How to run an appspec.yml code deployment as the ubuntu user



AWS CodeDeploy is used for a simple WordPress application. The AWS CodeDeploy agent was installed on Ubuntu 20.04 with the help of the following script

#!/bin/bash
# Build and install the CodeDeploy agent from source; run as root.
apt update
apt install ruby -y
gem install bundler
git clone https://github.com/aws/aws-codedeploy-agent.git /opt/codedeploy-agent
# The agent runs as root, so its tree and config belong to root.
sudo chown -R root.root /opt/codedeploy-agent
sudo chmod 644 /opt/codedeploy-agent/conf/codedeployagent.yml
sudo chmod 755 /opt/codedeploy-agent/init.d/codedeploy-agent
sudo chmod 644 /opt/codedeploy-agent/init.d/codedeploy-agent.service
cd /opt/codedeploy-agent
bundle install --system
rake clean && rake
# Register the init script and start the agent under systemd.
cp /opt/codedeploy-agent/init.d/codedeploy-agent /etc/init.d/
systemctl daemon-reload
systemctl start codedeploy-agent
systemctl enable codedeploy-agent

The appspec.yml below is used for the deployment. It works fine with runas root.

Questions:

  1. How can I run it as the ubuntu user?
  2. Are there any issues with running it as root?

appspec.yaml file

version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/html/
    overwrite: true
hooks:
  BeforeInstall:
    - location: scripts/before_install.sh
      timeout: 300
      runas: root
  AfterInstall:
    - location: scripts/setup_environment.sh
      timeout: 300
      runas: root
    - location: scripts/after_install.sh
      timeout: 900
      runas: root
  ApplicationStart:
    - location: scripts/start_server.sh
      timeout: 300
  ApplicationStop:
    - location: scripts/stop_server.sh
      timeout: 300
  ValidateService:
    - location: scripts/validate_service.sh
      timeout: 300

When it is run as ubuntu, the following error is received.

Error code: ScriptFailed
Script name: scripts/setup_environment.sh
Message: Script at specified location: scripts/setup_environment.sh run as user ubuntu failed with exit code 4

LifecycleEvent - AfterInstall
Script - scripts/setup_environment.sh
[stderr]shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[stderr]shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[stderr]/opt/codedeploy-agent/deployment-root/44d6390b-485e-87ef-b50855bbf251/d-D0RTN7AR5/deployment-archive/scripts/setup_environment.sh: line 4: /var/www/html/.env: Permission denied
[stderr]sed: couldn't open temporary file /var/www/html/scripts/seTwGZAv: Permission denied

If you run it as the ubuntu user it will not work, because of the insufficient permissions you are hitting:

couldn't open temporary file /var/www/html/scripts/seTwGZAv: Permission denied

The reason is that the ubuntu user cannot access /var/www/html/. To make it work you would have to change its default permissions, which is bad practice.

Some things must be done as root, unless you want to start changing the default configuration and permission model of the Ubuntu OS.

Since the appspec.yml file and the scripts are managed by you, there is no security issue in running the scripts as root. What you write is what you get.

When using any non-root user, it is important to give that user all the required permissions. In most cases you would have to use sudo before every command and make sure your user has been added to the sudoers.

You need to make sure that

  1. your git is secure and protected from any unauthorized changes
  2. CodeDeploy is accessible only by trusted resources

If those two things are checked, it is not possible to run any unusual commands on the system.
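As an added example (not from the original post or the CodeDeploy project), here is the shape of the two hooks that let the AfterInstall scripts run with `runas: ubuntu` instead of root. The agent installed above runs as root and copies the `files:` section as root, so when AfterInstall starts the tree under /var/www/html is root-owned: the redirection to `.env` fails because ubuntu cannot create files in that directory, and `sed -i` fails because it writes its temporary file next to the edited file and therefore needs write permission on the directory, not only on the file. The fix is a first AfterInstall hook with `runas: root`, listed before `setup_environment.sh`, that hands the deployed tree to the deploy user (the appspec `permissions:` section, which sets owner, group and mode after Install, is the declarative alternative), followed by the ubuntu-run script, which checks that it can write before touching anything. The user and group names, the paths and the `scripts/config.sh` file it edits are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a root-run hook that hands the deployed tree to the deploy
# user, followed by the checks a non-root hook should make before writing.
# Paths, user and group names are assumptions, not values from the post.

# Give DIR (recursively) to OWNER:GROUP. Directories get 2775 so files the
# deploy user creates later inherit GROUP (e.g. www-data for the web server);
# files get 0664. Call this from a hook with `runas: root`, listed before any
# `runas: ubuntu` hook of the same lifecycle event.
hand_over_tree() {
    dir=$1 owner=$2 group=$3
    mkdir -p "$dir" || return 1
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 0664 {} + || return 1
}

# Return 0 only if the current user can create files in DIR (needed for the
# .env redirection and for `sed -i`, which writes a temporary file next to the
# file it edits) and can write the named FILE inside it.
can_edit_in_place() {
    dir=$1 file=$2
    [ -d "$dir" ] && [ -w "$dir" ] && [ -w "$dir/$file" ]
}

# The work the ubuntu-run setup_environment.sh does, guarded: fail with a
# clear message and exit code 4 instead of a bare "Permission denied" from the
# shell redirection or from sed.
write_env() {
    dir=$1 db_host=$2
    if ! can_edit_in_place "$dir" "scripts/config.sh"; then
        echo "$(id -un) cannot write in $dir; run a root hook that chowns it first" >&2
        return 4
    fi
    # .env holds secrets: create it without the world-read bit.
    ( umask 027 && printf 'DB_HOST=%s\n' "$db_host" > "$dir/.env" ) || return 1
    # GNU sed: in-place edit, which needs write access to the directory.
    sed -i "s|^DB_HOST=.*|DB_HOST=$db_host|" "$dir/scripts/config.sh"
}

# Usage from the hooks (assumed paths):
#   root hook:    hand_over_tree /var/www/html ubuntu www-data
#   ubuntu hook:  write_env /var/www/html "$DB_HOST"
```

Keeping the root hook to the ownership hand-over, and everything else under `runas: ubuntu`, limits what a mistake or a tampered script in the deployment archive can do to the files that user owns.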
