Maybe I'm looking at this the wrong way, but I'm trying to set up my GitLab CI to be able to auto-deploy code on push. It seems like a fairly simple process, and I've successfully gotten most of it working. I may also be completely misunderstanding how systemd works, as I'm fairly new to it.
I have a Node application that I'm pushing to GitLab, and that will successfully kick off the deploy logic, but the last step I'm doing is to restart the application in order to make sure I'm actually pulling in all the code changes (as I understand it, changes to modules would not take effect without restarting the service, as the npm cache keeps modules in memory once required).
My GitLab CI YAML file looks like this:
stages:
  - deploy

deploy-prod:
  stage: deploy
  variables:
    BRANCH_REF: master
  script:
    - git fetch
    - git checkout $BRANCH_REF
    - git pull origin $BRANCH_REF
    - npm install
    - rm -rf /opt/my-app/www
    - ln -s $CI_PROJECT_DIR /opt/my-app/www
    - sh /home/gitlab-runner/restart.sh
  tags:
    - production
I probably don't need the indirection of the symlink, but that doesn't matter for this question. I made that restart.sh file because I was getting the error "sudo: sorry, you must have a tty to run sudo", and I thought I could wrap it in a shell file. But that didn't change things.
So, how do I let my gitlab-runner user restart the service when it updates the files?
My systemd unit looks like this:
[Unit]
After=mongod.service
[Service]
ExecStart=/usr/bin/node /opt/my-app/www/server
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=my-app
User=my-app
Group=my-app
Environment=NODE_ENV=production
And my visudo is set up to allow the gitlab-runner user to run systemctl restart my-app.service without a password. I've tested that successfully by su'ing to gitlab-runner and running the command without error, but again the error indicates I should not even be allowed to use the keyword sudo at all. Here's the relevant sudoers entry:
gitlab-runner ALL=(ALL) NOPASSWD: /bin/systemctl restart my-app
Thanks
I do something much like this. You don't need a TTY in this case, but you do need the path you are calling with sudo to exactly match what's in your sudoers file. In your case, that means you need to make sure your restart script does:
And NOT
You can easily test that your sudo setup is working right by becoming root and using su -l gitlab-runner to become that user. Finally, manually run your restart.sh script. You should not be prompted for a password (which is the part that's attempting to use the TTY).

Ok, so after digging around some more, it turns out that there was this entry in my sudoers file:
Commenting that out fixes the problem, and from some research it looks like there's no real security benefit from keeping it there.
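As an added example (not the question's script and not from either answer), the following restart.sh puts the two points raised in this thread into practice: the command the script hands to sudo is the literal string from the sudoers rule, so the two cannot drift apart, and the requiretty exemption (the error quoted in the question, "you must have a tty to run sudo", is what sudo prints when that default is in effect) is scoped to the one user rather than switched off for everyone. The user, service and systemctl path are the ones from the question (gitlab-runner, my-app, /bin/systemctl); the drop-in location /etc/sudoers.d/gitlab-runner, the ALL=(root) restriction instead of the question's (ALL), and the --run flag are assumptions made here.

```shell
#!/bin/sh
# restart.sh for the GitLab CI job above: restart my-app via sudo from a job
# that has no TTY. Added example; not the original poster's script.
# Assumptions (not in the thread): the drop-in lives at
# /etc/sudoers.d/gitlab-runner, and the script is invoked as
# "sh restart.sh --run" so that sourcing it for tests runs nothing.
set -eu

# The one string sudoers must contain verbatim. Keeping it in a single
# variable prevents the classic drift where sudoers says "my-app" and the
# script says "my-app.service" (or "systemctl" without the path), which sudo
# treats as a different command and therefore refuses or prompts for.
SUDO_ALLOWED_CMD="/bin/systemctl restart my-app"

# Return the exact command line the script will hand to sudo.
restart_cmd() {
    printf '%s' "$SUDO_ALLOWED_CMD"
}

# Compare a candidate command line against the sudoers rule byte-for-byte.
# Exit status 0 on a match, 1 otherwise; pure string work, so it runs offline.
matches_sudoers() {
    [ "$1" = "$SUDO_ALLOWED_CMD" ]
}

# Render the sudoers drop-in for one user. The first line exempts only that
# user from requiretty instead of disabling it globally; the second line
# grants exactly one command, as root only, without a password.
render_sudoers_dropin() {
    user="$1"
    printf 'Defaults:%s !requiretty\n' "$user"
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$SUDO_ALLOWED_CMD"
}

# Install the drop-in safely: visudo -c validates the syntax first, because a
# malformed file in /etc/sudoers.d can lock everyone out of sudo.
# Run once as root; this is not part of the CI job.
install_sudoers_dropin() {
    user="$1"
    tmp="$(mktemp)"
    render_sudoers_dropin "$user" > "$tmp"
    visudo -c -f "$tmp"
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$user"
    rm -f "$tmp"
}

main() {
    # -n: never prompt, so a misconfiguration fails the job instead of hanging
    #     it on a password prompt (the prompt is what needs the TTY).
    # -l <cmd>: ask sudo whether this exact command is permitted; exit 1 if not.
    # Word splitting of $SUDO_ALLOWED_CMD is intentional.
    if ! sudo -n -l $SUDO_ALLOWED_CMD >/dev/null 2>&1; then
        echo "restart.sh: sudoers does not permit '$SUDO_ALLOWED_CMD' for $(id -un)" >&2
        exit 1
    fi
    sudo -n $SUDO_ALLOWED_CMD
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Drop the script in place as /home/gitlab-runner/restart.sh, change the CI step to sh /home/gitlab-runner/restart.sh --run, and verify as the first answer suggests with su -l gitlab-runner followed by the same command. If the pre-flight check fails, running sudo -n -l with the command by hand as gitlab-runner shows which side of the mismatch is wrong, since sudo prints the fully qualified command it would permit. The (root) in place of (ALL) is a deliberate tightening: the job only ever needs to act as root, so the rule should not also allow -u some-other-user.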