I am using AWS CodeDeploy to deploy code to our AWS Amazon Linux instances. I followed this knowledge base article https://aws.amazon.com/premiumsupport/knowledge-center/codedeploy-agent-non-root-profile/ to have the agent execute in the ec2-user context instead of root
Before making the change, the script in the yml file executed as expected (but we need the script to execute in non root context) and setting the runas: part of the appspec.yml file did not seem to execute the script in the ec2-user context as expected
appspec.yml:
version: 0.0
os: linux
files:
- source: /
destination: /home/ec2-user/veddor/api
owner: ec2-user
hooks:
AfterInstall:
- location: deploy/script/deploy-veddor-api.sh
timeout: 300
runas: ec2-user
Since making the change, this error now shows up rather than executing the script specified in the appspec file
LifecycleEvent - AfterInstall
Script - deploy/script/deploy-veddor-api.sh
[stderr]Password: su: Authentication failure
contents of the deploy-veddor-api.sh
cp /home/ec2-user/veddor/api/deploy/config/Config-roddev.php /home/ec2-user/veddor/api/app/config/Config.php
cd /home/ec2-user/veddor/api
chmod +x ./composer.phar
php ./composer.phar install
I am looking for help to figure out what I need to do to get the script deploy-veddor-api.sh to actually run in the ec2-user context.
You may be running the AWS CodeDeploy Agent as a non-root user. Only root will have the ability to have a runas user in your AfterInstall hook, as no other user account can run the substitute user "su" command without password authentication.
Check out the details for "runas" in AWS' appspec user guide:
https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html
runas Optional. The user to impersonate when running the script. By
default, this is the AWS CodeDeploy agent running on the instance. AWS
CodeDeploy does not store passwords, so the user cannot be
impersonated if the runas user needs a password. This element applies
to Amazon Linux and Ubuntu Server instances only.
If you are already running the CodeDeploy Agent as ec2-user, then you do not need to supply the runas element in your AfterInstall hook.
If you are use SDK to trigger CodeDeploy, here is a param: ignoreApplicationStopFailures: true
see: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CodeDeploy.html#createDeployment-property
if you have codedeploy already configured as non root, then remove the runas commands from appspec.yml. Save it and retry!
Related
Just installed GitLab runner service and tried to run a basic job.
I got the following output:
Password: su: Authentication failure
ERROR: Job failed: prepare environment: exit status 1. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
Googling, I found that the contents of the .bash_logout may be a problem, but my .bash_logout was blank. I created and added ssh keys for the gitlab-runner user, and was able to manually clone via ssh, but I can't get the job to run. Anyone experienced this that can offer a suggestion?
I found the issue was in the pam file. root couldn't su to gitlab-runner
Background story: GitLab runner is running as root user, in order to retrieve for example the /etc/gitlab-runner/config.toml file. If your gitlab-runner is already running rootless you might want to remove the --user gitlab-runner from the systemd service file. However, most likely your Gitlab Runner is running as root.
If you increase the security on your host machine and disable the root user and the su command. You could enable this again by editing /etc/pam.d/su file and set:
auth sufficient pam_rootok.so
Or only allow the root user to use the su command to only switch to the gitlab-runner user (without password):
auth [success=ignore default=1] pam_succeed_if.so user = gitlab-runner
auth sufficient pam_succeed_if.so use_uid user = root
When I ssh into an aws ec2 Linux instance, I am ec2-user. The instance is a Jenkins master. When I try su - jenkins and entered the correct password, the system says Last login: .... which looks like the switching succeeded. But whoami says I'm still ec2-user.
What am I missing? Thanks!
jenkins is a service account, it doesn't have a shell by design. It is generally accepted that service accounts shouldn't be able to log in interactively.
if you really want to login as Jenkins, you can do so with: sudo su -s /bin/bash jenkins
I've created a jenkins server, and I am trying to build a .net core 2.0.0 project on the server. I've been able to successfully pull from source control and store source files in the workspace. However, I'm running into an issue with running the dotnet build command. This is what I'm getting.
