I am trying to create a capistrano task to setup my log rotation file.
namespace :app do
task :setup_log_rotation,:roles => :app do
rotate_script = %Q{#{shared_path}/log/#{stage}.log {
daily
rotate #{ENV['days'] || 7}
size #{ENV['size'] || "5M"}
compress
create 640 #{user} #{ENV['group'] || user}
missingok
}}
put rotate_script, "#{shared_path}/logrotate_script"
"sudo cp #{shared_path}/logrotate_script /etc/logrotate.d/#{application}"
run "rm #{shared_path}/logrotate_script"
end
end
At the very top of my deploy.rb file I had following line
set :use_sudo, false
I completely missed that my cp command was silently failing and on my terminal I thought everything is fine. That is not good. How should I write the cp code so that incase cp fails for some reason ( in this case sudo command was failing) then I should get feedback on my terminal.
Solved my own problem.
Look at this for something similar.
I add this line in deploy.rb
default_run_options[:pty] = true
And changed from
run "sudo cp #{shared_path}/logrotate_script /etc/logrotate.d/#{application}"
to this
sudo "cp #{shared_path}/logrotate_script /etc/logrotate.d/#{application}"
Related
What is happening:
user starts local react server via any variation of npm [run] start[:mod]
my prestart script runs and kills the local webserver if found
Once pkill node is run, that kills the npm start script as well so I want to run the starting command again.
My current solution is to do
history 1 | awk '/some-regex/
to get the name of the last command which I can run with
exec('bash -c 'sleep 1 ; pkill node && ${previousCommand}' &')
This is starting to get pretty hacky so I'm thinking there has to be a better way to do this.
My node script so far:
const execSync = require("child_process").execSync;
const exec = require("child_process").exec;
const netcat = execSync('netcat -z 127.0.0.1 3000; echo $?') == 1 ? true : false; // true when :3000 is available #jkr
if(netcat == false) {
exec(`bash -c 'sleep 1 ; pkill node' &`);
console.warn('\x1b[32m%s\x1b[0m', `\nKilling all local webservers, please run 'npm start' again.\n`);
}
There seems to be an npm package which does this: kill-port
const kill = require('kill-port')
kill(port, 'tcp').then(console.log).catch(console.log)
Source: https://www.npmjs.com/package/kill-port
I understand this might not answer the question of running last command but should solve OP's problem.
I am trying to create a TPM-based unlock script using tpm2-tools with instructions from Tevora Secure boot tpm2. I have set up the key, loaded it with cryptsetup luksAddKey secret.bin, then tested it using tpm2_unlock -c 0x81000000 --auth pci:sha1:0,2,3,7 and returns the value of secret.bin. For extra measures, to make sure it works, I loaded secret.bin into "/etc/crypttab", ran # update-initramfs -u -k all, and rebooted. Upon reboot, the system unlocked.
I copied over the following code into "/etc/initramfs-tools/hooks/tpm2"
#!/bin/sh -e
if [ "$1" = "prereqs" ]; then exit 0; fi
. /usr/share/initramfs-tools/hook-functions
copy_exec /usr/local/bin/tpm2_unseal
copy_exec /usr/local/lib/libtss2-tcti-device.so
I appended my etc/crypttab from cryptname UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks to cryptname UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,keyscript=/usr/local/bin/passphrase-from-tpm
I rewrote the following script because the tpm2-tools command was outdated, edited in the new command, and stored it in /usr/local/bin/passphrase-from-tpm:
#!/bin/sh
set -e
echo "Unlocking via TPM" >&2
export TPM2TOOLS_TCTI="device:/dev/tpm0"
/usr/local/bin/tpm2_unseal -c 0x81000000 --auth pcr:sha1:0,2,3,7
if [ $? -eq 0 ]; then
exit
fi
/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "
I ran # update-initramfs -u -k all then rebooted. In reboot, I get the following error: /lib/cryptsetup/scripts/passphrase-from-tpm: line 5: /usr/local/bin/tpm2_unseal: not found
I have tried many times to edit passphrase-from-tpm unsuccessfully, including:
Moving both passphrase-from-tpm into "/boot/efi/EFI/BOOT/" and referencing crypttab to that file
Modifying passphrase-from-tpm to use a relative file path to tpm_unseal
Before I figured out how to create a backup linux boot using:
objcopy \
--add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
--add-section .cmdline=cmdline.txt --change-section-vma .cmdline=0x30000 \
--add-section .linux="/boot/vmlinuz" --change-section-vma .linux=0x40000 \
--add-section .initrd="/boot/initrd.img" --change-section-vma .initrd=0x3000000 \
/usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/EFI/BOOT/BOOT_RECX64.EFI
I would be locked out of the system completely because of the error and had to reinstall Ubuntu about 40 times. I have suffered a lot and want to quit but I am too stubborn to throw in the flag.
just copy tpm2_unseal to /usr/local/bin/
I'm trying to make a working setup following basically those instructions, plus a few others I have found. While not working 100% yet, check that both /etc/initramfs-tools/hooks/tpm2 and /usr/local/bin/passphrase-from-tpm are marked executable (sudo chmod ug+x $filename).
