AWS Code Deployment Permission Failure Scenarios

I try to run multiple scripts when deploying with AWS Code Deploy, but they never run because of a lack of permissions to execute the scripts.

Here is my appspec.yml file:

 version: 0.0
 os: linux
 files:
   - source: /
     destination: /var/www/html
 permissions:
   - object: /var/www/html/codedeploy-scripts
     owner: root
     mode: 777
     type:
       - directory
 hooks:
   ApplicationStop:
     - location: codedeploy-scripts/application-stop
       timeout: 300
       runas: root
   BeforeInstall:
     - location: codedeploy-scripts/before-install
       timeout: 300
       runas: root
   AfterInstall:
     - location: codedeploy-scripts/after-install
       timeout: 600
       runas: root
   ApplicationStart:
     - location: codedeploy-scripts/application-start
       timeout: 300
       runas: root
   ValidateService:
     - location: codedeploy-scripts/validate-service
       timeout: 300
       runas: root

The codedeploy-scripts folder is deployed with the application, but the permissions I set on the folder are not applied. The permissions on the folder always get reset:

 [ec2-user@ip-10-0-8-181 html]$ ls -al
 total 156
 drwxrwsr-x 7 ec2-user www 4096 Oct 13 16:36 .
 drwxrwsr-x 3 ec2-user www 4096 Oct 13 15:01 ..
 -rw-rw-r-- 1 ec2-user www  740 Oct 13 16:28 appspec.yml
 drwxr-sr-x 2 ec2-user www 4096 Oct 13 16:36 codedeploy-scripts
 ...

The files in the folder seem to have execute rights:

 [ec2-user@ip-10-0-8-181 alio]$ ls -al codedeploy-scripts
 total 28
 drwxr-sr-x 2 ec2-user www 4096 Oct 13 16:36 .
 drwxrwsr-x 7 ec2-user www 4096 Oct 13 16:36 ..
 -rwxr-xr-x 1 ec2-user www  343 Oct 13 16:28 after-install
 -rwxr-xr-x 1 ec2-user www   12 Oct 13 16:28 application-start
 -rwxr-xr-x 1 ec2-user www   12 Oct 13 16:28 application-stop
 -rwxr-xr-x 1 ec2-user www  889 Oct 13 16:28 before-install
 -rwxr-xr-x 1 ec2-user www   12 Oct 13 16:28 validate-service

Why does the code not deploy with the rights set in the appspec file? The codedeploy-scripts folder should have 777 permissions, but it never does.

This is the error I get in /var/log/aws/codedeploy-agent/codedeploy-agent.log for each of these scripts:

 2015-10-13 16:36:23 WARN [codedeploy-agent(9918)]: InstanceAgent::Plugins::CodeDeployPlugin::HookExecutor: Script at specified location: codedeploy-scripts/validate-service is not executable. Trying to make it executable. 

Any help would be appreciated.

3 answers

The agent executes scripts directly from the extracted archive package, not from any arbitrary place you may have copied them to using the files section. You will need to set the execute bit in your archive in S3 or in the Git repository.

What you have is:

  • Copy all the files to /var/www/html.
  • Set the permissions of the contents of /var/www/html/codedeploy-scripts to 777, but not of the directory itself (see the appspec.yml reference). This is also affected by umask, which you can set in /etc/profile.
  • Run each of the lifecycle event scripts (as the events occur) from the root of the archive. So your ValidateService script runs from <deployment-archive-root>/codedeploy-scripts/validate-service, not from /var/www/html/codedeploy-scripts/validate-service.

Note: ApplicationStop is special because it runs before the new package is downloaded.


Without more information I cannot say why making the scripts executable fixed your problem, but the accepted answer should not have changed anything except the log statement you saw.

Take a closer look at the log:

 2015-10-13 16:36:23 WARN [codedeploy-agent(9918)]: InstanceAgent::Plugins::CodeDeployPlugin::HookExecutor: Script at specified location: codedeploy-scripts/validate-service is not executable. Trying to make it executable. 

This is only a warning, not an error. The Code Deploy agent noticed that your validate_service.sh script was not executable, and that it was "Trying to make it executable." If you look at the relevant Code Deploy agent code, you will see that the agent will chmod +x the script itself.

When you made the scripts executable, you just silenced this warning, and it should not have affected anything else. Looking back at the Code Deploy agent code at line 106, if the agent could not execute your scripts, you would see an error in your logs.

To answer your permissions question, your appspec.yml file is configured incorrectly. When you say:

   permissions:
     - object: /var/www/html/codedeploy-scripts
       owner: root
       mode: 777
       type:
         - directory

you are telling Code Deploy that all objects of type directory inside /var/www/html/codedeploy-scripts get 777 permissions.

All your scripts under codedeploy-scripts are of type "file" (not "directory"), so their permissions were not set; and since the permissions apply only to the contents of the object you specify, the permissions of the codedeploy-scripts directory itself were not set either.

Here is the description of the appspec.yml type option from the AWS docs:

type - Optional. The types of objects to which the specified permissions apply. This can be set to file or directory. If file is specified, the permissions are applied only to files that are immediately contained within the object after the copy operation (and not to the object itself). If directory is specified, the permissions are applied recursively to all directories/folders anywhere within the object after the copy operation (but not to the object itself).
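The two points made in the first two answers, as an added example rather than code from the original thread: the agent runs hooks from the extracted archive, so the execute bit has to be present in the archive, and a permissions entry only reaches the scripts if its type is file. The check below walks the location: values of an appspec.yml and fails when a hook is not executable; the sample archive, its layout, the helper names and the 755 mode are assumptions of this example.

```shell
# Added example, not from the original thread: verify that every lifecycle hook
# named in appspec.yml is executable inside the archive, where the agent runs it.

# Print the hook script paths (the "location:" values) from an appspec.yml.
hook_locations() {
  sed -n 's/^[[:space:]]*-[[:space:]]*location:[[:space:]]*//p' "$1/appspec.yml"
}

# Return 0 when every hook script exists and is executable, 1 otherwise.
check_hook_exec_bits() {
  root=$1
  status=0
  for loc in $(hook_locations "$root"); do
    if [ ! -x "$root/$loc" ]; then
      echo "not executable in archive: $loc" >&2
      status=1
    fi
  done
  return $status
}

# Constructed sample archive (assumed layout). The permissions entry uses
# type: file so the mode lands on the scripts inside codedeploy-scripts rather
# than only on subdirectories; 755 is enough for a hook that runs as root.
make_sample_archive() {
  root=$(mktemp -d)
  mkdir -p "$root/codedeploy-scripts"
  cat > "$root/appspec.yml" <<'EOF'
version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/html
permissions:
  - object: /var/www/html/codedeploy-scripts
    mode: 755
    type:
      - file
hooks:
  BeforeInstall:
    - location: codedeploy-scripts/before-install
  ValidateService:
    - location: codedeploy-scripts/validate-service
EOF
  printf '#!/bin/sh\nexit 0\n' > "$root/codedeploy-scripts/before-install"
  printf '#!/bin/sh\nexit 0\n' > "$root/codedeploy-scripts/validate-service"
  chmod 755 "$root/codedeploy-scripts/before-install"   # exec bit present
  chmod 644 "$root/codedeploy-scripts/validate-service" # exec bit missing
  echo "$root"
}
```

Run check_hook_exec_bits against the directory you bundle before uploading it; a non-zero exit means the archive would reproduce the warning above.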


I would like to expand on the issue mentioned by Jonathan Turpy, which can create a very strange situation.

From the ApplicationStop docs:

This deployment lifecycle event occurs before the application revision is downloaded .... The AppSpec file and scripts used for this deployment lifecycle event are from the previous successfully deployed application revision.

Now imagine this situation:

  • A revision is deployed with a broken ApplicationStop script. The deployment still succeeds, because the previous revision's script was used.
  • The next revision is pushed and the ApplicationStop step fails (since it now tries to execute the broken script from step 1).
  • You notice your mistake, correct the code and publish a new revision, but it still fails with the same error!

At this point you cannot fix the error by deploying new code. You have only two options:

  • In the deployment settings, enable "Ignore ApplicationStop failures" (for example, with the CLI flag --ignore-application-stop-failures [1]).
  • Manually fix the file permissions in the previous successful deployment's root.

Of course, this applies to any ApplicationStop script failure, not just permissions.

[1] https://docs.aws.amazon.com/cli/latest/reference/deploy/create-deployment.html


Source: https://habr.com/ru/post/1233645/
