So in the last post on this, I looked at setting up auto deploy for a WordPress site using GitLab’s CI runner. I also wanted the W3TC cache to be cleared, and thanks to WP-CLI, that was possible by adding:
- sudo -u www-data wp w3-total-cache flush
to the end of the script node in .gitlab-ci.yml.
Now. “sudo?!?!?!?!” I hear you say? There’s a security risk if ever I saw one. Luckily this doesn’t have to be the case if things are set up right. Make a separate user for GitLab Runner and limit it to sudo-ing as only www-data and only running that command while doing so.
It’s a good idea to setup a separate user in general too, for security.
There wasn’t an awful lot of info on that when I Googled though, so (from inital user creation):
usermod -a -G www-data gitlabrunner
passwd gitlabrunner # set a password for your new user
# ...then ssh into the box with that user & pass and:
ssh-keygen -t rsa
# Set a new deploy key in Gitlab admin setting using your new id_rsa.pub so your new user can "<code>git pull"
# copy the public key from your GitLab box in. For instance from /root/.ssh/id_rsa.pub
chown -R gitlabrunner:gitlabrunner /home/gitlabrunner/.ssh
chmod -R go-rwx /home/gitlabrunner/.ssh
# Edit your sudoers file
gitlabrunner ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp
Done! Your CI script will now be able to run WP-CLI commands as www-data. No root access, no entering passwords.