After making the initramfs, you can run the following to ensure that the TPM related files are actually in the image. Replace the path in the filename by whatever update-initramfs said it was generating:
$ lsinitramfs /boot/initrd.img-5.0.0-37-generic | egrep "(tpm|libtss)"
lib/cryptsetup/scripts/passphrase-from-tpm
lib/modules/5.0.0-37-generic/kernel/crypto/asymmetric_keys/tpm_key_parser.ko
lib/modules/5.0.0-37-generic/kernel/crypto/asymmetric_keys/asym_tpm.ko
lib/udev/rules.d/tpm-udev.rules
usr/local/lib/libtss2-sys.so.0
usr/local/lib/libtss2-mu.so.0
usr/local/lib/libtss2-sys.so.0.0.0
usr/local/lib/libtss2-tcti-device.so
usr/local/lib/libtss2-tcti-device.so.0
usr/local/lib/libtss2-tcti-device.so.0.0.0
usr/local/lib/libtss2-mu.so.0.0.0
usr/local/bin/tpm2_unseal
Additionally, I have modified /usr/local/bin/passphrase-from-tpm to the following:
#!/bin/sh
TPM_DEVICE=/dev/tpm0
TPM_REGISTER=0x81000001
TPM_SEAL_POLICY=sha256:0,2,4,7
export TPM2TOOLS_TCTI="device:$TPM_DEVICE"
if [ "$CRYPTTAB_TRIED" -eq 0 ]; then
echo "Unlocking via TPM" >&2
/usr/local/bin/tpm2_unseal -H $TPM_REGISTER -L $TPM_SEAL_POLICY
UNSEAL_STATUS=$?
echo "Unseal status $UNSEAL_STATUS" >&2
if [ $UNSEAL_STATUS -eq 0 ]; then
exit
fi
else
echo "TPM unlocking previously failed for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)" >&2
/lib/cryptsetup/askpass "Enter passphrase for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME): "
fi
Note that the command line options to tpm2_unseal are for the 3.x versions of tpm2-tools. If you're using another version, you might need to update the options.
I pulled out various bits into variables at the top of the file. Modify TPM_REGISTER and TPM_SEAL_POLICY to match how you created the TPM object. set -e was removed since if any command failed, the whole script would exit, preventing the askpass fallback from ever running if tpm2_unseal failed.
Additionally, I noticed that if the script fails for some reason, systemd will attempt to run it again. If the secret in the TPM doesn't match the LUKS key, this will render the system unbootable, since the unseal succeeds, but unlocking fails, and systemd will run the script again.
Looking at the man page for crypttab, I discovered that one of the environment variables provided to the keyscript is CRYPTTAB_TRIED which is the number of tries it has attempted to unlock the volume. If CRYPTTAB_TRIED is 0, it'll attempt to use the TPM, as shown by this test (Running as non-root, so accessing the TPM device fails):
$ export CRYPTTAB_SOURCE=some_device
$ export CRYPTTAB_NAME=some_device_name
$ export CRYPTTAB_TRIED=0
$ ./passphrase-from-tpm
Unlocking via TPM
ERROR:tcti:src/tss2-tcti/tcti-device.c:440:Tss2_Tcti_Device_Init() Failed to open device file /dev/tpm0: Permission denied
ERROR: tcti init allocation routine failed for library: "device" options: "/dev/tpm0"
ERROR: Could not load tcti, got: "device"
Unseal status 1
When it tries running the script again, CRYPTTAB_TRIED will be greater than 0, making it display the password prompt instead:
$ export CRYPTTAB_TRIED=1
$ ./passphrase-from-tpm
TPM unlocking previously failed for some_device (some_device_name)
Enter passphrase for some_device (some_device_name):
Hopefully this is still of use to you, and helpful to anyone else trying to get the house of cards that is disk encryption with a TPM on Linux working.
i have to compile a custom c coded binary used by our rails app.
this setup is held in a custom rake file (ourapp.rake, below)
running cap v2 i noticed the make was failing but the deploy didn't "fail".
