Deployment: Which account should run Capistrano's deploy:setup command?

xiaoronglv · March 12, 2013 · Last by mars replied at March 12, 2013 · 3067 hits

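My VPS has three accounts:

root

xiaorong (has sudo privileges)

webapp (no sudo privileges; used to deploy and run the application)

When deploying, running cap deploy:setup requires sudo privileges.

I don't know what to do. Do I really have to give webapp sudo privileges too?

Put the deploy directory inside your deploy user's home directory, and you won't need sudo.

You should probably use webapp, to be safe.

The sudo problem is probably that permissions on the deploy target directory on the server haven't been granted to the webapp user.

webapp. Having sudo privileges is trouble too.

#1 @lidashuang

Actually, I did put it in webapp's directory. But the system still asks me for sudo privileges when deploying. Strange.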

https://github.com/xiaoronglv/chalkboard/blob/master/config/deploy.rb

require 'rvm/capistrano'
require 'bundler/capistrano'

set :rvm_type, :system
set :rvm_ruby_string, 'ruby-2.0.0-p0'
set :runner, 'webapp'
set :user, 'webapp'

role :web, '192.81.130.103'
role :app, '192.81.130.103'
role :db, '192.81.130.103', :primary => true

set :application, 'chalkboard'
set :deploy_to, '/home/webapp/apps/chalkboard'
set :use_sudo, false

set :repository, 'git://github.com/xiaoronglv/chalkboard.git'
set :scm, :git
set :scm_verbose, true
set :branch, 'master'
set :deploy_via, :remote_cache

default_run_options[:pty] = true


after 'deploy', 'deploy:cleanup'

namespace :deploy do

  task :start, :roles => :app do
    run "cd #{deploy_to}/current/; RAILS_ENV=production bundle exec unicorn_rails -c config/unicorn.rb -D"
    #run "/etc/init.d/unicorn_#{application} start"
  end

  task :stop, :roles => :app do
    run "kill -QUIT `cat #{deploy_to}/current/tmp/pids/unicorn.pid`"
    #run "/etc/init.d/unicorn_#{application} stop"
  end

  desc "Restart Application"
  task :restart, :roles => :app do
    run "kill -USR2 `cat #{deploy_to}/current/tmp/pids/unicorn.pid`"
  end


  task :setup_config, :roles => :app do
    sudo "ln -nfs #{current_path}/config/nginx.conf /etc/nginx/sites-enabled/#{application}.conf"
    sudo "ln -nfs #{current_path}/config/unicorn_init.sh /etc/init.d/unicorn_#{application}"
    run "mkdir -p #{shared_path}/config"
    put File.read('config/database.example.yml'), "#{shared_path}/config/database.yml"
    puts "Now edit the config files in #{shared_path}."
  end
  after 'deploy:setup', 'deploy:setup_config'

  task :symlink_config, :roles => :app do
    run "ln -nfs #{shared_path}/config/database.yml #{release_path}/config/database.yml"
  end
  after 'deploy:finalize_update', 'deploy:symlink_config'

end

Check which command being executed needs sudo.

Is it this part?

sudo "ln -nfs #{current_path}/config/nginx.conf /etc/nginx/sites-enabled/#{application}.conf"
sudo "ln -nfs #{current_path}/config/unicorn_init.sh /etc/init.d/unicorn_#{application}"
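
Added example, not part of the thread or of the chalkboard project: a small Ruby check that lists the explicit `sudo` calls in a Capistrano 2 recipe, the task each belongs to, and the hook that pulls that task into `deploy:setup`. `set :use_sudo, false` only changes Capistrano's built-in tasks, so these calls still go through sudo; `SAMPLE`, `Finding` and `sudo_calls` are hypothetical names, and the recipe is assumed to be conventionally formatted.

```ruby
# Added example, not code from the thread. SAMPLE is constructed from the
# deploy.rb posted above, trimmed to the lines that matter here.
SAMPLE = <<~'RECIPE'
  set :deploy_to, '/home/webapp/apps/chalkboard'
  set :use_sudo, false
  namespace :deploy do
    task :restart, :roles => :app do
      run "kill -USR2 `cat #{deploy_to}/current/tmp/pids/unicorn.pid`"
    end
    task :setup_config, :roles => :app do
      sudo "ln -nfs #{current_path}/config/nginx.conf /etc/nginx/sites-enabled/#{application}.conf"
      sudo "ln -nfs #{current_path}/config/unicorn_init.sh /etc/init.d/unicorn_#{application}"
      run "mkdir -p #{shared_path}/config"
    end
    after 'deploy:setup', 'deploy:setup_config'
  end
RECIPE

Finding = Struct.new(:task, :line, :command, :system_paths, :runs_after)

# Returns one Finding per explicit `sudo "..."` call. Assumes one statement
# per line and blocks opened with `do` (hypothetical helper, not Capistrano API).
def sudo_calls(source)
  hooks = Hash.new { |h, k| h[k] = [] } # task name => tasks it is hooked after
  source.scan(/^\s*after\s+['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]/) do |trigger, task|
    hooks[task] << trigger
  end
  stack = [] # names of open namespace/task blocks (nil for any other block)
  findings = []
  source.each_line.with_index(1) do |line, number|
    if (m = line.match(/^\s*(?:namespace|task)\s+:(\w+).*\bdo\s*$/))
      stack << m[1]
    elsif line =~ /\bdo\s*(\|[^|]*\|)?\s*$/
      stack << nil
    elsif line =~ /^\s*end\b/
      stack.pop
    elsif (m = line.match(/^\s*sudo\s+(["'])(.*)\1/))
      task = stack.compact.join(':')
      # Literal absolute paths are system locations, not the interpolated deploy paths.
      paths = m[2].split.select { |token| token.start_with?('/') }
      findings << Finding.new(task, number, m[2], paths, hooks[task])
    end
  end
  findings
end

sudo_calls(SAMPLE).each { |f| puts "#{f.task} line #{f.line} (after #{f.runs_after.join(', ')}): #{f.system_paths.join(' ')}" } if __FILE__ == $PROGRAM_NAME
```

Both findings belong to `deploy:setup_config`, which the `after 'deploy:setup'` hook runs as part of `cap deploy:setup`; the `run` lines are not reported.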

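#5 @lidashuang

I went with a compromise:

  1. Give webapp sudo privileges

  2. All accounts log in with keys.

That should be fine security-wise, right?

Some Capistrano commands need sudo privileges; I recommend using a non-root user with sudo privileges.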
