this is my first Django project, I apologies if I say some nonsense
To start a game server, I have to login with ssh as the user running the server, then type./server start to start it.
I want to be able to run this command from a webapp.
As of now, I've managed to do this on Django.
What I want to do is that when I press the "Start" button, this commands run on the server side:
su - gameuser -c '/home/gameuser/server start' > /dev/null 2>&1
The problem I'm facing is that I don't know how to login as the gameuser since I'm not a running the webapp as a sudo user.
How can I approach this problem?
Thanks in advance :D
You can configure ssh keys for webapp user to login as gameuser without entering password and execute:
ssh gameuser#localhost -c '/home/gameuser/server start' > /dev/null 2>&1
You can configure webuser to execute specified command with sudo (sudoers file is pretty flexible)
add the following to /etc/sudoers
webapp ALL = (gameuser) ALL
and then you can run the following as webapp user
sudo su - gameuser -c '/home/gameuser/server start' > /dev/null 2>&1
You can improve the second option, allowing webapp user to execute only specific command as gameuser, for example write start script ( /home/gameuser/server_start.sh ) and add to the /etc/sudoers:
webapp ALL = (gameuser) /home/gameuser/server_start.sh
and again you will able to run the following in more secure way.
sudo su -gameuser -c /home/gameuser/server_start.sh
Related
I have a docker container running and it's exposing port 22 to local host port 1312. I am using the following command to run the container:
docker run -it -d -p 127.0.0.1:1312:22 -v
/workspace/project:/root --name
cpp_dep cpp_dep
Now to build the project in CLion, it need to be able to ssh into the container. I entered the container in interactive mode and ran "service ssh restart".
Now when I try to ssh into root#127.0.0.1:1312, it asks for my password. But when I enter my sudo (root) password, it keeps saying permission denied.
Is it an issue with ssh key? Which password should i use? or is there any way to bypass the password?
I am running a MAC OS.
Thanks in advance.
You may enter the container in interactive mode, use whoami to find the current user while use passwd to change the password of current user, then ssh into it using the updated passwd.
More details if you are interested:
User running the container is decided by
USER config in your Dockerfile: https://docs.docker.com/engine/reference/builder/#user
-u option in docker run command: https://docs.docker.com/engine/reference/run/#user
By default it's root (uid = 0), but it depends on your settings.
User password is stored in /etc/passwd file, which is different inside the container and in the host, so the same uid may have different password inside the container. It's a workaround to mannually reset it using passwd in the interactive mode but your may also set it in Dockerfile like
RUN echo 'root:Docker!' | chpasswd // (NOTICE: unsafe!)
It changes the password for root as "Docker!"
EDIT #1
As emphasized by David Maze in comments, it's unsafe to store plain password in the Dockerfile as it's public to anyone who get the source file, and it's not uncommon source files intended to be private mistakenly submitted to open github repository. If the container needs to provide public service, you must use build args (https://docs.docker.com/engine/reference/commandline/build/#set-build-time-variables---build-arg) so password can be secretly specified at build time.
Dockerfile:
ARG PASSWD
RUN echo 'root:${PASSWD}' | chpasswd
build:
docker build --build-arg PASSWD=<secret stored safely>
I am trying to setup hyperledger fabric blockchain network using amazon managed blockchain following this guide. To entroll, I have used the following command,
fabric-ca-client enroll -u 'https://admin:#D7a22hjjh*9b9#ca.m-zzz.n-zzzz.managedblockchain.us-east-1.amazonaws.com:30002' --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem -M /home/ec2-user/admin-msp
I got the following error,
Error: The URL of the fabric CA server is missing the enrollment ID and secret; found 'https://admin:#D7a22613ac75c9b9#ca.m-zzz.n-zzzz.managedblockchain.us-east-1.amazonaws.com:30002' but expecting 'https://<enrollmentID>:<secret>#admin:'
I thought this is due to # symbol in the password. For testing purpose I remove the # symbol and tried. I got the following error.
Error: Failed to create keystore directory: mkdir /home/ec2-user/admin-msp: permission denied
when I use sudo, I am getting the following error,
sudo: fabric-ca-client: command not found
Help me to fix this issue.
What user are you logged in as? whoami
You should be using ec2-user, which has access to the /home/ec2-user/ directory.
You can try manually creating the admin-msp directory before running enrolling the admin:
cd ~ && mkdir admin-msp
Then try running your command.
If that doesn't work, use sudo to create the directory and then chown it to be owned by ec2-user:
cd ~
sudo mkdir admin-msp
sudo chown ec2-user ~/admin-msp
Then try your command.
Note that you can also wrap the username/password in quotes:
fabric-ca-client enroll -u 'https://"admin":"#D7a22hjjh*9b9"#ca.m-zzz.n-zzzz.managedblockchain.us-east-1.amazonaws.com:30002' --tls.certfiles /home/ec2-user/managedblockchain-tls-chain.pem -M /home/ec2-user/admin-msp
Boiling my issue down to the simplest case, I'm using Compute Engine with the following startup-script:
#! /bin/bash
sudo useradd -m drupal
su drupal
cd /home/drupal
touch test.txt
I can confirm the drupal user exists after this command, so does the test file. However I expect the owner of the test file to be 'drupal' (hence the su). However, when I use this as a startup script I can still confirm ROOT is the owner of the file:
meaning my
su drupal
did not work. sudo su drupal also does not make any difference. I'm using Google Container OS, but same happens on a Debian 8 image.
sudo su is not a command run within a shell -- it starts a new shell.