i since just made the task
system "cd #{thedir} && exit 1" # simulate failing of custom task
but the deploy:cold doesn't fail, the debug output (below) clearly shows make failing
am i missing something? i've tried
searching for error codes/failing scenario of capistrano - nothing (lots of mentions of trying to run custom scripts on failing)
system v run v invoke
help appreciated, code below
# ourapp.rake
namespace :ourapp do
desc "Compile and Install Performant Parser"
task :compile_performant_parser do
thedir=File.join(Rails.root, 'parser')
system "cd #{thedir} && make clean && make && make install"
end # compile
desc "Compile and Install Compareplans process"
task :compile_binary do
thedir=File.join(Rails.root, 'compareplans_process/src')
#system "cd #{thedir} && make clean && make && make install"
system "exit 1"
end # compile
task :install => [:compile_performant_parser, :compile_binary ] do
puts "Preparing Ourapp for run"
end
end
additions to deploy.rb
namespace :deploy do
desc "setup ourapp dependencies, dir, binaries and (later data)"
task :setup_ourapp do
run "cd #{current_release} && /usr/bin/env bundle exec rake our app:install RAILS_ENV=#{rails_env}"
end
after 'deploy:update_code', 'deploy:setup_ourapp'
end
so i figured out that capistrano does not exit, so you need to test the error code
Capistrano run local command exit on failure
and to rollback you need to use a transaction type
How do I use transactions within custom capistrano tasks?
I have configured chef environment and i am able to deploy my application using capistrano . Now i want to my chef to handle capistrano to deploy my apps . How can it be done ?
I do the opposite, ie. deploy my Chef recipes via Capistrano. I recommend it.
#config/deploy.rb
...
before 'bundle:install', "provision:default", "deploy:config_db_yml_symlink"
...
This will execute the chef config for a server after before bundle install, which is important because a lot of gems rely on packages being installed to the OS.
#config/deploy/provision.rb
Capistrano::Configuration.instance(:must_exist).load do
namespace :provision do
task :default do
provision.setup
provision.web
provision.db
provision.db_slave
end
task :setup, once: true do
provision.get_environment_variables
provision.update_cookbooks
end
task :db, :roles => :db do
next if find_servers_for_task(current_task).empty?
if rails_env == 'staging'
run %{cd #{release_path}/provision; sudo chef-solo -c solo.rb -j db.json -l debug}
else
run %{cd #{release_path}/provision; sudo chef-solo -c solo.rb -j db_master.json -l debug}
end
end
task :db_slave, :roles => :db_slave do
next if find_servers_for_task(current_task).empty?
run %{cd #{release_path}/provision; sudo chef-solo -c solo.rb -j db_slave.json -l debug}
end
task :web, :roles => :web do
next if find_servers_for_task(current_task).empty?
run %{cd #{release_path}/provision; sudo chef-solo -c solo.rb -j web.json -l debug}
end
task :get_environment_variables do
run "if [ -d ~/.config ]; then " +
"cd ~/.config && git fetch && git reset origin/master --hard; " +
"else git clone git#github.com:mycompany/config.git .config; fi"
run "sudo cp ~/.config/secureshare/#{rails_env}/environment /etc/environment"
end
task :update_cookbooks do
run "if [ -d /u/chef ]; then " +
"cd /u/chef && git fetch && git reset origin/master --hard; " +
"else git clone git#github.com:mycompany/chef.git /u/chef; fi"
end
end
namespace :deploy do
task :setup, :except => { :no_release => true } do
dirs = [deploy_to, releases_path, shared_path]
dirs += shared_children.map { |d| File.join(shared_path, d.split('/').last) }
dirs += [File.join(shared_path, 'sockets')]
run "#{try_sudo} mkdir -p #{dirs.join(' ')}"
run "#{try_sudo} chmod g+w #{dirs.join(' ')}" if fetch(:group_writable, true)
run "#{try_sudo} chown -R ubuntu:ubuntu #{dirs.join(' ')}" if fetch(:group_writable, true)
end
task :config_db_yml_symlink do
run "ln -s #{shared_path}/database.yml #{release_path}/config/database.yml"
end
end
end
I have a folder in my project named provision, to handle the definition of chef roles, though the recipes are in a different repository.
