Creating a Build Server

Automating Deployment: The Build Server

In this video, I create our build server, which has the parts needed to listen for web requests (webhooks) and run our Fabric deploy process.

Create Users

First we'll create some users - one admin user (who can use sudo) and one that will run our deploy scripts.

sudo adduser admin
sudo adduser deployer

sudo usermod -a -G sudo admin
groups admin

SSH Access

Let's set up our SSH keys so we can log in as these users.

On our local computer, we'll copy our local SSH key ID to the new server. The new server can still only be accessed via password, so we'll tell ssh-copy-id not to use public-key authentication while copying the key over.

ssh-copy-id -o "PubkeyAuthentication no" \
            -i ~/.ssh/id_series \
            admin@104.236.246.253

ssh-copy-id -o "PubkeyAuthentication no" \
            -i ~/.ssh/id_series \
            deployer@104.236.246.253

# We'll disable root user access
# but we'll add this key for now to log in more easily
# until we do that
ssh-copy-id -o "PubkeyAuthentication no" \
            -i ~/.ssh/id_series \
            root@104.236.246.253

Install Some Basics

Log back in as user root:

ssh -o "IdentitiesOnly yes" -i ~/.ssh/id_series root@104.236.246.253

Then we can start installing the basics:

sudo apt-get update
sudo apt-get install -y vim curl tmux wget unzip htop

SSH Configuration/Security

Let's edit our SSHD configuration to add some security.

sudo vim /etc/ssh/sshd_config

These are the two settings we'll change:

PermitRootLogin without-password  # PW auth disabled, key-only
PasswordAuthentication no         # Key-only in general

You can read more about these with the man sshd_config command.

We'll disable root login completely and turn off password-based authentication:

PermitRootLogin no
PasswordAuthentication no

Finally, restart SSH so the changes take effect:

sudo service ssh restart
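
As an added example (not part of the original video notes), the script below checks a config file for the two settings changed above. It relies on sshd's rule that the first value read for a keyword wins; the function names and sample configs are constructed for illustration, and it only reads the global section, stopping at the first Match block.

```shell
# Added example: audit the two sshd_config settings changed above.
# sshd keeps the FIRST value it reads, so a "no" appended at the bottom
# of the file loses to an earlier "yes".

# effective_value FILE KEYWORD: print the value sshd would use from the
# global section (lower-cased), or nothing if the keyword is not set.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # Match blocks are conditional: stop
        {
            split($0, f, /[ \t=]+/)         # "Keyword value" or "Keyword=value"
            if (tolower(f[1]) == want) { print tolower(f[2]); exit }
        }
    ' "$1"
}

# check_hardening FILE: succeed only if both settings are effectively "no".
check_hardening() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw is '${val:-unset}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs (not real server files).
good_cfg=$(mktemp); shadowed_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$shadowed_cfg" <<'EOF'
# earlier line, e.g. left over from the distribution default
PasswordAuthentication yes
PermitRootLogin without-password  # PW auth disabled, key-only
PasswordAuthentication no
EOF

check_hardening "$good_cfg"     || echo "good_cfg needs attention"
check_hardening "$shadowed_cfg" || echo "shadowed_cfg needs attention"
```

On the server, call check_hardening /etc/ssh/sshd_config; sudo sshd -t validates the file's syntax and sudo sshd -T prints the configuration sshd will actually use.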

Firewalls

Let's set up firewall rules, exactly like we did on our application server.

sudo apt-get install -y iptables-persistent
sudo service iptables-persistent start

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -j DROP

sudo service iptables-persistent save

Software

After our access and security concerns, we can start getting the software we need to run deployments. This includes Python, pip and NodeJS.

# Python
sudo apt-get install -y python-pip python-dev build-essential
sudo pip install -U pip
sudo pip install virtualenv

# NodeJS
curl --silent --location https://deb.nodesource.com/setup_0.12 | sudo bash -
sudo apt-get install -y nodejs

Fabric Setup

User deployer will be running Fabric. Log in as user deployer and run the following steps to get the build server set up:

# A directory for our build files
cd ~/
mkdir build-server
cd build-server

# A virtualenv and python dependencies
# for fabric to run
virtualenv .venv
source .venv/bin/activate
pip install fabric

vim fabfile.py
# Copy the fabfile.py we created so far

vim deploy.py
# Copy the deploy.py file created in the last video

If we try to deploy, we'll see we don't have access to the application server yet!

SSH Access to App Server

Since we need to deploy to our application server, we'll need access to that server!

We'll create an SSH key pair used specifically to access our application servers from the deployment server.

We'll do that as user deployer, the user that will run the Fabric tasks. Let's create the SSH key with no password (leave the password prompts empty).

# Logged in as user deployer
cd ~/.ssh
ssh-keygen -t rsa -b 4096 -C "chris@serialapp.com" -f id_seriesdeploy

Then copy the public key to the authorized_keys file on the web application server for user serial.

Finally we can create/edit the ~/.ssh/config file for user deployer in order to log in more easily.

File ~/.ssh/config:

Host serial-app
    HostName 45.55.209.211
    User serial
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_seriesdeploy

Try running the Fabfile command fab deploy to see it deploy!