That new shell is no longer running your script, and the old shell that is running the script waits for the new one to exit before it continues.
The sudo su command will start a new shell. The old shell waits for the old one to exit and continues executing the rest of the code.
Your script is running in the 'old' shell, which means these commands:
cd /home/drupal
touch test.txt
are still executed as root and thus the owner of these files is root as well.
You can modify your script to this:
#! /bin/bash
sudo useradd -m drupal
sudo -u drupal bash -c 'cd ~/; touch text2.txt'
and it should work.
The -u flag executes the command as the user specified, in this case 'drupal'
I wrote some stuff underneath - but looks like this should work:
how to run script as another user without password
The other option would be to ssh into your own machine as the other user, you can use sshpass to send the password, or get your own public key.
When I test a similar script:
su [my username]
touch test.txt
It actually logs in as me, and doesn't finish until I ctrl-d
Further testing reveals that the only way to own the file is if I invoke the script from the shell, ie:
su me
touch test.txt
./test2.sh
test2.sh:
touch test2.txt
gives both files to root, even if I own both scripts.
This follows that everything YOU do is yours, you can't make something for someone else.
Using AWS (Amazon Web Services) I have created an Ubuntu 16.10 instance and I am able to login using a pem file like this:
ssh -i key.pem ubuntu#52.16.73.14.54
After I am logged, I can see that I am able to execute:
sudo su
(with no password), however the file /etc/sudoers does NOT contain any reference to the user current user: ubuntu.
How can I create another user with exactly the same behavior (without touching the sudoers file) from terminal in a NON interactive way?
I tried:
sudo useradd -m -c "adding a test user" -G sudo,adm -s /bin/bash testuser
But after I become "testuser" if I invoke:
sudo su
I have to provide a password. Which is exactly the way I want to avoid.
You can't do this without touching sudo, beacuse the ubuntu user is given passwordless access specifically.
$ for group in `groups ubuntu`; do sudo grep -r ^[[:space:]]*[^#]*$group[[:space:]] /etc/sudoers* ; done
/etc/sudoers.d/90-cloud-init-users:ubuntu ALL=(ALL) NOPASSWD:ALL
/etc/sudoers.d/90-cloud-init-users:ubuntu ALL=(ALL) NOPASSWD:ALL
/etc/sudoers:%sudo ALL=(ALL:ALL) ALL
But what you can do is create a new sudoers file without touching any existing files. sudo is typically configured these days to read all the configurations in a directiory, usually /etc/sudoers.d/, preceisely so that one failing config doesn't effect the rest of sudo.
In your case, you might want to give an admin group sudoless access rather than your user. Then you can add access in the future to other users without changing sudo config.
I am running a Play 2.2.3 web application on AWS Elastic Beanstalk, using SBTs ability to generate Docker images. Uploading the image from the EB administration interface usually works, but sometimes it gets into a state where I consistently get the following error:
Docker container quit unexpectedly on Thu Nov 27 10:05:37 UTC 2014:
Play server process ID is 1 This application is already running (Or
delete /opt/docker/RUNNING_PID file).
And deployment fails. I cannot get out of this by doing anything else than terminating the environment and setting it up again. How can I avoid that the environment gets into this state?
Sounds like you may be running into the infamous Pid 1 issue. Docker uses a new pid namespace for each container, which means first process gets PID 1. PID 1 is a special ID which should be used only by processes designed to use it. Could you try using Supervisord instead of having playframework running as the primary processes and see if that resolves your issue? Hopefully, supervisord handles Amazon's termination commands better than the play framework.
#dkm was having the same issue with my dockerized play app. I package my apps as standalone for production using '$ sbt clean dist` commands. This produces a .zip file that you can deploy to some folder in your docker container like /var/www/xxxx.
Get a bash shell into your container: $ docker run -it <your image name> /bin/bash
Example: docker run -it centos/myapp /bin/bash
Once the app is there you'll have to create an executable bash script I called mine startapp and the contents should be something like this:
Create the script file in the docker container:
$ touch startapp && chmod +x startapp
$ vi startapp
Add the execute command & any required configurations:
#!/bin/bash
/var/www/<your app name>/bin/<your app name> -Dhttp.port=80 -Dconfig.file=/var/www/pointflow/conf/<your app conf. file>
Save the startapp script then from a new terminal and then you must commit your changes to your container's image so it will be available from here on out:
Get the running container's current ID:
$ docker ps
Commit/Save the changes
$ docker commit <your running containerID> <your image's name>
Example: docker commit 1bce234 centos/myappsname
Now for the grand finale you can docker stop or exit out of the running container's bash. Next start the play app using the following docker command:
$ docker run -d -p 80:80 <your image's name> /bin/sh startapp
Example: docker run -d -p 80:80 centos/myapp /bin/sh startapp
Run docker ps to see if your app is running. You see something similar to this:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
19eae9bc8371 centos/myapp:latest "/bin/sh startapp" 13 seconds ago Up 11 seconds 0.0.0.0:80->80/tcp suspicious_heisenberg
Open a browser and visit your new dockerized app
Hope this helps...