Enhances provisioning for sudo-only hosts#4242
Open
alexstewartja wants to merge 2 commits into
Open
Conversation
Shared-hosting VPS offerings (e.g. GoDaddy) grant sudo access but no
direct root login, which breaks multiple assumptions in the provision
recipes. All changes are guarded so the default root-login path is
unaffected.
provision:user:
- /root/.ssh/authorized_keys may not exist when you connect as a
non-root provision_user. Fall back to that user's authorized_keys
(resolved via getent) so the deployer user still gets a login key.
- Create {{deploy_path}} and chown it to deployer while still running
as the privileged host user, since a non-root user cannot chown.
provision:website:
- Set remote_user to provision_user (every other provision task does)
so commands connect as that user and elevate via the host's
become:root; otherwise a standalone run never establishes root and
the mkdir/chown run unprivileged -> Permission denied.
- Create the log dir and assign owner deployer / group caddy in the
root context. The deployer user's supplementary caddy group is not
reliably active in the non-login 'sudo -H -u deployer' shell, so a
later 'chgrp caddy' as deployer fails with Operation not permitted.
Ensures the caddy daemon (which runs as group `caddy`) can create `access.log`
within `{{deploy_path}}/log`. Without `775` permissions, `service caddy reload`
fails to open the log writer.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Improves the provisioning process to support VPS environments that do not provide direct root access, relying instead on a user with
sudoprivileges.Provision User Setup:
authorized_keysfile for theprovision_userif the root user's key isn't available.sudofallbacks for copying public keys and generating SSH keys for thedeployeruser, allowing these operations to succeed even without direct write permissions by leveragingsudo.deploy_pathis created and owned by thedeployeruser during the initial user provisioning, making it ready for deployment.Website Provisioning:
remote_userto theprovision_userfor the initial stages of website provisioning, enablingsudooperations where necessary before switching to thedeployeruser.deployer:caddy) and makes thelogdirectory group-writable (chmod 775) to ensure the Caddy web server can successfully write access logs, preventing reload failures.