[Cap3] Execute some tasks as privileged user
54 views
Skip to first unread message
slowjack2k
May 2, 2014, 9:17:48 AM5/2/14
to capis...@googlegroups.com
Hi,
I would like to execute all sudo tasks with a privileged user and not the
current deployment user. Also I don't want to grand the actual deployment
user any sudo rights.
Is this possible?
For instance by overriding roles, release_roles and so on, determine the actual
task and return Host-Objects with a different user then the default one?
For my own Tasks I was able to do this with the following Code:
But with this approach I need to change every recipe and it does not work very well with third party
cap-tasks.
Regards
Dieter
I would like to execute all sudo tasks with a privileged user and not the
current deployment user. Also I don't want to grand the actual deployment
user any sudo rights.
Is this possible?
For instance by overriding roles, release_roles and so on, determine the actual
task and return Host-Objects with a different user then the default one?
For my own Tasks I was able to do this with the following Code:
module MyMod
def privileged_roles(*names)
roles(*names).map do |host|
host.clone.tap do |new_host|
new_host.netssh_options[:user] = fetch(:privileged_user)
new_host.user = fetch(:privileged_user)
end
end
end
end
self.extend MyMod
But with this approach I need to change every recipe and it does not work very well with third party
cap-tasks.
Regards
Dieter
Bruno Sutic
May 3, 2014, 5:03:51 PM5/3/14
to capis...@googlegroups.com
Hi Dieter,
you know you're kinda "fighting the system" with this one, right?
Capistrano suggests you give 'deploy' user passwordless sudo privileges. You can read about it here, the 'Authorization' section.
Anyway, if you still wanna do it maybe you can have something like this in the stage file:
# your standard roles here
role :app, %w{dep...@example.com}
role :web, %w{dep...@example.com}
role :db, %w{dep...@example.com}
# privileged roles here (same server though)
role :privileged_app, %w{privile...@example.com}, no_release: true
role :privileged_web, %w{privile...@example.com}, no_release: true
role :privileged_db, %w{privile...@example.com}, no_release: true
Essentially, you're defining another set of roles with a privileged user. Notice you're not doing any deployment with the privileged user (no_release is true).
So now you can define your tasks:
task :my_task do
on roles(:privileged_app) do
# stuff here
end
end
As for the 3rd party plugins, they should enable you to explicitly set a role that does 3rd party task. Something like this in the stage file:
set :third_party_plugin_role, :privileged_app
Please note, I didn't try this (and I don't intend to), but maybe it helps or gives you other ideas.
For the least amount of headache, I'd still suggest following the capistrano suggestion and enabling passwordless sudo if possible.
Bruno
slowjack2k
May 4, 2014, 2:37:57 PM5/4/14
to capis...@googlegroups.com
Hi Bruno,
thanks for your awnser! I will give it try and think about it. I don't want to fight the system.
I know from experince with Rails that fighting the system is a bad idea.
What drove me are security concerns. I dont want that my unicorn run with a user which is able to copy scripts
to the monit or sites-availbable folder.
What I have in mind is deploy the code with the unprivileged user (not sudo enabled) which also runs later the unicorn sever
and execute all sudo task with a second user. Tasks like restart the nginx, copy init.d scipts, copy
monit scripts and so on.
Sure I can deploy with the privileged user (sudo enabled) and change folder permissions later for the unprivileged user
which runs unicorn, but I think this is more error prone .
As for the 3rd party plugins, they should enable you to explicitly set a role that does 3rd party task.
That is a great hint! I think this should go into the documentation for capistrano. So that 3rd party developer keep
this in mind.
Dieter
Reply all
Reply to author
Forward
0 new messages