Deployer is an amazing tool that is used to deploy websites (hence the name). I have looked at other tools, but because Deployer is built and run using PHP, using it to deploy PHP sites makes sense. It also means that I don't have to figure out complex XML documents or learn Ruby just to understand what the deployment is doing.
I have been using Deployer for a little while now to deploy my own site but I have been using the root user to accoumplish the deployments to get around any permissions issues. When I sat down with the developers at work we looked into how to setup the server so that deployments could be run without giving the tool unfettered access to the server. To this end we set out a plan to create a 'deployer' user on our servers that would be the user Deployer uses to deploy sites.
Before we can begin setting up the user we need to collect a couple of variables. Essentially, we need to know what user Apache uses to server the websites. This information is used later to add the deployer user to the same group that Apache is in.
Centos uses a group called apache and a user called apache, you can confirm this using the following command.
cat /etc/httpd/conf/httpd.conf | grep "^[Group|User]"
Ubuntu uses a group called www-data and a user called www-data, you can confirm this using the following command.
To see a list of users currently on the system you can run:
To see a list of all of the groups on the system you can run:
Configuring Users And Groups Permissions
With that information in hand we can now look at creating our deployer user and assigning them to the correct groups.
Create the deployer user.
sudo useradd deployer
Add a password for the deployer user.
sudo passwd deployer
Add the deployer user to the Apache group.
usermod -a -G apache deployer
Next, we need to allow deployer access to be able to run sudo commands. This will typically only be things like restarting services. This is done by adding the user to the correct group.
On Centos the group that allows users access to the sudo command is called wheel.
usermod -a -G wheel deployer
On Ubuntu this group is called sudo.
usermod -a -G sudo deployer
To ensure that the deployer user has the access we need, using the following command.
getent group | grep deployer
Although you have created a password for this user it's probably best to setup a ssh key instead of handing out the password or (even worse) committing it to your codebase.
Ensuring Write Access To The Deployment Directory
Now that we have the user created we need to ensure that the user can access the directory that we want to deploy the website to. Assuming that we created a directory at /var/www/html/your-website, which is where deployer will do our deployments the permissions are set up in the following way.
First, we set the entire directory to belong to the Apache group and user.
sudo chown -R apache:apache /var/www/html/your-website
Next, we run through a few commands using the chmod and chgrp tools that set the permissions correctly on that directory. The next few commands will setup the proper permissions by first restricting access and then adding the access that we want.
The first thing to do is to make sure that no one but members of the Apache user can get access to that directory. We use the 'go' option (meaning 'group' and 'other') followed by '-rwx', meaning that we will be removing read, write and execute permissions from this directory. We also include the -R option to recursively do this to all sub directories.
chmod -R go-rwx /var/www/html/your-website
Next, we allow users of the same group (and 'other') to get access to the directory using the 'go' option again, followed by '+x', which gives execute access to just this directory.
chmod go+x /var/www/html/your-website
We are now in a possition to start granting access to the user and group to this directory and all sub-directories. This is done using the 'g' option, followed by the option '+rwx' which gives read, write and execute access to members of the same group to this directory.
chmod -R g+rwx /var/www/html/your-website
With that all done the directory should be ready to use.
The final step in all this is ensuring that the user has access to download the code from the git repository. The best way to achieve this is by using a deploy key. This is a key that allows read only access to the git repo, which is perfect for the user. There are numerous tutorials out there detailing how to do this, but on the server side you'll want to create the ssh key running something like this.
ssh-keygen -t rsa -b 4096
Since we are creating an automated route you shouldn't create a password for this key.
Next, copy the public part of the key and upload it to your git repository.
Finnally, log in using the deloyer user you created and use ssh to try and access the git repo host. For example, if you are using bitbucket you can use the following.
This will tell you that you have authenticated via a deploy key and tell you that shell access is disabled. It is useful just to check that you have the access you need before getting started on setting up your deployer recipies.