capistrano-ext-superusers 0.2.0 → 0.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +59 -0
- data/capistrano-ext-superusers.gemspec +23 -0
- data/lib/capistrano/ext/superusers.rb +14 -0
- metadata +14 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e1cab0c735883f7f277943a7f27a37e5ce8b955a
|
|
4
|
+
data.tar.gz: 0cd390a64b985483982053edc02517828cc191e8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9693dccf32d7e9a8caf7945a1b5822d5c369660a3e5629cb4b6a058801dbe2249f7e369539dfe103e990a3d0c13513e1ac56d668c3169bb8da705d65165a0c3e
|
|
7
|
+
data.tar.gz: 5fefdee5527f610b9ce75d5661644038dea0f7a01d35fa8ce11c6ca99976f9bfec7ac85f7f053875bc3463566ee4fcfa2c6192d5e51a9d83f385a8112c22152d
|
data/README.md
ADDED
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
Capistrano::Ext::Superusers
|
|
2
|
+
==
|
|
3
|
+
|
|
4
|
+
A simple rubygem to help run commands and environments as a named user to a common deploy user
|
|
5
|
+
|
|
6
|
+
Rationale
|
|
7
|
+
--
|
|
8
|
+
|
|
9
|
+
Its pretty common to want to have named access to a server but to be able to automate running and connecting as a shared/common user. And to not over engineer groups and ACLs
|
|
10
|
+
|
|
11
|
+
Config
|
|
12
|
+
--
|
|
13
|
+
|
|
14
|
+
```ruby
|
|
15
|
+
set :owner, 'common_user' # Defaults to 'nobody'
|
|
16
|
+
set :user_sudo, '/path/to/script' # Defaults to "sudo -u #{owner} -i"
|
|
17
|
+
set :ssh_forward, '/path/to/script' # Defaults to "setfacl -m #{owner}:rx $(dirname $SSH_AUTH_SOCK) && setfacl -m #{owner}:rwx $SSH_AUTH_SOCK")"
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
I don't get it....
|
|
21
|
+
--
|
|
22
|
+
|
|
23
|
+
Consider the simple bundler sort of task as per:
|
|
24
|
+
|
|
25
|
+
```ruby
|
|
26
|
+
namespace :deploy do
|
|
27
|
+
task :bundle do
|
|
28
|
+
run "cd #{current_path} && bundle install --deployment --binstubs --without test cucumber development ruby-debug"
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
We could prepend the sudo command (as above) and do:
|
|
34
|
+
|
|
35
|
+
```ruby
|
|
36
|
+
run "sudo -u nobody -i cd #{current_path} && bundle install --deployment --binstubs --without test cucumber development ruby-debug"
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
But this will change the dir as 'nobody' then drop back to the deploy user. We could then do, instead;
|
|
40
|
+
|
|
41
|
+
```ruby
|
|
42
|
+
run "sudo -u nobody -i bash -c 'cd #{current_path} && bundle install --deployment --binstubs --without test cucumber development ruby-debug'"
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
Or; more betterly:
|
|
46
|
+
|
|
47
|
+
```ruby
|
|
48
|
+
run "sudo -u nobody -i #{default_shell} -c 'cd #{current_path} && bundle install --deployment --binstubs --without test cucumber development ruby-debug'"
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
Which has already lost DRY points.
|
|
52
|
+
|
|
53
|
+
But what, then, if the Gemfile has gems pointing to git repos we need a key for? We would then need to do two things; add `$SSH_AUTH_SOCK` to env_keep in our sudoers file and then give the `:owner` access to this to. We could extend further without this gem and chain out a massive:
|
|
54
|
+
|
|
55
|
+
```ruby
|
|
56
|
+
run "#{update_perms_on_key} && sudo -u nobody -i #{default_shell} -c 'cd #{current_path} && bundle install --deployment --binstubs --without test cucumber development ruby-debug'"
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
And, because every new session creates another of these and Capistrano is a tad wasteful we'd end up needing to do this for every `run`.
