aws-codedeploy-agent: Scripts fail to run as non-root user

Having issues on Ubuntu 16.04 while running ApplicationStart script as non-root user in us-east-2 region

Here is my appspec file:

os: linux
files:
  - source: /
    destination: /opt/nd/apps/nd-platform/
    owner: nd-deploy
permissions:
  - object: /opt/nd
    pattern: "**"
    owner: nd-deploy
    group: nd-deploy
    mode: 755

hooks:

  ApplicationStop:
    - location: bin/application-stop.sh
      timeout: 300
    - location: bin/wait_for_bootstrap.sh
      runas: root

  ApplicationStart:
    - location: bin/application-start.sh
      timeout: 600
      runas: nd-deploy

Error from the AWS console:

ScriptFailed
Script Name: bin/application-start.sh
Message: Script at specified location: bin/application-start.sh run as user nd-deploy failed with exit code 126
Log Tail:
LifecycleEvent - ApplicationStart
Script - bin/application-start.sh
[stderr]/bin/bash: /opt/codedeploy-agent/deployment-root/abef4fc8-8f7b-4974-af74-2d71a7f68342/d-6PWC3F03L/deployment-archive/bin/application-start.sh: Permission denied

Error from codedeploy-agent log

2017-05-21 07:57:36 ERROR [codedeploy-agent(16392)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Error during perform: InstanceAgent::Plugins::CodeDeployPlugin::ScriptError - Script at specified location: bin/application-start.sh run as user nd-deploy failed with exit code 126 - /opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/hook_executor.rb:158:in `execute_script'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/hook_executor.rb:115:in `block (2 levels) in execute'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/hook_executor.rb:103:in `each'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/hook_executor.rb:103:in `block in execute'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/hook_executor.rb:173:in `create_script_log_file_if_needed'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/hook_executor.rb:101:in `execute'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:142:in `block (3 levels) in map'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:130:in `each'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:130:in `block (2 levels) in map'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_executor.rb:62:in `execute_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:132:in `process_command'
/opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/command_poller.rb:65:in `perform'
/opt/codedeploy-agent/lib/instance_agent/agent/base.rb:28:in `run'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:38:in `block in run'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:55:in `with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:37:in `run'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:70:in `block in run_with_error_handling'
/opt/codedeploy-agent/lib/instance_agent/runner/child.rb:55:in `with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:69:in `run_with_error_handling'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:33:in `block in start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:22:in `loop'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/child.rb:22:in `start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:206:in `block in spawn_child'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:204:in `fork'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:204:in `spawn_child'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:196:in `block in spawn_children'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:195:in `times'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:195:in `spawn_children'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:134:in `start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:37:in `block in start'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:36:in `fork'
/opt/codedeploy-agent/vendor/gems/process_manager-0.0.13/lib/process_manager/master.rb:36:in `start'
/opt/codedeploy-agent/bin/../lib/codedeploy-agent.rb:41:in `block (2 levels) in <main>'
/opt/codedeploy-agent/vendor/gems/gli-2.5.6/lib/gli/command_support.rb:130:in `execute'
/opt/codedeploy-agent/vendor/gems/gli-2.5.6/lib/gli/app_support.rb:262:in `block in call_command'
/opt/codedeploy-agent/vendor/gems/gli-2.5.6/lib/gli/app_support.rb:275:in `call_command'
/opt/codedeploy-agent/vendor/gems/gli-2.5.6/lib/gli/app_support.rb:69:in `run'
/opt/codedeploy-agent/bin/../lib/codedeploy-agent.rb:88:in `<main>'
2017-05-21 07:57:46 INFO  [codedeploy-agent(16392)]: Version file found in /opt/codedeploy-agent/.version. 

Shouldn’t it run from the destination path rather than /opt/codedeploy-agent/... ?

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 3
  • Comments: 34 (15 by maintainers)

Most upvoted comments

Frustrating here too. I have been dealing with this issue for days and am still looking for a solution. In my situation, the codedeploy agent was working well as root within Amazon Linux 2. I had to switch to CIS Hardened Amazon Linux 2 Level 2, where deployment-root is automatically set up to 711, which made my script with ‘runas’ stop working.

I had to add a custom “chmod 755 /opt/codedeploy-agent/deployment-root” to make sure the scripts downloaded in the bundle can be executed. It works for me.
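The two reports above (exit code 126 with "Permission denied" on the deployment-archive copy, and the deployment-root chmod that made runas work again) are the same failure seen from two sides: the agent runs hook scripts from its own copy of the bundle under /opt/codedeploy-agent/deployment-root/.../deployment-archive, not from the `files` destination, so the `permissions` block for /opt/nd never applies to them, and the user named in `runas` must be able to search every directory on that path and read and execute the script. The checker below walks that path and names the first component whose classic mode bits deny a given uid. It is an added example written for this page, not code from the issue or from the codedeploy-agent project; the d-EXAMPLE directory, the constructed tree and the "some other uid" principal are assumptions, and only POSIX mode bits are modelled (ACLs, SELinux/AppArmor and sudo rules are out of scope).

```python
import os
import stat
import tempfile


def _effective_bits(st: os.stat_result, uid: int, gids: frozenset) -> int:
    """Return the rwx triplet (0-7) that the classic mode bits grant to uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def check_script_access(script: str, uid: int, gids: frozenset, base: str = "/") -> list:
    """Walk from `base` down to `script` and list every component whose mode bits
    deny the runas principal. An empty list means exec would not fail on mode bits.
    Run as root (or the tree owner) so that os.stat() itself succeeds."""
    problems = []
    script = os.path.abspath(script)
    base = os.path.abspath(base)
    rel = os.path.relpath(script, base)
    if rel.startswith(os.pardir):
        raise ValueError(f"{script} is not below {base}")
    comps = rel.split(os.sep)

    # Every directory from base down to the script's parent needs the search (x) bit.
    dirs = [base]
    for comp in comps[:-1]:
        dirs.append(os.path.join(dirs[-1], comp))
    for d in dirs:
        st = os.stat(d)
        if not _effective_bits(st, uid, gids) & 0o1:
            problems.append(f"{d}: {stat.filemode(st.st_mode)} denies search (x) to uid {uid}")

    # The script itself needs execute (else exit 126) and read (the interpreter opens it).
    st = os.stat(script)
    bits = _effective_bits(st, uid, gids)
    if not bits & 0o1:
        problems.append(f"{script}: {stat.filemode(st.st_mode)} has no execute bit for uid {uid}")
    if not bits & 0o4:
        problems.append(f"{script}: {stat.filemode(st.st_mode)} is unreadable by uid {uid}")
    return problems


def demo() -> tuple:
    """Constructed tree shaped like the agent's deployment-root (assumption: a
    hypothetical deployment id d-EXAMPLE). Returns the findings for three states:
    deployment-root searchable only by its owner, deployment-root at 0755, and the
    script with its execute bit stripped; all evaluated for a uid that owns nothing."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    droot = os.path.join(base, "deployment-root")
    script = os.path.join(droot, "d-EXAMPLE", "deployment-archive",
                          "bin", "application-start.sh")
    os.makedirs(os.path.dirname(script))
    d = os.path.dirname(script)
    while d != base:                   # make every directory below base 0755 explicitly
        os.chmod(d, 0o755)
        d = os.path.dirname(d)
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho started\n")
    os.chmod(script, 0o755)

    other = os.getuid() + 1            # stands in for the runas user; owns none of the tree
    nogroups = frozenset()

    os.chmod(droot, 0o700)             # search denied to everyone but the owner
    denied_by_dir = check_script_access(script, other, nogroups, base)
    os.chmod(droot, 0o755)             # the chmod from the comment above
    fixed = check_script_access(script, other, nogroups, base)
    os.chmod(script, 0o644)            # execute bit lost, e.g. bundle zipped without modes
    no_exec_bit = check_script_access(script, other, nogroups, base)
    return denied_by_dir, fixed, no_exec_bit


if __name__ == "__main__":
    for label, findings in zip(("dir 0700", "dir 0755", "script 0644"), demo()):
        print(label, "->", findings or "ok")
```

On a real instance, point it at the failing path from the console error with `base="/opt/codedeploy-agent"` and the uid/gids of the runas account (`pwd.getpwnam(...)` and `os.getgrouplist(...)`); the first line it prints is the component to fix, and if it prints nothing the denial is coming from something the mode bits do not express (an ACL, a mandatory access control policy, or a noexec mount).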

I’ve been dealing with this issue as well.

My appspec.yml is:

  ApplicationStart:
    - location: scripts/autostart.sh
      timeout: 300
      runas: ec2-user
    - location: scripts/register_with_elb.sh

My autostart.sh:

NODE_ENV="$NODE_ENV" pm2 start "${PROCESSES["$proc"]}" --name "$proc" --node-args="--max_old_space_size=800" --log-date-format="MMM D/YY - HH:mm:ss"

Very frustrating. The runas simply does not function as intended.

Update

I noticed that the bash script automatically adds sudo in front of the pm2 call, so it runs as ec2-user but in sudoer mode, which isn’t the same as running as the root user. I noticed that my symbolic links for sudo pm2 pointed to /usr/bin/pm2 while pm2 resolved to /usr/local/bin/pm2, both of which were different builds, which is why I was experiencing versioning issues.

The solution was to ensure my symbolic links for sudo pm2 were correct, and remove pm2 completely from the root user:

sudo npm install pm2 -g
sudo ln -s /usr/local/bin/pm2 /usr/bin/pm2
sudo pm2 update
sudo su
pm2 kill
npm remove pm2 -g
exit

Yes, that could be a workaround but … it still needs investigating/fixing imho.