/usr/share/dotnet/sdk/2.0.0/Microsoft.Common.CurrentVersion.targets(4116,5):
error MSB3021: Unable to copy file
"obj/Debug/netcoreapp2.0/ubuntu.16.04-x64/Musify.pdb" to
"bin/Debug/netcoreapp2.0/ubuntu.16.04-x64/Musify.pdb". Access to the
path is denied. [/var/lib/jenkins/workspace/Musify/Musify.csproj]
now, I've given read write and execute permissions to every file and directory in /usr/share/dotnet/sdk/2.0.0/, and I've given read write and execute to every file and directory in my workspace (/var/lib/jenkins/workspace/Musify). I also believe my jenkins user is part of the sudo group.
The weird thing I am experiencing, is that I am able to, as root, run dotnet build in my workspace directory (/var/lib/jenkins/workspace/Musify), and the project builds. I cannot however, get the same results under the jenkins user (who should be part of the sudo group). My question is, how can I verify that Jenkins is using the jenkins system user, and that this user has the correct permissions to run this command. I am hosting jenkins on an ubuntu 16.04 x64 server.
UPDATE:
At the command line on your jenkins host run
ps -ef | grep jenkins
the first column will give you the USERID and it should be, as you say, jenkins
Then if you can login as jenkins to the host where the jenkins server is running run the following ....
groups
this will list out the groups that jenkins is a part of
If you want to fix the dotnet build issue take following actions:
Set DOTNET_CLI_HOME environment variable on the docker to a common
path like /tmp on the container. This path is used by the dotnet
to create necessary files to build the project. Check
Dotnet build permission denied in Docker container running Jenkins
Use -o or another accessible path to create the artifacts in the desired directory. e.g. dotnet build -o /tmp/dotnet/build/
microsoftisnotthatbad.sln
Re the jenkins user problem, run whoami in the container. If you get whoami: cannot find name for user ID blahblah it means the user is not found in the passwd file. There are 2 answers under Docker Plugin for Jenkins Pipeline - No user exists for uid 1005, if item 1 did not work, try the second:
Mount the host passwd to the container.
If the jenkins user is logged using an identity provider like LDAP on the Jenkins server or the slave server your job is using, the passwd file of the host will not have the jenkins user. Check the other answer on that post.
I am new to linux world. So please excuse for any stupid questions.
I have a linux machine and I don’t have root access. I have service account which have full access to app folder. My login (ssh) credentials don’t have access to that app folder.
So I will follow the below process.
1) Copy the app folder in windows machine to /tmp/ in linux using winscp.
2) Login to the machine using putty.
3) Change the user to service account using below command.
sudo su – “service account”
4) Then I will copy app files from /tmp/ folder to /app/ folder and start the other configurations.
I want to automate the above process. So for I did below.
#Copy files to tmp folder
winscp.com -hostkey=* user:"password"#host /command "put D:/app_folder/ /tmp/ app_folder"
#Execute the script remotely
plink user:#host -m D:\Install_app.sh
The above script is running fine until I run test echo commands. It is started throwing errors when I run configuration commands due to user don’t have access to app folder. Only service account has access. But service account doesn’t have remote login access. So I can’t run the script with service account.
So I tried to run commands inside the script with service account. I tried below
Echo “password” | sudo –S su - “service account” “commands”
It is not working. Could you please let me know is there any other way to achieve this. I want to change user inside the script, once script start executing.
Note: The process is following by linux admin team due to security reason. So I can’t change the process :(.
I have begun a deployment on amazon ec2 I have deployed my war file and putty(d) in sucessfully to the correct instance using SSH (I generated a key pair)
I am logging in as ec2-user (the default) but the file permissions I need access to are owned by tomcat7.
Any suggestions please on how to su in as tomcat7 (or even root)
ok. I used sudo su and that did the trick!