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
$:.push File.expand_path("../lib", __FILE__)
|
|
2
|
+
|
|
3
|
+
Gem::Specification.new do |spec|
|
|
4
|
+
spec.name = 'capistrano-ext-superusers'
|
|
5
|
+
spec.version = '0.3.1'
|
|
6
|
+
spec.platform = Gem::Platform::RUBY
|
|
7
|
+
spec.authors = ['Funding Circle Engineering']
|
|
8
|
+
spec.email = ['engineering+capistrano-ext-superusers@fundingcircle.com']
|
|
9
|
+
spec.summary = 'Run Capistrano commands as a superuser'
|
|
10
|
+
spec.description = 'Capistrano extension to run commands as an unprivileged user in a sensible manner'
|
|
11
|
+
spec.homepage = 'https://github.com/FundingCircle/capistrano-ext-superusers'
|
|
12
|
+
spec.license = 'BSD-3-Clause'
|
|
13
|
+
|
|
14
|
+
spec.files = `git ls-files -z -- ./* ':(exclude)spec/*'`.split("\x0")
|
|
15
|
+
|
|
16
|
+
spec.add_dependency 'capistrano', '>=2.11.0'
|
|
17
|
+
spec.add_dependency 'capistrano-ext'
|
|
18
|
+
|
|
19
|
+
spec.add_development_dependency 'rspec'
|
|
20
|
+
spec.add_development_dependency 'capistrano-spec'
|
|
21
|
+
|
|
22
|
+
spec.require_path = 'lib'
|
|
23
|
+
end
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
require 'capistrano'
|
|
2
|
+
Capistrano::Configuration.class_eval do
|
|
3
|
+
def superuser cmd, options={}
|
|
4
|
+
owner = fetch(:owner, 'nobody')
|
|
5
|
+
|
|
6
|
+
user_sudo = fetch(:user_sudo, "sudo -u #{owner} -i")
|
|
7
|
+
ssh_forward = fetch(:ssh_forward, "setfacl -m #{owner}:rwx $(dirname $SSH_AUTH_SOCK) && setfacl -m #{owner}:rwx $SSH_AUTH_SOCK")
|
|
8
|
+
shell = fetch(:user_shell, :default_shell)
|
|
9
|
+
|
|
10
|
+
cmd.gsub! "\n", ""
|
|
11
|
+
|
|
12
|
+
run "#{ssh_forward} && #{user_sudo} #{shell} -c '#{cmd}'", options
|
|
13
|
+
end
|
|
14
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: capistrano-ext-superusers
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
- Funding Circle
|
|
7
|
+
- Funding Circle Engineering
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-10-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: capistrano
|
|
@@ -66,16 +66,20 @@ dependencies:
|
|
|
66
66
|
- - ">="
|
|
67
67
|
- !ruby/object:Gem::Version
|
|
68
68
|
version: '0'
|
|
69
|
-
description: Capistrano extension to run sensible
|
|
69
|
+
description: Capistrano extension to run commands as an unprivileged user in a sensible
|
|
70
|
+
manner
|
|
70
71
|
email:
|
|
71
|
-
-
|
|
72
|
+
- engineering+capistrano-ext-superusers@fundingcircle.com
|
|
72
73
|
executables: []
|
|
73
74
|
extensions: []
|
|
74
75
|
extra_rdoc_files: []
|
|
75
|
-
files:
|
|
76
|
-
|
|
76
|
+
files:
|
|
77
|
+
- README.md
|
|
78
|
+
- capistrano-ext-superusers.gemspec
|
|
79
|
+
- lib/capistrano/ext/superusers.rb
|
|
80
|
+
homepage: https://github.com/FundingCircle/capistrano-ext-superusers
|
|
77
81
|
licenses:
|
|
78
|
-
-
|
|
82
|
+
- BSD-3-Clause
|
|
79
83
|
metadata: {}
|
|
80
84
|
post_install_message:
|
|
81
85
|
rdoc_options: []
|
|
@@ -93,8 +97,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
93
97
|
version: '0'
|
|
94
98
|
requirements: []
|
|
95
99
|
rubyforge_project:
|
|
96
|
-
rubygems_version: 2.6.
|
|
100
|
+
rubygems_version: 2.6.14
|
|
97
101
|
signing_key:
|
|
98
102
|
specification_version: 4
|
|
99
|
-
summary:
|
|
103
|
+
summary: Run Capistrano commands as a superuser
|
|
100
104
|
test_files: []
|