Saturday, January 02, 2016

Amazon EC2 instance with LAMP and Git and multiple Git collaborators

Brace yourself, this is going to be --long. I'm not going to explain a lot. I basically followed what was here, but procedures are outdated and can be confusing if you don't know what you're doing.

I'm just going to give an overview of what's different from that page now:
  •  When you launch a new EC2 instance, the wizard is now different. You will no longer have a choice between "Classic Wizard", "Quick Launch Wizard" etc.
  • Select Ubuntu server 14.04 64-bit with HVM (not PV).
  • Remember to add an EBS volume or expand the root volume. I don't recommend expanding root volume, but rather to use another volume to store your data. That way you can wipe you root volume and start over again without data loss. (I almost did, coz I stupidly sudo rm * in an important directory - but I managed to recover.)
  • You won't be creating key pairs in the wizard itself. You will be asked to do so after you click on Launch to start up the instance. The procedure to create key pair is still the same.
  • Remember to convert the downloaded *.pem file to *.ppk if you want to use PuTTY (my favorite SSH client). There are separate guides available for it.
  • WARNING! Half of the commands shown in the guide are to be executed in the local machine, with the other half on the EC2 instance. The guide assumes that your local machine is a Unix/Linux machine, but I'm on Windows. The local machine commands become unnecessary if you're on Windows, and procedures to achieve similar results would be different. For one thing, there's absolutely no notion of "Unix-style permissions" in Windows. If you have a hard time figuring out, here's a rough guide:
    • "Connect to server with your PEM Key using SSH" - commands for local machine. Not needed on Windows as you will use PuTTY or some graphical client.
    • "Install Linux Apache MySQL PHP (LAMP) Server" - commands for EC2 instance. Just run them once connected by PuTTY.
    • "Connecting with SSH without a PEM key" - commands for local machine. I actually skipped this entire section because I don't mind using the PEM key to connect to shell. For Git access, I set up additional user accounts which have password access and are limited to git-shell. More on that below. If you want to do this anyway, you will need to do this on Windows - and yes, you will need to figure out how - or just use PuTTYgen (easy peasy!).
    • "Setup GIT for web deployment and version control" - mostly commands for EC2 instance, until it says "local computer". This section should not be followed ditto as it's showing you how to set up a bare Git repo as well as live Git repo, and to link them so they are updated together. Be sure to understand the section well. The mod_rewrite commands at the end are also for EC2 instance.
  • The guide uses editors like nano and vi. I stick to using vim for all required edits as it's awesome. If you don't know how to use vim, you should learn. Just Google "vim cheatsheet" and you'll get a lot.
  • The added volume will need to be formatted and mounted manually. For this, see the answer here.
Outside the guide, I also set up users for each person I am going to collaborate with (including myself). Here's how I did that (following some parts of this guide, but my users will have write access):
  1. To make things easier, create a group where you will add your Git users. Let's call this group gitusers. So just run sudo addgroup gitusers.
  2. We will create the users one by one and add them to our gitusers group:
    sudo adduser username --ingroup gitusers --shell /usr/bin/git-shell
    • Be sure to replace username with the actual username of each user. Execute once per user.
    • The --shell part is important so that your new user can only do Git stuff, and not SSH into the server with terminal access.
    • Every time you need to add another user, just do this again. To remove a user, you can deluser or just move the user out of the gitusers group.
  3. Allow password-based authentication for your Git users. Note that you can also set up public-private keys as described in "Connecting with SSH without a PEM key", but I chose to go with a password route. To do this, I enable password-based authentication for only the gitusers group.
    1. Edit using sudo vim (or whatever) the file /etc/ssh/sshd_config
    2. At the end of the file, add this: (vim tip: press Shift-G to quickly go there, then press i and start typing)
      Match Group gitusers
              PasswordAuthentication yes
    3. Save (vim tip: press Esc to exit Insert mode, then type :wq Enter)
    4. Execute sudo service ssh restart so that ssh will pick up the changes.
  4. Remember you changed owner to ubuntu for two folders in "Setup GIT for web deployment and version control"? You need to change the group and add group write permissions to the same two folders, like this:
    sudo chgrp -R gitusers /var/git/
    sudo chgrp -R gitusers /var/www/
    sudo chmod -R g+w /var/git/
    sudo chmod -R g+w /var/www/
  5. That's it. If you ever need read-only Git users, just create another group for them and give the group password-based authentication in sshd_config:
    Match Group gitusers,gitreadonly
    Create the users the same way, except change to --ingroup gitreadonly.
  6. When you clone a git repo to a local machine on a command line, connect by ssh as follows:
    git clone ssh://username@hostname-or-ip-address/path/to/the/repository.git
    For a GUI tool, provide repo URL as above (without the git clone part).

Bonus:

Better to install extundelete using sudo apt-get install extundelete so that you can run it if ever you accidentally rm some important file. I accidentally rm'ed the entire /etc/ssh folder contents losing everything, but managed to recover them using this tool.

I also set up and used No-IP service to give my instance a fixed name, so it's reachable by same host name even if I stop and restart it. To have noip2 always start at boot, do sudo crontab -e and add the line:
@reboot sleep 30 && /usr/local/bin/noip2

That's it!

No comments:

Post a Comment

Comments are moderated, and are usually posted within 24 hours if approved. You must have a minimum of OpenID to post comments.

LinkWithin

Related Posts with Thumbnails