This question is about best practices. I'm running a deployment script with Fabric. My deployment user 'deploy' needs sudo to restart services. So I am using the sudo function from fabric to run these commands in my script. This works fine but prompts for password during script execution. I DON'T want to type a password during deployments. What's the best practice here. The only solution I can think of is changing the sudo permissions to not require password for the commands my deployment user runs. This doesn't seem right to me.
Python – Fabric Sudo No Password Solution
deploymentfabricpythonsudo
Best Answer
The ideal solution is to create a user on your server that is used only for deployment (eg,
deploy
). Then, setenv.user=deploy
in your fabfile. Then on your servers, you can give the user the necessary permission on a command-by-command basis in a sudoers file:IMPORTANT: Always use
sudo visudo
to modify a sudoers fileYou can add as many
Cmnd_Alias
directives as is needed by the deploy user, then grantNOPASSWD
access for each of those commands. Seeman sudoers
for more details.I like to keep my deploy-specific sudoers config in
/etc/sudoers.d/deploy
and include that file from/etc/sudoers
by adding:includedir /etc/suoders.d
at the end.