Environment config - root user

While setting up the environment, it dawned on me that I seem to be missing configuration settings for the server root user / cert. I have set up the regular users but I assume the commcare cloud system needs root access to add users and deploy software. Where does that certificate / those credentials go in the config?
Thanks!

Hi Ed

commcare-cloud relies on privilege escalation using sudo, so as long as the user you are connecting with has sudo permissions to execute the commands, that will work fine.

commcare-cloud defaults to connecting to the remote machines using the ansible user. If you want to change that you can set the commcare_cloud_remote_user var in your public.yml file.

To authenticate as the remote user, we recommend you set up public keys for your local user (e.g. erobinson) to the remote user.

There are some special circumstances in which you want to use a different auth method, in which case you can use the --use-factory-auth command line flag, which will make commcare-cloud connect using the user specified by the commcare_cloud_root_user var (defaults to root). It will also look for a public key in the location set by commcare_cloud_pem. If the var isn't set or it can't find the key file, it will prompt for a password. This is generally only useful when you are first setting up a machine and haven't configured the users yet.

Thanks Simon, just to confirm, the user that commcare cloud is installed under should have sudo access on the Commcare cloud machine? I just want to make sure I understand this instruction correctly: https://dimagi.github.io/commcare-cloud/setup/installation.html
"Make sure that you have a non-root user account on the control machine."

In my system, Commcare cloud is installed on a local VM and I have an Azure Ubuntu 18.04 instance provisioned for my CommcareHQ environment deployment (everything will reside on this server). At what point is the ansible user created - is that part automated when deploying my environment or do I need to create that user as a sudo user on the server first?

Currently the only user I have referenced in the config file is my own (erobinson) - a non-sudo user (should it be a sudo user?). I obviously have the SSH .pub file for that user in the environment config.

I guess my question was which user does Commcare Cloud use on the Azure server to do the setup etc. and where do I configure that user in the environment config (including .pub key)? I see your last paragraph may apply, though I'm not sure if that's the usual way to go about it or if I can specify it all in the config files. Does first time setup always require the use of the --use-factory-auth parameter?

Thanks a ton for your support!

Hi Ed

The user that commcare-cloud is installed under doesn't need sudo access, only the remote user.

By default commcare-cloud will try to connect to the remote host using the ansible username.

For new VMs that have not yet been provisioned you can use the bootstrap-users command to set up the user accounts. This command will connect using the root user (unless overridden by the commcare_cloud_root_user var) and will prompt for a login password or use the ssh key specified in the commcare_cloud_pem var.

I hope that answers your question.

That does indeed sound like it answers my question, thanks a ton for being so helpful!
Cheers
Ed
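
As an added example (not part of the thread and not commcare-cloud's own code), the sketch below models the account and auth selection described in the replies above and adds a pre-flight check on the key file. The helper name `plan_connection`, the `Plan` type and the dict of public.yml vars are hypothetical; it assumes commcare_cloud_pem points at an SSH private key file, which OpenSSH refuses to use if group or others can access it.

```python
import os
import stat
from dataclasses import dataclass, field

# Defaults as stated in the replies above.
DEFAULT_REMOTE_USER = "ansible"
DEFAULT_ROOT_USER = "root"


@dataclass
class Plan:
    user: str
    auth: str  # "local-ssh-key", "pem-key" or "password-prompt"
    warnings: list = field(default_factory=list)


def plan_connection(public_vars, use_factory_auth=False):
    """Model which remote account and auth method a run would use.

    public_vars is the parsed content of public.yml as a dict (hypothetical input).
    """
    if not use_factory_auth:
        # Normal runs: the remote user, authenticated with the operator's own SSH key.
        user = public_vars.get("commcare_cloud_remote_user", DEFAULT_REMOTE_USER)
        return Plan(user, "local-ssh-key",
                    [f"'{user}' must already exist on the server with sudo rights"])

    # --use-factory-auth / first-time setup: the root user (or its override).
    user = public_vars.get("commcare_cloud_root_user", DEFAULT_ROOT_USER)
    pem = public_vars.get("commcare_cloud_pem")
    if not pem:
        return Plan(user, "password-prompt", ["commcare_cloud_pem is not set"])

    pem = os.path.expanduser(pem)
    if not os.path.isfile(pem):
        return Plan(user, "password-prompt", [f"key file not found: {pem}"])

    plan = Plan(user, "pem-key")
    mode = stat.S_IMODE(os.stat(pem).st_mode)
    if mode & 0o077:
        # Assumption: the file is a private key; ssh rejects keys open to group/others.
        plan.warnings.append(f"{pem} has mode {mode:o}; restrict it to 600")
    return plan


if __name__ == "__main__":
    # Constructed sample: an Azure VM whose factory account is not root.
    sample = {"commcare_cloud_root_user": "azureuser",
              "commcare_cloud_pem": "~/.ssh/azure_vm.pem"}
    print(plan_connection(sample, use_factory_auth=True))
```

An unexpected "password-prompt" result before first-time setup points at a missing or mistyped commcare_cloud_pem path rather than at the server.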