AWS CodeDeploy keeps running as root, breaks after first run

Previously I had CodeDeploy running properly as user www-data and everything was fine but I think CodeDeploy got corrupted somehow because it always runs as the root user now. Then, it breaks mid-deploy because of the "wrong permissions" because it shouldn't try to run as the root user, but the www-data user.

I checked another working server with a working CodeDeploy setup and the settings match EXCEPT there are no root user entries after running "ps aux | grep codedeploy-agent" seen here:

CodeDeploy

CodeDeploy says here that it's running as PID 3914 - so why is there a root entry with PID 3650? I think it is also using the root entry PID 3650 when running CodeDeploy because it is creating new directories with "root:root" permissions. However, on the working servers, everything is created with "www-data:wheel" as I configured it.

So, how can I remove the root user here from executing everything without breaking anything else? (I prefer not to delete stuff without knowing if it's safe and this is also a server that another team works on so I am trying to avoid a full rebuild or uninstall - as well as breaking any of their stuff.)

FYI to get this working in the first place as www-data running CodeDeploy, I changed the user using this article and it's worked great on other servers for months now: https://aws.amazon.com/premiumsupport/knowledge-center/codedeploy-agent-non-root-profile/

*Note: Tried deleting the .pid and .pid.lock files recommended in another post and printed in screenshot, but that didn't do anything.

Upvotes: 1

Views: 898

Answers (1)

Chris Williams

Reputation: 35146

This would come down to an update to the CodeDeploy agent. Possibly either an accidental replacement in the update process or incompatible changes which required settings to be reset to the default settings.

I would suggest leaving these default settings for CodeDeploy as it can be reconfigured during patching or future updates (which leaves it out of your control). Instead set permissions via the appspec file.

You can define the users that actions within CodeDeploy run as via the appspec file that is required for each deployment.

By specifying runas, the hook will be run as that user, as seen in the example below.

version: 0.0
os: linux
files:
  - source: Config/config.txt
    destination: /webapps/Config
  - source: source
    destination: /webapps/myApp
hooks:
  BeforeInstall:
    - location: Scripts/UnzipResourceBundle.sh
    - location: Scripts/UnzipDataBundle.sh
  AfterInstall:
    - location: Scripts/RunResourceTests.sh
      timeout: 180
  ApplicationStart:
    - location: Scripts/RunFunctionalTests.sh
      timeout: 3600
  ValidateService:
    - location: Scripts/MonitorService.sh
      timeout: 3600
      runas: codedeployuser

You can also set the permissions that particular directories or files have (from the files hierarchy).

Upvotes: 1
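One caveat worth making concrete: `runas` only decides which user each hook script runs as. The `files` section is still copied by the agent process itself, so an agent that has fallen back to running as root will keep producing root-owned directories (exactly what the question describes) even when every hook carries `runas`. A cheap way to catch that at deploy time instead of discovering it later is a hook that refuses to continue when it is not the expected user or when the deployed tree contains anything owned by someone else. The script below is an added example written for this answer; it is not from the question, the answer, or AWS. The user `www-data`, the path `/webapps/myApp` and the script's own name are assumptions. It relies on the `LIFECYCLE_EVENT` environment variable, which the CodeDeploy agent sets for hook scripts, to tell a real hook invocation apart from the file merely being sourced.

```shell
#!/bin/sh
# Example CodeDeploy hook (added illustration, not the agent's or AWS's code).
# Fails the deployment when the hook does not run as the expected user, or when
# the deployed tree contains entries owned by anyone else (e.g. root:root left
# behind by an agent that is itself running as root).

# Assumed values for this example; override via the environment if needed.
EXPECTED_USER="${EXPECTED_USER:-www-data}"
APP_DIR="${APP_DIR:-/webapps/myApp}"

# Return 0 when the current process runs as the expected user, 1 otherwise.
check_run_user() {
    expected="$1"
    actual="$(id -un)"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hook is running as '$actual', expected '$expected'" >&2
    return 1
}

# Resolve a user name to its numeric uid; non-zero status if the user is unknown.
uid_of() {
    id -u "$1" 2>/dev/null
}

# Return 0 when every entry under a directory is owned by the given uid,
# 1 when at least one entry has a different owner. A numeric uid is used with
# -user so the check works even if that uid has no name on the host.
check_ownership() {
    dir="$1"
    uid="$2"
    stray="$(find "$dir" ! -user "$uid" 2>/dev/null | wc -l | tr -d ' ')"
    if [ "$stray" -eq 0 ]; then
        return 0
    fi
    echo "$stray entries under $dir are not owned by uid $uid:" >&2
    find "$dir" ! -user "$uid" -exec ls -ld {} + 2>/dev/null >&2
    return 1
}

main() {
    check_run_user "$EXPECTED_USER" || exit 1
    uid="$(uid_of "$EXPECTED_USER")" || { echo "user $EXPECTED_USER not found" >&2; exit 1; }
    check_ownership "$APP_DIR" "$uid" || exit 1
    echo "ok: $APP_DIR is owned by $EXPECTED_USER and this hook runs as $EXPECTED_USER"
}

# The agent exports LIFECYCLE_EVENT for hook scripts; only then do we run the
# checks, so the functions above can also be sourced and exercised on their own.
if [ -n "${LIFECYCLE_EVENT:-}" ]; then
    main
fi
```

Reference it from the appspec like any other hook, for example under `AfterInstall` with `runas: www-data`, so a root-owned tree fails the deployment with a readable listing in the agent log rather than surfacing later as "wrong permissions". Two things to keep in mind: `runas` needs the agent to be able to switch users, which in practice means an agent running as a non-root user cannot impersonate a different account; and ownership of copied files is set by the appspec's `permissions` section (`object`, `owner`, `group`, `mode`), which is the supported place to pin `www-data:wheel` rather than relying on the agent's own identity.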
