I've been trying to set up webistrano on one of our servers. Everything went well until I tried deploying my setup. Webistrano is currently set up to live on the test server, so I want it to deploy to 127.0.0.1
The configuration contains a valid user, webistrano, that should have access to
/home/webistrano/.subversion/servers
The password for that user is correct. Could someone shed some light as to what might be going wrong with it?
*** SSH options: setting ssh_port to: 22
*** LOCAL SCM ERROR: svn: warning: Can't open file '/home/webistrano/.subversion/servers': Permission denied
* executing `deploy'
* executing `deploy:update'
** transaction: start
* executing `deploy:update_code'
* executing "svn checkout -q --username webistrano --password XXXXXXXX --no-auth-cache -r27687 http://server.com/repos/server/clients/site/trunk /var/www/vhosts/server.com/releases/20121001183038 && (echo 27687 > /var/www/vhosts/server.com/releases/20121001183038/REVISION)"
servers: ["127.0.0.1"]
*** [deploy:update_code] rolling back
* executing "rm -rf /var/www/vhosts/server.com/releases/20121001183038; true"
servers: ["127.0.0.1"]
** [deploy:update_code] exception while rolling back: Capistrano::ConnectionError, connection failed for: 127.0.0.1 (Errno::EACCES: Permission denied - connect(2))
*** connection failed for: 127.0.0.1 (Errno::EACCES: Permission denied - connect(2))
debugging with
puts system('id') in deployer.rb returns
uid=500(webistrano) gid=500(webistrano) groups=500(webistrano) context=unconfined_u:system_r:httpd_t:s0
and ls -all /home/webistrano returns:
drwxrwxr-x. 3 webistrano webistrano 4096 Sep 27 16:59 .subversion
ls -all /home/webistrano/.subversion returns:
drwxrwxr-x. 3 webistrano webistrano 4096 Oct 1 20:02 .
drwx------. 4 webistrano webistrano 4096 Oct 1 22:14 ..
drwx------. 6 webistrano webistrano 4096 Sep 27 16:59 auth
-rw-rw-r--. 1 webistrano webistrano 6866 Sep 27 16:59 config
-rw-rw-r--. 1 webistrano webistrano 4276 Sep 27 16:59 README.txt
-rw-rw-r--. 1 webistrano webistrano 7674 Oct 1 20:02 servers
Which shows that servers should be fully readable by everyone?
What's going on?
It turns out this was an issue with Passenger.
Phusion Passenger is supposed to run as the user who owns conf/environment.conf (which in my case was webistrano). Displaying the user id also showed webistrano, but if I changed it to run as nobody, the svn error stopped appearing. I was unable to svn export the code though, probably because nobody does not have a home directory.
I ended up running webistrano through mongrel, and starting it by doing:
$ su - webistrano
to make sure that the correct home environment is loaded and all the permissions are correct.
It works perfectly now. Hope this helps somebody.
Related
I'm on an ubuntu 20.04
Had a rails application that used to run until last month.
But a certificate issue made me reinstall nginx and passenger and some dependencies.
However all rails commands (console, server, assets:precompile) are now failing with the following error
/home/deploy/mark_antony/shared/bundle/ruby/2.7.0/gems/bootsnap-1.4.8/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:23:in `require': libffi.so.6: cannot open shared object file: No such file or directory - /home/deploy/mark_antony/shared/bundle/ruby/2.7.0/gems/ffi-1.13.1/lib/ffi_c.so (LoadError)
But when I check, everything seems perfectly fine. The file does exist:
deploy@ubuntu-s-1vcpu:~/mark_antony/current$ cd /home/deploy/mark_antony/shared/bundle/ruby/2.7.0/gems/ffi-1.13.1/lib/
deploy@ubuntu-s-1vcpu:~/mark_antony/shared/bundle/ruby/2.7.0/gems/ffi-1.13.1/lib$ ll
total 476
drwxrwxr-x 3 deploy deploy 4096 Jan 7 19:08 ./
drwxrwxr-x 6 deploy deploy 4096 Jan 7 19:07 ../
drwxrwxr-x 4 deploy deploy 4096 Jan 7 19:07 ffi/
-rw-rw-r-- 1 deploy deploy 925 Jan 7 19:07 ffi.rb
-rwxr-xr-x 1 deploy deploy 467872 Jan 7 19:08 ffi_c.so*
Any idea on how to get the app working again?
So we're using Gerrit Trigger (2.23.0) on our Jenkins CI build manager & using docker containers for the actual builds.
The issue that has recently popped up in some of our branches is that the Gerrit Repo polling is failing and causing it to "detect changes" every time, so it's constantly rebuilding despite no changes.
Checking the Gerrit Repo Polling Log for any of the affected jobs gives one of the following outputs:
Started on Feb 1, 2017 3:12:25 PM
Polling SCM changes on aosp-host
[workspace] $ repo init -u http://xxx.xxx.xxx.xxx/git/project/platform/manifest.git -b branch -m branch.xml
Get https://gerrit.googlesource.com/git-repo/clone.bundle
Get https://gerrit.googlesource.com/git-repo
fatal: Not a git repository: '/home/jenkins/workspace/.repo/manifests.git'
fatal: Not a git repository: '/home/jenkins/workspace/.repo/manifests.git'
fatal: cannot obtain manifest http://xxx.xxx.xxx.xxx/git/project/platform/manifest.git
Done. Took 1 min 19 sec
Changes found
or, if the build was already building (gerrit waits for the build to finish before doing the scm poll)
Started on Feb 2, 2017 3:24:15 AM
Polling SCM changes on aosp-host
[workspace] $ repo init -u http://xxx.xxx.xxx.xxx/git/project/platform/manifest.git -b branch -m branch.xml
fatal: cannot make /home/jenkins/workspace/.repo/repo directory: File exists
Done. Took 2 hr 4 min
Changes found
The builds, which are triggered by this failure, use the same commands and work fine:
[workspace] $ repo init -u http://xxx.xxx.xxx.xxx/git/project/platform/manifest.git -b branch -m branch.xml
Navigating to the manifest directory, we see the symptom:
jenkins@f052b3453d95:~/workspace/.repo$ ll
total 32
drwxr-xr-x 1 jenkins jenkins 180 Dec 20 11:08 ./
drwxrwxr-x 1 jenkins jenkins 778 Dec 20 11:07 ../
-rw-r--r-- 1 jenkins jenkins 20087 Dec 20 10:14 .repo_fetchtimes.json
lrwxrwxrwx 1 jenkins jenkins 20 Dec 20 10:13 manifest.xml -> manifests/branch.xml
drwxr-xr-x 1 jenkins jenkins 8 Dec 16 17:33 manifests/
drwxr-xr-x 1 jenkins jenkins 50 Dec 16 17:33 manifests.git/
drwxr-xr-x 1 jenkins jenkins 28 Dec 16 17:43 project-objects/
-rw-r--r-- 1 jenkins jenkins 7756 Dec 20 10:14 project.list
drwxr-xr-x 1 jenkins jenkins 410 Dec 16 17:46 projects/
with
lrwxrwxrwx 1 jenkins jenkins 20 Dec 20 10:13 manifest.xml -> manifests/branch.xml
highlighted in red, because the associated branch.xml is not found... so the Gerrit Log from above is accurate, it's failing to init properly. This is confirmed via a repo status in the main directory:
jenkins@f052b3453d95:~/workspace$ repo status
Traceback (most recent call last):
File "/home/jenkins/workspace/.repo/repo/main.py", line 531, in <module>
_Main(sys.argv[1:])
File "/home/jenkins/workspace/.repo/repo/main.py", line 507, in _Main
result = repo._Run(argv) or 0
File "/home/jenkins/workspace/.repo/repo/main.py", line 180, in _Run
result = cmd.Execute(copts, cargs)
File "/home/jenkins/workspace/.repo/repo/subcmds/status.py", line 130, in Execute
all_projects = self.GetProjects(args)
File "/home/jenkins/workspace/.repo/repo/command.py", line 140, in GetProjects
all_projects_list = manifest.projects
File "/home/jenkins/workspace/.repo/repo/manifest_xml.py", line 350, in projects
self._Load()
File "/home/jenkins/workspace/.repo/repo/manifest_xml.py", line 407, in _Load
self.manifestProject.worktree))
File "/home/jenkins/workspace/.repo/repo/manifest_xml.py", line 443, in _ParseManifestXml
root = xml.dom.minidom.parse(path)
File "/usr/lib/python2.7/xml/dom/minidom.py", line 1918, in parse
return expatbuilder.parse(file)
File "/usr/lib/python2.7/xml/dom/expatbuilder.py", line 922, in parse
fp = open(file, 'rb')
IOError: [Errno 2] No such file or directory: '/home/jenkins/workspace/.repo/manifest.xml'
The issue is, running repo init -u <url> -m branch.xml via the command line works fine, and produces a valid repo.
Any insight one can offer for this issue?
I am trying to build the Gerrit plugin "events-log" jar (https://gerrit.googlesource.com/plugins/events-log) via Buck build, but it's failing with the error below:
root@jenkins-test:~/events-log# ll
drwxr-xr-x 7 root root 4096 Jun 29 13:25 ./
drwxrwxr-x 24 root root 4096 Jun 29 13:22 ../
-rw-r--r-- 1 root root 1017 Jun 29 12:57 BUCK
-rw-r--r-- 1 root root 173 Jun 29 12:57 .buckconfig
drwxr-xr-x 3 root root 4096 Jun 29 13:25 .buckd/
drwxr-xr-x 6 root root 4096 Jun 29 13:05 buck-out/
drwxr-xr-x 8 root root 4096 Jun 29 13:27 .git/
-rw-r--r-- 1 root root 146 Jun 29 12:57 .gitignore
drwxr-xr-x 5 root root 4096 Jun 29 12:57 lib/
drwxr-xr-x 4 root root 4096 Jun 29 12:57 src/
root@jenkins-test:~/events-log# /root/buck/bin/buck build events-log:events-log
Using buckd.
BUILD FAILED: No build file at events-log/BUCK when resolving target //events-log:events-log.
Can somebody please tell me how to fix it and build the jar?
Thanks
I think I've finally figured it out ...
What I wound up doing is checking out Gerrit and building the events-log plugin in the Gerrit tree.
git clone https://gerrit.googlesource.com/gerrit
cd gerrit
git checkout v2.11.2
git submodule init
git submodule update
git clone https://gerrit.googlesource.com/plugins/events-log plugins/events-log
buck build plugins/events-log
I'm pretty sure you just want /root/buck/bin/buck build //:events-log. See http://buckbuild.com/concept/build_target.html
Eventually I found src/main/resources/Documentation/build.md, with which I finally succeeded in building events-log:
git clone https://gerrit.googlesource.com/plugins/events-log
git clone https://gerrit.googlesource.com/bucklets
cd events-log
git checkout stable-2.12
ln -s ../bucklets .
ln -s bucklets/buckversion .buckversion
ln -s bucklets/watchmanconfig .watchmanconfig
buck build plugin
This builds buck-out/gen/events-log.jar.
If the version is 2.14 or later, please use Bazel to build.
I also tried to build v2.13 with buck; you need to modify gerrit_plugin.bucklet, which is under the bucklets folder.
Old content:
    target_suffix = ''):
  from multiprocessing import cpu_count
  from os import path,getcwd
New content:
    target_suffix = ''):
  with allow_unsafe_import():
    from multiprocessing import cpu_count
    from os import path,getcwd
Then execute "buck build plugin".
Output:
ruhu@CCM-P700:~/tools/events-log$ buck build plugin
Download http://repo1.maven.org/maven2/com/google/code/gson/gson/2.3.1/gson-2.3.1-sources.jar
Download http://repo1.maven.org/maven2/com/google/code/gson/gson/2.3.1/gson-2.3.1.jar
Download http://repo1.maven.org/maven2/com/google/gerrit/gerrit-plugin-api/2.13/gerrit-plugin-api-2.13.jar
Parsing buck files: finished in 1.3 sec (100%)
Creating action graph: finished in 1.6 sec (100%)
Building: finished in 03:47.3 min (100%) 19/19 jobs, 19 updated, 94.7% cache mis
Total time: 03:50.3 min
I have some basic issues with capistrano deployment. First of all, I need to know whether capistrano is using git clone even for the second or third time, when the git repo already exists. Is there any issue if it uses git pull? I have added set :deploy_via, :remote_cache in my capfile. I am asking this because I tried adding a new file in the path in the server, and not in the git repo as it was a server specific file. The next time I deployed using capistrano, the file disappeared. It seems like capistrano is using git clone even when a git repo is already created. Why can't capistrano use git pull to update the code?
Capistrano creates a new subdirectory in releases for each release like this
horse:releases xxx$ ls -lart
total 0
drwxrwxr-x 22 xxx staff 748 Jun 26 20:08 20120626180809
drwxrwxr-x 22 xxx staff 748 Jun 26 20:11 20120626181103
drwxrwxr-x 22 xxx staff 748 Jun 26 20:29 20120626182908
drwxrwxr-x 22 xxx staff 748 Jun 26 20:34 20120626183442
drwxrwxr-x 22 xxx staff 748 Jun 26 20:35 20120626183525
drwxrwxr-x 8 xxx staff 272 Jun 27 13:11 .
drwxrwxr-x 22 xxx staff 748 Jun 27 13:11 20120627111102
drwxrwxr-x 5 xxx staff 170 Jun 27 13:11 ..
and then simply sets a symlink to the current release like this
horse:deployed xxx$ ls -lart
total 8
drwxrwxr-x 4 xxx staff 136 Jun 26 19:51 ..
drwxrwxr-x 7 xxx staff 238 Jun 26 20:22 shared
drwxrwxr-x 8 xxx staff 272 Jun 27 13:11 releases
lrwxrwxr-x 1 xxx staff 70 Jun 27 13:11 current -> /Users/xxx/RailsDeployment/server/deployed/releases/20120627111102
This way, rollback of the deployment on the server is really easy as you just have to change the symlink back to the last (working) deployment, but as a new complete subdir is created each time it makes sense using git clone instead of git pull.
If you want to have server-specific files, you have to add a capistrano deploy task to your config/deploy.rb file to copy it from somewhere else outside the app directory (typically the shared subfolder). The reason for this is that the deployment should be fully automatic and document all necessary steps in an automated procedure, and not depend on files on the server that were put there manually as this is the first step to a snowflake server. So, if you need a file that is not part of your git repository, as typically something containing production passwords, you need to change config/deploy.rb to copy this file to where you need it. To see how to do this look at the copy_db_credentials tasks in my deploy.rb:
namespace :deploy do
  desc "cause Passenger to initiate a restart"
  task :restart do
    run "touch #{current_path}/tmp/restart.txt"
  end

  desc "Copies database credentials"
  task :copy_db_credentials do
    run "cp #{shared_path}/credentials/database.yml #{current_path}/config/database.yml"
  end

  desc "reload the database with seed data"
  task :seed do
    run "cd #{current_path}; rake db:seed RAILS_ENV=#{rails_env}"
  end
end

after :deploy, "deploy:copy_db_credentials"
after "deploy:update_code", :bundle_install

desc "install the necessary prerequisites"
task :bundle_install, :roles => :app do
  run "cd #{release_path} && bundle install"
end
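The releases/current/shared layout described in this answer, as an added shell sketch that is not part of the original post and is not Capistrano's own code. The function names, the scratch directory and the file contents are constructed for illustration; it shows why a file edited by hand inside a release is absent after the next deploy, and how a credentials file kept in shared/ is copied into each new release with owner-only permissions.

```bash
#!/usr/bin/env bash
# Added example: Capistrano-style releases/current/shared layout in a scratch
# directory. All names, paths and file contents are constructed.

# deploy_release ROOT STAMP: build a fresh release directory, copy in the
# credentials kept under shared/, then repoint the "current" symlink.
deploy_release() {
  local root="$1" stamp="$2" rel
  rel="$root/releases/$stamp"
  mkdir -p "$rel/config"
  echo "app code $stamp" > "$rel/app.rb"   # stands in for the SCM checkout
  # Credentials live only in shared/, never in the repository.
  install -m 600 "$root/shared/credentials/database.yml" "$rel/config/database.yml"
  ln -sfn "$rel" "$root/current"
}

# rollback ROOT: repoint "current" at the second-newest release.
rollback() {
  local root="$1" prev
  prev=$(ls -1 "$root/releases" | sort | tail -n 2 | head -n 1)
  ln -sfn "$root/releases/$prev" "$root/current"
}

# demo: two deploys with a manual server-side edit in between.
# Prints the scratch directory so the caller can inspect it.
demo() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/shared/credentials" "$root/releases"
  (umask 077; echo "password: constructed-example" > "$root/shared/credentials/database.yml")
  deploy_release "$root" 20120626183525
  echo "server-only tweak" > "$root/current/local.conf"   # manual edit on the server
  deploy_release "$root" 20120627111102
  echo "$root"
}
```

After demo, current/local.conf is missing because current points at a brand-new directory; the file is still sitting in the previous release and reappears after rollback.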
I am in the process of setting up a server to run a Ruby on Rails application on Fedora 12, using Passenger.
I am at the stage where I've installed Passenger, set it up as prescribed, but get the following errors when I restart Apache:
[Wed Jan 13 15:41:38 2010] [notice] caught SIGTERM, shutting down
[Wed Jan 13 15:41:40 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Jan 13 15:41:40 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [notice] Digest: generating secret for digest authentication ...
[Wed Jan 13 15:41:40 2010] [notice] Digest: done
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
[Wed Jan 13 15:41:40 2010] [error] python_init: Python version mismatch, expected '2.6', found '2.6.2'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python executable found '/usr/bin/python'.
[Wed Jan 13 15:41:40 2010] [error] python_init: Python path being used '/usr/lib/python26.zip:/usr/lib/python2.6/:/usr/lib/python2.6/plat-linux2:/usr/lib/python2.6/lib-tk:/usr/lib/python2.6/lib-old:/usr/lib/python2.6/lib-dynload'.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Wed Jan 13 15:41:40 2010] [notice] mod_python: using mutex_directory /tmp
[Wed Jan 13 15:41:40 2010] [notice] Apache/2.2.14 (Unix) DAV/2 Phusion_Passenger/2.2.9 PHP/5.3.0 mod_python/3.3.1 Python/2.6.2 mod_ssl/2.2.14 OpenSSL/1.0.0-fips-beta3 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
As you can see, there is a permissions problem when Passenger is trying to initialize:
[Wed Jan 13 15:41:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /tmp/passenger.25235/.guard: Permission denied (13)
When Apache starts, it does create a file in /tmp:
d-ws--x--x. 2 root root 4096 2010-01-13 16:04 passenger.26117
If instead I run the app by firing up mongrel directly with mongrel_rails start -e production, I see the following:
ActiveRecord::StatementInvalid (Mysql::Error: Can't create/write to file '/tmp/#sql_5d3_0.MYI' (Errcode: 13): SHOW FIELDS FROM `users`):
Again the error points to permission issues with the /tmp directory.
I am at a loss as to what the solution is. I'm not sure if it is related to simply directory permissions or Fedora's SELinux security.
Any help would be appreciated. Thanks.
I did the same as Fred, except that instead of doing it one error at a time:
Go into permissive mode by running setenforce 0
Restart apache, and hit your site and use it for a while as normal
Run grep httpd /var/log/audit/audit.log | audit2allow -M passenger
semodule -i passenger.pp
Go back to enforcing mode by running setenforce 1
Restart apache and test your site - hopefully it should all be working as before!
Note that this is basically a specific example of the procedure on the CentOS SELinux help - check it out.
I'm having the same issue in CentOS 5.4, SELinux getting in the way of Passenger.
Setting PassengerTempDir to /var/run/passenger simply gives you the same permission errors in the new directory instead of /tmp :
[Mon Feb 22 11:42:40 2010] [error] *** Passenger could not be initialized because of this error: Cannot create directory '/var/run/passenger/passenger.3686'
I can then change the security context of /var/run/passenger to get past this error:
chcon -R -h -t httpd_sys_content_t /var/run/passenger/
...and that lets Passenger create the temp directory, but not files within that directory:
[Mon Feb 22 12:07:06 2010] [error] *** Passenger could not be initialized because of this error: Cannot create FIFO file /var/run/passenger/passenger.3686/.guard: Permission denied (13)
Oddly, re-running the recursive chcon again doesn't get past this error, it keeps dying at this point, and this is where my SELinux knowledge gets murky.
The Phusion Passenger guide sections 6.3.5 and 6.3.7 have some useful thoughts, but they don't seem to completely resolve the problem.
You need more than just the httpd_sys_content_t permission. I use the following technique to get things started:
start a tail on the audit log: tail -f /var/log/audit/audit.log
reload apache: apachectl restart
Go to the /tmp directory: cd /tmp
If just 1 line is added use the command: tail -1 /var/log/audit/audit.log | audit2allow -M httpdfifo
Note that the name 'httpdfifo' is just a name chosen to reflect the kind of error that has been observed.
This will create a file named 'httpdfifo.pp'. To allow apache to create a FIFO from here on after you have to issue the command: semodule -i httpdfifo.pp
Continue to do this until all audit errors have been resolved (it took 4 different kinds of permissions on my system running CentOS 5.4)
Running setenforce 0 before starting will let you test if it's SELinux. Don't forget to run setenforce 1 afterwards.
I tried what Dan Sketcher and Fred Appleman suggested, i.e. repeat the following:
yum install setroubleshoot
echo > /var/log/audit/audit.log # clear irrelevant errors
cd ~
service httpd restart # try booting passenger -- audit.log now shows the relevant permission errors
tail -f /var/log/httpd/error_log # check that passenger is still failing due to permission errors
sealert -a /var/log/audit/audit.log > selinux-diag.txt # translate the permission errors
# read and check that you are happy with selinux-diag.txt
# and either follow its specific advice, or if it just wants you to grep into audit2allow, then:
cat /var/log/audit/audit.log | audit2allow -M mypol # grant everything just denied
semodule -i mypol.pp # commit new permissions
But after doing this 5 or 6 times, I kept coming up against new errors, and some of the same errors came up even after I had tried to permit them with "audit2allow".
In the end I just turned off SELinux, with:
echo 0 >/selinux/enforce
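The answers above pipe audit.log into audit2allow -M and install whatever module comes out. As an added example (not from any of the posts), this shell function summarises the AVC denials first, so you can see which domain would be granted which permission on which type. The audit lines in SAMPLE_AUDIT are constructed, and avc_summary and SAMPLE_AUDIT are names invented here.

```bash
#!/usr/bin/env bash
# Added example: review SELinux AVC denials before feeding them to audit2allow.
# SAMPLE_AUDIT is constructed for illustration, not taken from a real host.

SAMPLE_AUDIT='type=AVC msg=audit(1263397300.101:501): avc:  denied  { create } for  pid=25235 comm="httpd" name=".guard" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1263397300.102:502): avc:  denied  { create } for  pid=25236 comm="httpd" name=".guard" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1263397300.090:500): avc:  denied  { write } for  pid=25235 comm="httpd" name="passenger.25235" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1263397300.090:500): arch=c000003e syscall=83 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1263397310.400:510): avc:  denied  { read } for  pid=900 comm="rsync" name="httpd.conf" scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file'

# avc_summary [SOURCE_TYPE]: read audit.log lines on stdin and print
#   <count> <source_type> <target_type>:<class> { <perms> }
# most frequent first. With SOURCE_TYPE, keep only denials from that domain.
avc_summary() {
  awk -v want="${1:-}" '
    # Return the value of key=value among the fields of the current record.
    function val(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    # SELinux contexts are user:role:type:level; the type is the third part.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /^type=AVC / && / denied / {
      a = index($0, "{"); b = index($0, "}")
      if (a == 0 || b <= a) next
      perms = substr($0, a + 2, b - a - 3)      # text between "{ " and " }"
      src = setype(val("scontext")); tgt = setype(val("tcontext"))
      if (want != "" && src != want) next
      seen[src " " tgt ":" val("tclass") " { " perms " }"]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Everything a text match on "httpd" would hand to audit2allow:
printf '%s\n' "$SAMPLE_AUDIT" | grep httpd | avc_summary
# Only what the web server domain itself was denied:
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary httpd_t
```

In the constructed log, grep httpd also matches the rsync_t line because the file name contains "httpd", so a module built from that pipeline would grant a permission to a different domain; filtering on the source type keeps the rule set to what Passenger under httpd_t needed.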