bash 如何在gitlab ci的构建脚本中使用sudo?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19383887/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use sudo in build script for gitlab ci?
提问by static
When I would like to do something that requiers sudo privelegies, the build process stucks and when ps auxfor that command, it hanging in the list but doing nothing.
当我想做一些需要 sudo 特权的事情时,构建过程会卡住,而ps aux对于该命令,它挂在列表中但什么也不做。
E.g.:
例如:
in the buildscript:
在构建脚本中:
# stop nginx
echo "INFO: stopping nginx. pid [$(cat /opt/nginx/logs/nginx.pid)]"
sudo kill $(cat /opt/nginx/logs/nginx.pid)
in the gitlab ci output console:
在 gitlab ci 输出控制台中:
INFO: stopping nginx. pid [2741]
kill $(cat /opt/nginx/logs/nginx.pid) # with a spinning wheel
in the bash:
在 bash 中:
> ps aux | grep nginx
root 6698 0.0 0.1 37628 1264 ? Ss 19:25 0:00 nginx: master process /opt/nginx/sbin/nginx
nobody 6700 0.3 0.3 41776 3832 ? S 19:25 0:00 nginx: worker process
kai 7015 0.0 0.0 4176 580 pts/0 S+ 19:27 0:00 sh -c sudo kill $(cat /opt/nginx/logs/nginx.pid)
kai 7039 0.0 0.0 7828 844 pts/2 S+ 19:27 0:00 grep nginx
So:
所以:
- not the
sudo kill $(cat /opt/nginx/logs/nginx.pid)is going to execute, butsh -c sudo kill $(cat /opt/nginx/logs/nginx.pid) - it is hanging up, without response (sounds for me like it asks for a password interactively)
- 不是
sudo kill $(cat /opt/nginx/logs/nginx.pid)要执行,而是sh -c sudo kill $(cat /opt/nginx/logs/nginx.pid) - 它挂断了,没有响应(对我来说听起来就像它以交互方式要求输入密码)
回答by Reactgular
There are a couple of ways to resolve this.
有几种方法可以解决这个问题。
Grant sudo permissions
授予sudo权限
You can grant sudo permissions to the gitlab-runneruser as this is who is executing the build script.
您可以向gitlab-runner用户授予 sudo 权限,因为这是执行构建脚本的人。
$ sudo usermod -a -G sudo gitlab-runner
You now have to remove the password restriction for sudofor the gitlab-runneruser.
现在,您可以删除密码,限制了sudo该gitlab-runner用户。
Start the sudo editor with
启动 sudo 编辑器
$ sudo visudo
Now add the following to the bottom of the file
现在将以下内容添加到文件底部
gitlab-runner ALL=(ALL) NOPASSWD: ALL
Do not do this for gitlab runners that can be executed by untrusted users.
不要对可以由不受信任的用户执行的 gitlab 运行程序执行此操作。
SSH Runner
SSH 运行程序
You can configure the gitlab-ci-runnerto connect to a remote host using SSH. You configure this to use a user remotely that has sudo permissions, and perform the build using that user. The remote host can be the same machine that the gitlab runner is executing on, or it can be another host.
您可以将 配置为gitlab-ci-runner使用 SSH 连接到远程主机。您将其配置为远程使用具有 sudo 权限的用户,并使用该用户执行构建。远程主机可以是 gitlab runner 正在执行的同一台机器,也可以是另一台主机。
This build user account will still need to have sudo and passwordless permissions. Follow the instruction below, except replace gitlab-runnerwith the build user.
此构建用户帐户仍需要具有 sudo 和无密码权限。请按照以下说明进行操作,除非替换gitlab-runner为构建用户。
