Run deployment task as different users.


d2kagw

Jul 5, 2011, 5:58:04 AM
to Capistrano
I have a very simple Capistrano recipe that needs to be deployed on a
very complicated hardware stack and I was hoping someone could point
out where I'm going wrong.

The security of our infrastructure requires that I:

* use a gateway
* deploy as a user other than myself

So, Capistrano needs to:

1. connect through a gateway as `authuser`
2. through the gateway connect to the app server as `authuser`
3. deploy files on the app server as `deployuser`

I've got it doing steps 1 and 2 without issue, but re: step 3, it runs
the deploy as `authuser` instead of `deployuser` even though I've set
the runner as `deployuser`.

Here's the config portion of the deploy.rb file:

```ruby
app = "new-app"
auth_user = "authuser"
deploy_user = "deployuser"

set :user, "#{auth_user}"
set :gateway, "#{auth_user}@<gateway ip address>"
ssh_options[:forward_agent] = true
default_run_options[:pty] = true

# Repository setup
set :application, "#{app}"
set :repository, "g...@github.com:#{auth_user}/#{app}.git"

set :scm, :git
set :branch, "master"
set :deploy_via, :remote_cache
set :git_enable_submodules, 1

# Roles
set :admin_runner, "#{deploy_user}"
set :runner, "#{deploy_user}"
role :web, "#{auth_user}@<gateway ip address>"
role :app, "#{auth_user}@<gateway ip address>"
role :db, "#{auth_user}@<gateway ip address>"

# Location
set :deploy_to, "/var/apps/#{app}"

# TASKS -------------------------------------------------
...
```

Any ideas what could be going wrong?

Notes: when I run deploy:setup, the commands are run as `authuser`,
it's just when I do a normal deploy that things go wrong.

Donovan Bray

Jul 5, 2011, 11:05:07 PM
to capis...@googlegroups.com
set :user should be your deploy_user

I've never used the syntax you have for the gateway; so I can't vouch for that.


d2kagw

Jul 6, 2011, 12:50:26 AM
to Capistrano
Thanks Donovan. Unfortunately, changing the user like you suggested
didn't fix the problem.

Re: your comment on my gateway syntax, should it be done another way?

On Jul 6, 1:05 pm, Donovan Bray <donno...@gmail.com> wrote:
> set :user should be your deploy_user
>
> I've never used the syntax you have for the gateway; so I can't vouch for that.
>

Donovan Bray

Jul 6, 2011, 2:18:13 AM
to capis...@googlegroups.com
Take a look at this blog by Jamis when he introduced the feature:

http://weblog.jamisbuck.org/2006/9/26/inside-capistrano-the-gateway-implementation

My guess is you may need to set the user for the deploy one way but pass the options hash to the gateway command with a different user specified.

I'll take a look at the capistrano source tomorrow to verify.
