat better regarding structure. I have run into an issue, it should be pretty straight forward but since I do not know ansible through and through I am not sure how to proceed. I am running this against a vagrant box as of now.
The issue is regarding user privileges and postgres.
Lets say I have this playbook
- hosts: web
become: yes
become_user: root
vars:
dbname: myapp
tasks:
- name: ensure database is created
postgresql_db: name={{dbname}}
I cannot make this simple example work! All dependencies are met. If I do the same thing with mysql this works fine but here I get issues with unable to connect to database: FATAL: Peer authentication failed for user "postgres".
In mysql I use the "root" user with a blank password, which works because I know that user is created upon install with a blank password.
There is a user postgres created when the installation of postgresql is completed so the user exists. And as root I should be able to login by saying I am the postgres user. Am I missing something in how this is done? It works just fine if log into the server and sudo -su postgres && psql.
I also tried to add become_user: postgres by the task I want to run but then I get unprivileged user issues.
Any ideas of what is missing?
Found a few workarounds and a solution, given you are ok with giving away some security (which makes sense, this being an issue just for that reason).
More people having this problem with the new ansible in this github issue thread
https://github.com/ansible/ansible/issues/16048
What I ended up doing was settings allow_world_readable_tmpfiles = True in the ansible.cfg file. Then this is not an issue anymore but you get warnings. I only need this setting for when handling the postgres role, so maybe I'll end up split it up or putting the setting somewhere less global.
Using Capistrano v3, how can I run all remote tasks through su as another user? I cannot find anything in the official documentation (http://capistranorb.com/)
For my use case, there is one SSH user and one user for every virtual host. User A connects to the server and should run all commands as user B.
This isn't much of an answer, but I don't think what you are trying to do is possible without code modifications. Here's why:
There are two primary cases where you would use a different user:
Deployment needs to run as a particular user because of file ownership.
Deployment needs to run with root permissions.
In the first case, you generally would simply tell Capistrano to ssh as that user.
In the second case, you would tell Capistrano to run certain commands with paswordless sudo (http://capistranorb.com/documentation/getting-started/authentication-and-authorisation/#authorisation).
I can see a situation where only one user is available via SSH, but file ownership and permissions is based on another user, so you want to make su part of the workflow. I'm sure it is possible to do, but if I had to do it, I would be reading the source code of Capistrano and overriding how shell commands are executed. This would be non-trivial.
If you have a specific command like rm which needs to run as a different user, you may be able to use the SSHKit.config.command_map[:rm] = 'sudo rm' mechanism to do it.
In a nutshell, I don't think what you are asking for is, on its face, easily done with Capistrano. If you have a specific use case, we may be able to offer suggestions as to how you may approach the problem differently which plays better to Capistrano's strengths.
Good luck!
Update
Looking further, the capistrano-rbenv gem has a mechanism by which it has overridden the execution of all commands:
task :map_bins do
SSHKit.config.default_env.merge!({ rbenv_root: fetch(:rbenv_path), rbenv_version: fetch(:rbenv_ruby) })
rbenv_prefix = fetch(:rbenv_prefix, proc { "#{fetch(:rbenv_path)}/bin/rbenv exec" })
SSHKit.config.command_map[:rbenv] = "#{fetch(:rbenv_path)}/bin/rbenv"
fetch(:rbenv_map_bins).each do |command|
SSHKit.config.command_map.prefix[command.to_sym].unshift(rbenv_prefix)
end
end
https://github.com/capistrano/rbenv/blob/master/lib/capistrano/tasks/rbenv.rake#L17
You might have success with something similar.
In order to run all remote tasks through su as another user I think you need to change Ownership for that User.
I'm Assuming that deployment folder name is /public_html/test .
sudo chown User:User /public_html/test # `chown` will change the owner ship so that `User` user can `**Read/Write**`
umask 0002
sudo chown User:User public_html/test/releases
sudo chown User:User public_html/test/shared
Hope this will solve your issue!!!
i am trying to install jboss-fuse-6.1.0.redhat-379
and i am able to create esb:create-admin-user via console but not i am trying to automate installation via shell script .
i am able to start fuse server but not able to create user
esb:create-admin-user.
below is sample script for creating user.
!/bin/ksh
cd $HOME/jboss-fuse-6.1.0.redhat-379/bin
./fuse esb:create-admin-user --new-user admin1 --new-user-password admin12
but it is not creating user.
please let me know how i can do this .
This could be the issue with file write access present in etc .
Here is the another solution for that
Go to jboss-fuse-6.1.0.redhat-379/etc folder
Open users.properties file and add username=password,admin
Last word admin is the "Admin" role.
You are probably looking for the bin/client script to execute commands against a running fuse instance. But for that you will need a username/password ;)
If you want to automate it is indeed probably easier just to use #mahesh-biradar approach:
echo "admin1=admin12,admin" >> etc/users.properties
I am starting the jboss_3.2.7 with the linux user jbs using jboss with RUNASIS option, but it is not working while the entire system[linux] restart. Which is starting the jboss as root user.
I added the jboss service in chkconfig option of linux for starting the jboss on linux restart.
In the jboss service file (/etc/init.d) modified the user to RUNASIS
define the user under which jboss will run, or use RUNASIS to run as the current user
JBOSSUS=${JBOSSUS:-"RUNASIS"}
You are using quite old JBoss version and I personally never see it. But I think it should be very similar to newer ones.
Please try to put your user after when defining these variable:
JBOSSUS=jbs
The other solution is to setting these variable before executing running script:
export JBOSSUS=jbs; /etc/init.d/jboss start
Update
I have just downloaded JBoss 3.2.7 and I checked the jboss_init_redhat.sh script (I hope you use these one as a templete for your starting script).
In the file jboss_init_redhat.sh you can find such lines:
#define the user under which jboss will run, or use RUNASIS
#to run as the current user
JBOSSUS=${JBOSSUS:-"jboss"}
These line defines the new user name. It checks if the variable JBOSSUS is set up and if not is uses jboss user as default name.
The second interesting part of these script:
if [ "$JBOSSUS" = "RUNASIS" ]; then
SUBIT=""
else
SUBIT="su - $JBOSSUS -c "
fi
You should know one thing: when you run automatically any script from init scripts it is always run as a root user. Thats why in the script should be command which change the effective user to someone else. And here you have these part of the script.
It first checked if your username is RUNASIS and if it is yes - do nothing. In another case it run JBoss as a another user by using su command.
In your case it should be sufficient to change JBOSSUS variable definition to something like that:
JBOSSUS=jbs
After that you can start these script as a root user and it should run JVM with JBoss with jbs user.