Automating new user creation on new slices

Published January 21, 2007 - Updated January 21, 2007

When setting up your Slicehost VPS for deprec love there are two initial steps that are a bit of a pain in the butt:

  1. Creating the new deployment user with sudo
  2. Disabling SSH access for the root account

Update: The original code I posted below didn’t work (doing the interactive PTY password setting was tricky). The updated code now works, and uses String#crypt to encode the password for /etc/shadow.

Another update: You don’t even need this first one… just use the deprec cap task setup_admin_account.

For problem #1, creating a new deployment user with sudo, create the following slicehost.rake in lib/tasks:


require 'rubygems'
require 'capistrano/cli'
require 'net/ssh'

task :setup_deployment_user do
  print 'Slice host: '
  host = STDIN.gets.chomp

  password = Capistrano::CLI.password_prompt "Password for root@#{host}: "
  begin
    # Log in as root once to create the deployment account
    Net::SSH.start(host, 'root', password) do |session|
      print "New sudo account login: "
      new_login = STDIN.gets.chomp
      new_password = Capistrano::CLI.password_prompt "New password for #{new_login}: "
      shell = session.shell.sync
      # String#crypt (with the fixed salt 'hi') produces the hash useradd stores in /etc/shadow
      out = shell.useradd "--create-home --home /home/#{new_login} --shell /bin/bash --group nogroup --password #{new_password.crypt('hi')} #{new_login}"
      puts "Created account #{new_login}."
      # Grants the new account passwordless sudo for every command
      out = shell.echo %("#{new_login} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers)
      puts "Added #{new_login} to /etc/sudoers."
      shell.exit
    end
  rescue Net::SSH::AuthenticationFailed
    STDERR.puts "Authentication for root@#{host} failed"
  end
end
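
An added example, not part of the original post: the task above puts the typed login straight into a command run as root and hashes every password with the same salt 'hi', so this sketch validates the login, hashes with a random salt, and shell-escapes each argument. LOGIN_RE and the helper names are assumptions, and SHA-512 (`$6$`) output depends on the platform's crypt(3).

```ruby
require 'securerandom'
require 'shellwords'

# Assumption: a conservative login pattern; adjust to your distro's rules.
LOGIN_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Fresh salt per account, so equal passwords do not yield equal hashes.
def random_salt(len = 16)
  Array.new(len) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# SHA-512 crypt ("$6$salt$hash") via the platform's crypt(3).
def shadow_hash(password, salt = random_salt)
  hash = password.crypt("$6$#{salt}")
  raise 'crypt(3) here lacks SHA-512 ($6$) support' unless hash.start_with?('$6$')
  hash
end

# Builds the useradd command line as one shell-escaped string.
def useradd_command(login, password)
  raise ArgumentError, "invalid login: #{login.inspect}" unless login.match?(LOGIN_RE)
  ['useradd', '--create-home', '--home', "/home/#{login}",
   '--shell', '/bin/bash', '--groups', 'nogroup',
   '--password', shadow_hash(password), login].shelljoin
end

if __FILE__ == $0
  # Constructed sample values
  puts useradd_command('deploy', 'constructed-sample-password')
end
```

The escaping matters once the hash contains `$`: left unescaped, the remote shell would expand `$6` and the rest as variables and store a mangled hash.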

Update #2: I forgot that Ruby might not be installed at this point. I’ve changed it to use sed instead.

For problem #2, disabling root access, here’s a cap task to chuck in your deploy.rb:


desc "Changes the sshd config to disable root access via SSH and reloads sshd"
task :disable_root_access_via_ssh do
  sudo "sed -i -e 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
  sudo "/etc/init.d/sshd reload"
end
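
An added example, not part of the original post: the sed expression above only rewrites a line that reads exactly `PermitRootLogin yes`, so this sketch compares it with a rewrite that also covers commented-out, differently spelled, `without-password` and Match-block variants. All function names and the sample fragments are constructed for illustration.

```ruby
ACTIVE = /\A(\s*)PermitRootLogin\s+(\S+)/i
MATCH  = /\A\s*Match\s/i

# What the page's sed expression does, expressed in Ruby for comparison.
def page_sed(config)
  config.gsub(/^PermitRootLogin yes/, 'PermitRootLogin no')
end

# sshd keeps the first value it reads for a keyword. Returns the active global
# value, or nil when none is set and the compiled-in default applies.
def global_root_login(config)
  config.each_line do |line|
    break if line.match?(MATCH)
    m = line.match(ACTIVE)
    return m[2].downcase if m
  end
  nil
end

# Forces "no" on every active directive (Match blocks included) and adds a
# global one at the top when the file had none.
def disable_root_login(config)
  fixed = config.lines.map do |line|
    m = line.match(ACTIVE)
    m ? "#{m[1]}PermitRootLogin no\n" : line
  end.join
  global_root_login(fixed) ? fixed : "PermitRootLogin no\n" + fixed
end

# Constructed sshd_config fragments, not taken from a real host.
SAMPLES = [
  "PermitRootLogin yes\n",
  "#PermitRootLogin yes\n",
  "PermitRootLogin without-password\n",
  "permitrootlogin   yes\n",
  "Port 22\nMatch Address 10.0.0.0/8\n  PermitRootLogin yes\n"
].freeze

if __FILE__ == $0
  SAMPLES.each do |cfg|
    puts "sed: #{global_root_login(page_sed(cfg)).inspect}  " \
         "fixed: #{global_root_login(disable_root_login(cfg)).inspect}"
  end
end
```

Run `sshd -t` against the rewritten file before reloading, so a syntax error cannot lock you out of the slice.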

I’ve now got a working slicehost running nginx, postgresql, rails and mongrel cluster, with the following commands:


rake setup_deployment_user
cap disable_root_access_via_ssh
cap setup_ssh_keys

cap install_rails_stack
cap install_nginx
cap install_postgresql
cap setup_smtp_server
cap setup_servers
cap setup_app

cap setup
cap setup_cached_repository
cap deploy_with_migrations

I’ll get hold of Mike and we should be able to work this into deprec in the next week or so.

Archived comments

Comments were previously allowed on articles. Though no new comments are being accepted you can see the old comments below.

  1. Dan Kubb

    Very nice, I can’t wait to see these commands integrated into deprec.

    As a side note, do you have any cap recipes to setup and configure iptables?

  2. Tim Lucas

    Dan: no iptables config yet. Haven’t locked my slice down too well yet, and deprec’s standard setup is far from secure. What I hope to help make happen is something like the following, for an app named “toolman”:

    1. Apache runs as “toolman-web”
    2. Mongrel runs as “toolman-rails”
    3. toolman-web and toolman-rails are both in group toolman
    4. /var/www/appname is chown’d toolman-rails:toolman
    5. /var/www/appname is chmod with only ug+r, with public having u+w for rails caching, uploads, etc

    The deploy user would use sudo to write to the app dirs, and fix perms on code update.

    Each app in the server would run under different perms so neither could compromise one another.

  3. Mike Bailey

    Nice site Tim. I finish with my current employer this week so will have a bit more time for deprec.

    Here’s the instructions I sent to Matt at Slicehost. You’ll want to use the ‘_as_root’ version of setup_admin_user.

    - Mike

    1. Install rails app on Slicehost.com server with deprec

    $ sudo gem install deprec --include-dependencies

    $ export HOSTS=63.99.9.165

    $ cap setup_admin_account_as_root
    Enter userid for new user: mbailey
    Password: xxxxxx
    Enter new UNIX password: : xxxxx
    Retype new UNIX password: : xxxxx

    $ cap setup_ssh_keys
    Password: xxxxx

    1. You can now log into your slicehost using your new account (with sudo)
    2. This alone saves a lot of manual work setting your login. (But wait, there’s more!)

    $ ssh 63.99.9.165
    Linux deprec 2.6.16.29-xen #3 SMP Sun Oct 15 13:15:34 BST 2006 x86_64 GNU/Linux

    $ sudo echo "sudo working new account!"
    sudo working for new account!

    $ logout
    Connection to 63.99.9.165 closed.

    1. You can now use the standard deprec commands to install your rails app

    $ cap install_rails_stack
    $ cd /path/to/railsapp
    $ deprec --apply-to . --name projectname --domain www.projectname.com

    1. edit config/deploy.rb to put in details of your subversion repository
      $ cap deprec_setup
      $ cap deploy_with_migrations
      $ cap restart_apache
    1. Your application should now be running on your slicehost server!
  4. Tim Lucas

    Thanks Mike.

toolmantim

I’m Tim Lucas, a user experience developer currently in Sydney Australia.
