Setting permissions for your GitLab CI Runner & W3 Total Cache

So in the last post on this, I looked at setting up auto deploy for a WordPress site using GitLab’s CI runner.  I also wanted the W3TC cache to be cleared, and thanks to WP-CLI, that was possible by adding:

- sudo -u www-data wp w3-total-cache flush

to the end of the script node in .gitlab-ci.yml.

Now. “sudo?!?!?!?!” I hear you say? There’s a security risk if ever I saw one. Luckily this doesn’t have to be the case if things are set up right. Make a separate user for GitLab Runner and limit it to sudo-ing as only www-data and only running that command while doing so.

It’s a good idea to set up a separate user in general too, for security.

There wasn’t an awful lot of info on that when I Googled though, so (from initial user creation):

adduser gitlabrunner
usermod -a -G www-data gitlabrunner
passwd gitlabrunner # set a password for your new user
# ...then ssh into the box with that user & pass and:
ssh-keygen -t rsa
# Set a new deploy key in the GitLab admin settings using your new id_rsa.pub so your new user can "git pull"
vi /home/gitlabrunner/.ssh/authorized_keys
# copy the public key from your GitLab box in. For instance from /root/.ssh/id_rsa.pub
chown -R gitlabrunner:gitlabrunner /home/gitlabrunner/.ssh
chmod -R go-rwx /home/gitlabrunner/.ssh
# Edit your sudoers file
visudo
# add:
gitlabrunner ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp 

Done! Your CI script will now be able to run WP-CLI commands as www-data. No root access, no entering passwords.
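
The sudoers line above names only the binary, so sudo accepts any arguments after it, and WP-CLI includes subcommands such as `wp eval` that run arbitrary PHP as www-data. As an added example (not from the original post), this drop-in pins the rule to the single flush command used in the CI script; the file name /etc/sudoers.d/gitlabrunner is an assumption.

```sudoers
# /etc/sudoers.d/gitlabrunner
# (file name is an assumption; edit it with: visudo -f /etc/sudoers.d/gitlabrunner)

# As in the post: no argument list, so ANY wp subcommand and any
# arguments are allowed as www-data.
# gitlabrunner ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp

# Restricted: sudo matches the argument list exactly, so only the
# W3 Total Cache flush from .gitlab-ci.yml is permitted.
gitlabrunner ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp w3-total-cache flush

# If the CI job passes extra flags (for example --path=...), they must
# appear in the rule verbatim, otherwise sudo refuses the command.

# Check the syntax and the effective rules afterwards:
#   visudo -cf /etc/sudoers.d/gitlabrunner
#   sudo -l -U gitlabrunner
```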

