So in the last post on this, I looked at setting up auto deploy for a WordPress site using GitLab’s CI runner. I also wanted the W3TC cache to be cleared, and thanks to WP-CLI, that was possible by adding:
- sudo -u www-data wp w3-total-cache flush
to the end of the script node in .gitlab-ci.yml.
Now. “sudo?!?!?!?!” I hear you say? There’s a security risk if ever I saw one. Luckily this doesn’t have to be the case if things are set up right. Make a separate user for GitLab Runner and limit it to sudo-ing only as www-data, and only to run that one command while doing so.
It’s a good idea to set up a separate user in general too, for security.
There wasn’t an awful lot of info on that when I Googled though, so (from initial user creation):
adduser gitlabrunner
usermod -a -G www-data gitlabrunner
passwd gitlabrunner # set a password for your new user
# ...then ssh into the box with that user & pass and:
ssh-keygen -t rsa # set a new deploy key in the GitLab admin settings using your new id_rsa.pub so your new user can "git pull"
vi /home/gitlabrunner/.ssh/authorized_keys # copy the public key from your GitLab box in, for instance from /root/.ssh/id_rsa.pub
chown -R gitlabrunner:gitlabrunner /home/gitlabrunner/.ssh
chmod -R go-rwx /home/gitlabrunner/.ssh
# Edit your sudoers file
visudo
# add:
gitlabrunner ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp
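One caveat on that sudoers line: it lets the gitlabrunner user run /usr/local/bin/wp with any arguments, so every WP-CLI subcommand is available as www-data, not just the cache flush. sudoers matches listed arguments exactly, so naming the subcommand in the rule narrows the grant to the one command the CI job needs. The script below is an added example, not part of the original post: it lints a constructed sudoers fragment and only accepts a rule for the given user when it runs solely as www-data, contains no ALL command, and names the wp binary by absolute path with an explicit subcommand. The file path /etc/sudoers.d/gitlabrunner mentioned in the comments is an assumed location for a real deployment; run `visudo -c -f` on any fragment before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): lint a sudoers rule for the CI
# user so it grants only one WP-CLI command, run only as www-data.
# The fragment below is constructed for the example. On a real box you would
# point check_entry at /etc/sudoers.d/gitlabrunner (assumed path) after
# validating it with: visudo -c -f /etc/sudoers.d/gitlabrunner

SUDOERS_SAMPLE=$(mktemp)
trap 'rm -f "$SUDOERS_SAMPLE"' EXIT
cat > "$SUDOERS_SAMPLE" <<'EOF'
# constructed sample: tightened rule, the post's broad rule, and a root-equivalent rule
gitlabrunner ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp w3-total-cache flush
loose ALL=(www-data:www-data) NOPASSWD: /usr/local/bin/wp
deploy ALL=(ALL) NOPASSWD: ALL
EOF

# check_entry FILE USER
# Returns 0 when every rule for USER in FILE runs only as www-data, carries no
# "ALL" command, and names /usr/local/bin/wp with an explicit subcommand;
# returns 1 otherwise (including when USER has no rule at all).
check_entry() {
  file=$1
  user=$2
  awk -v u="$user" '
    $1 == u {
      seen = 1
      # the run-as spec sits between "(" and ")" on the line
      if (match($0, /\([^)]*\)/) == 0) { bad = 1; next }
      runas = substr($0, RSTART + 1, RLENGTH - 2)
      if (runas != "www-data" && runas != "www-data:www-data") bad = 1
      # the command list is everything after ")" and an optional NOPASSWD: tag
      cmd = $0
      sub(/^[^)]*\)[ \t]*/, "", cmd)
      sub(/^NOPASSWD:[ \t]*/, "", cmd)
      if (cmd == "ALL" || cmd ~ /(^|, *)ALL(,|$)/) bad = 1
      # require the absolute wp path followed by a concrete subcommand
      if (cmd !~ /^\/usr\/local\/bin\/wp [a-z0-9-]+/) bad = 1
    }
    END { if (seen && !bad) exit 0; exit 1 }
  ' "$file"
}

# Report on each user in the constructed fragment.
for u in gitlabrunner loose deploy; do
  if check_entry "$SUDOERS_SAMPLE" "$u"; then
    echo "$u: restricted to one wp command as www-data"
  else
    echo "$u: too broad, tighten before the runner uses it"
  fi
done
```

Only the first rule passes: the post's original rule (shown here under the user `loose`) is rejected because it omits the subcommand, and the `deploy` rule is rejected on both the run-as spec and the ALL command.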
Done! Your CI script will now be able to run WP-CLI commands as www-data. No root access, no entering passwords.