Fabric Sudo No Password Solution

2019-04-08 00:27发布

站内问答 / Python
1522 7 3

This question is about best practices. I'm running a deployment script with Fabric. My deployment user 'deploy' needs sudo to restart services. So I am using the sudo function from fabric to run these commands in my script. This works fine but prompts for password during script execution. I DON'T want to type a password during deployments. What's the best practice here. The only solution I can think of is changing the sudo permissions to not require password for the commands my deployment user runs. This doesn't seem right to me.

7条回答
Viruses.
2楼-- · 2019-04-08 00:45

Use the keyring module to store and access passwords securely.

Here's how I do it with Fabric 2:

from fabric import task
import keyring

@task
def restart_apache(connection):
    # set the password with keyring.set_password('some-host', 'some-user', 'passwd')
    connection.config.sudo.password = keyring.get_password(connection.host, 'some-user')
    connection.sudo('service apache2 restart')
查看更多
0人赞 添加讨论(0) 举报
老娘就宠你
3楼-- · 2019-04-08 00:46

The best way to do this is with subtasks. You can prompt for a password in the fabfile and never expose any passwords, nor make reckless configuration changes to sudo on the remote system(s).

import getpass

from fabric.api import env, parallel, run, task
from fabric.decorators import roles
from fabric.tasks import execute


env.roledefs = {'my_role': ['host1', 'host2']}


@task
# @parallel -- uncomment if you need parallel execution, it'll work!
@roles('my_role')
def deploy(*args, **kwargs):
    print 'deploy args:', args, kwargs
    print 'password:', env.password
    run('echo hello')


@task
def prompt(task_name, *args, **kwargs):
    env.password = getpass.getpass('sudo password: ')
    execute(task_name, *args, role='my_role', **kwargs)

Note that you can even combine this with parallel execution and the prompt task still only runs once, while the deploy task runs for each host in the role, in parallel.

Finally, an example of how you would invoke it:

$ fab prompt:deploy,some_arg,another_arg,key=value
查看更多
0人赞 添加讨论(0) 举报
劳资没心,怎么记你
4楼-- · 2019-04-08 00:46

You can also use passwords for multiple machines:

from fabric import env
env.hosts = ['user1@host1:port1', 'user2@host2.port2']
env.passwords = {'user1@host1:port1': 'password1', 'user2@host2.port2': 'password2'}

See this answer: https://stackoverflow.com/a/5568219/552671

查看更多
0人赞 添加讨论(0) 举报
聊天终结者
5楼-- · 2019-04-08 00:50

The ideal solution is to create a user on your server that is used only for deployment (eg, deploy). Then, set env.user=deploy in your fabfile. Then on your servers, you can give the user the necessary permission on a command-by-command basis in a sudoers file:

IMPORTANT: Always use sudo visudo to modify a sudoers file

Cmnd_Alias RELOAD_SITE = /bin/bash -l -c supervisorctl*, /usr/bin/supervisorctl*
deploy ALL = NOPASSWD: RELOAD_SITE

You can add as many Cmnd_Alias directives as is needed by the deploy user, then grant NOPASSWD access for each of those commands. See man sudoers for more details.

I like to keep my deploy-specific sudoers config in /etc/sudoers.d/deploy and include that file from /etc/sudoers by adding: includedir /etc/suoders.d at the end.

查看更多
0人赞 添加讨论(0) 举报
手持菜刀,她持情操
6楼-- · 2019-04-08 00:52

As Bartek also suggests, enable password-less sudo for the deployment 'user' in the sudoers file.

Something like:

run('echo "{0} ALL=(ALL) ALL" >> /etc/sudoers'.format(env.user))
查看更多
0人赞 添加讨论(0) 举报
男人必须洒脱
7楼-- · 2019-04-08 00:56

You can use: 

fabric.api import env
# [...]
env.password = 'yourpassword'
查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(3)