#provision/solo.rb
root = File.absolute_path(File.dirname(__FILE__))
cookbook_path '/u/chef'
role_path root + "/roles"
log_level :debug
log_location STDOUT
Nodes are defined in the project
#provision/db_slave.json
{
"run_list": ["role[db_slave]"]
}
And roles
#provision/roles/db_slave.rb
name "db_slave"
description 'A postgresql slave.'
run_list(["recipe[base]", "recipe[postgresql::slave]", "recipe[rails]","recipe[papertrail]", "recipe[fail2ban]"])
override_attributes(
'kernel' => {
'shmmax' => ENV['KERNEL_SHMMAX'],
'shmall' => ENV['KERNEL_SHMALL'],
'msgmax' => ENV['KERNEL_MSGMAX'],
'msgmnb' => ENV['KERNEL_MSGMNB']
},
'postgresql' => {
'user' => ENV['PG_USER'],
'password' => ENV['PG_PASSWORD'],
'database' => ENV['PG_DATABASE'],
'master_host' => ENV['PG_HOST']
},
'app_dir' => ENV['APP_DIR'],
'papertrail' => {
'port' => ENV['PAPERTRAIL_PORT'],
'log_files' => [
"#{ENV['APP_DIR']}/shared/log/*.log",
"/var/log/*.log",
"/var/log/syslog",
"/var/log/upstart/*.log",
"/var/log/postgresql/*.log"
]
},
'new_relic' => {
'key' => ENV['NEW_RELIC_LICENSE_KEY']
})
All without keeping any sensitive information within the app. I also use capistrano-ec2group in order to map servers to roles using EC2 security groups.
group :myapp_web, :web
group :myapp_web, :app
group :myapp_db, :db, :primary=>true
group :myapp_db_slave, :db_slave
So basically you keep your chef recipes in one repo, your environment variables in another repo, and your app in another repo - and use Capistrano to both provision servers and deploy your app.
You could also keep your chef recipes in your application repo, but that inhibits reuse between project. The key is to put everything that changes into environment variables and store them separate to the app and the recipes.
When this is configured correctly, to add new servers you simply need to spin one up in EC2, apply the desired security group and then
cap deploy
You could watch that Foodfightshow Episode about Application Deployment.
You can e.g. put the configuration files (with e.g. the database credentials) to the server with Chef, while pushing the source code with Capistrano.
You can't. Or at least it won't be very straightforward.
Chef is a pull system -- the client pulls information from the Chef server, and takes action upon it.
Capistrano is a push system -- you tell it to log into the server and perform tasks there.
The only way I see for you to integrate them would be to run Capistrano locally on each machine, but I fail to see a reason for that.
Chef's deploy resource can probably do everything you need without the need to have Capistrano integrated. If you still want to push your deploys to the servers independently from the chef-client runs, you're better off not deploying via Chef and keeping your current system.
If you want continuous delivery, hook up your Capistrano scripts to your CI server and run them at the end of your pipeline.
The podcast referred by #StephenKing is a great source of information on this matter.
I am trying to deploy a Rails3 app with Capistrano (2.5.19). I have successfully run:
cap deploy:setup
and the correct directories were created on the server. But when I run cap deploy:cold or cap deploy the script hangs halfway through.
shell$ cap deploy:cold
* executing `deploy:cold'
* executing `deploy:update'
** transaction: start
* executing `deploy:update_code'
executing locally: "git ls-remote git#server.foo.com:test.git master"
* executing "git clone -q git#server.foo.com:test.git /home/deployer/www/apps/test/releases/20101223162936 && cd /home/deployer/www/apps/test/releases/20101223162936 && git checkout -q -b deploy be3165b74d52540742873c125fb85d04e1ee3063 && git submodule -q init && git submodule -q sync && git submodule -q update && (echo be3165b74d52540742873c125fb85d04e1ee3063 > /home/deployer/www/apps/test/releases/20101223162936/REVISION)"
servers: ["server.foo.com"]
[server.foo.com] executing command
Here is my deploy.rb:
$:.unshift(File.expand_path("~/.rvm/lib"))
require 'rvm/capistrano'
set :rvm_ruby_string, 'jruby'
# main details
set :application, "test_sqlserver"
role :web, "server.foo.com"
role :app, "server.foo.com"
role :db, "server.foo.com", :primary => true
# server details
default_run_options[:pty] = true
ssh_options[:forward_agent] = true
set :deploy_to, "/home/deployer/www/apps/#{application}"
set :deploy_via, :checkout
set :user, :deployer
set :use_sudo, false
# repo details
set :scm, :git
set :repository, "git#server.foo.com:test.git"
set :branch, "master"
set :git_enable_submodules, 1
I believe my file permissions are setup correctly
There appears to be a bug in JRuby since at least 1.6.5 -- see SSH Agent forwarding does not work with jRuby (which lets capistrano ssh-deployments fail)
Apparently one "workaround" is to not use SSH agent forwarding, though that may not be acceptable. If you want the issue noticed and fixed faster (I know I do), watching the issue might help.
Looks like you can't run Capistrano under jruby, as jruby-openssl doesn't support Net:SSH which underlies Capistrano.
http://jruby-extras.rubyforge.org/jruby-openssl/