While setting up the environment, it dawned on me that I seem to be missing configuration settings for the server root user / cert. I have set up the regular users but I assume the commcare cloud system needs root access to add users and deploy software. Where does that certificate / those credentials go in the config?
Thanks!
Hi Ed
commcare-cloud relies on privilege escalation using sudo, so as long as the user you are connecting with has sudo permissions to execute the commands, that will work fine.
commcare-cloud defaults to connecting to the remote machines using the ansible user. If you want to change that you can set the commcare_cloud_remote_user var in your public.yml file.
To authenticate as the remote user we recommend you set up public keys for your local user (e.g. erobinson) to the remote user.
There are some special circumstances in which you want to use a different auth method, in which case you can use the --use-factory-auth command line flag, which will make commcare-cloud connect using the user specified by the commcare_cloud_root_user var (defaults to root). It will also look for a public key in the location set by commcare_cloud_pem. If the var isn't set or it can't find the key file it will prompt for a password. This is generally only useful when you are first setting up a machine and haven't configured the users yet.
Thanks Simon, just to confirm, the user that commcare cloud is installed under should have sudo access on the Commcare cloud machine? I just want to make sure I understand this instruction correctly: https://dimagi.github.io/commcare-cloud/setup/installation.html
"Make sure that you have a non-root user account on the control machine."
In my system, Commcare cloud is installed on a local VM and I have an Azure Ubuntu 18.04 instance provisioned for my CommcareHQ environment deployment (everything will reside on this server). At what point is the ansible user created - is that part automated when deploying my environment or do I need to create that user as a sudo user on the server first?
Currently the only users I have referenced in the config file is my own (erobinson) - a non sudo user (should it be a sudo user?). I obviously have the SSH .pub file for that user in the environment config.
I guess my question was which user does Commcare Cloud use on the Azure server to do the setup etc. and where do I configure that user in the environment config (including .pub key)? I see your last paragraph may apply, though I'm not sure if that's the usual way to go about it or if I can specify it all in the config files. Does first time setup always require the use of the --use-factory-auth parameter?
Thanks a ton for your support!
Hi Ed
The user that commcare-cloud is installed under doesn't need sudo access, only the remote user.
By default commcare-cloud will try to connect to the remote host using the ansible username.
For new VMs that have not yet been provisioned you can use the bootstrap-users command to set up the user accounts. This command will connect using the root user (unless overridden by the commcare_cloud_root_user var) and will prompt for a login password or use the ssh key specified in the commcare_cloud_pem var.
I hope that answers your question.
That does indeed sound like it answers my question, thanks a ton for being so helpful!
Cheers
Ed
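The connection rules described in the replies above, modelled as an added Python example; it is not commcare-cloud's own code and not from either poster. The flat-file parser, the function names and the sample key path are assumptions made for illustration.

```python
# Added illustration: a model of the connection rules described in this thread.
# Not commcare-cloud code; it only mirrors what the replies state.
import os
import tempfile

DEFAULT_REMOTE_USER = "ansible"  # default stated in the thread
DEFAULT_ROOT_USER = "root"       # default stated in the thread


def read_vars(path):
    """Read top-level 'key: value' pairs from a public.yml-style file.

    Assumption: only flat scalar entries are handled, not full YAML.
    """
    found = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.split("#", 1)[0].rstrip()
            if not line or line[0].isspace() or ":" not in line:
                continue
            key, value = line.split(":", 1)
            found[key.strip()] = value.strip().strip("'\"")
    return found


def connection_plan(settings, factory_auth=False):
    """Return (user, auth) for a normal run or a --use-factory-auth run."""
    if not factory_auth:
        user = settings.get("commcare_cloud_remote_user") or DEFAULT_REMOTE_USER
        return user, "ssh key of the local user"
    user = settings.get("commcare_cloud_root_user") or DEFAULT_ROOT_USER
    pem = settings.get("commcare_cloud_pem")
    if pem and os.path.isfile(os.path.expanduser(pem)):
        return user, "key file " + pem
    return user, "password prompt"  # var unset or key file missing


def demo():
    """Resolve both modes against a constructed public.yml."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "public.yml")
        with open(cfg, "w", encoding="utf-8") as fh:
            # Constructed sample: the key path below does not exist.
            fh.write("commcare_cloud_pem: /nonexistent/factory.pem\n")
        settings = read_vars(cfg)
        return connection_plan(settings), connection_plan(settings, True)


if __name__ == "__main__":
    for plan in demo():
        print(plan)
```
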