I work with Rails and deploy applications to servers using Capistrano. I have a Jenkins server (on my own linode).
What I’d like to know is how to set up a contractor so they have enough access to get work done and use the tools I have (like Jenkins), but not allow them to cause any critical damage.
The workflow might be as so:
- Commit changes to private git repo
- Deploy to Jenkins
- Deploy changes to staging server (my linode)
- Deploy changes to live server (client’s linode)
I use SSH for everything, but I’m wondering if I might be allowing users too much access in that they might be able to run sudo commands and change user passwords and bypass the SSH key/pair auth. Should each user have a limited Linux user account (maybe share the same limited account), and add their SSH key(s) to that?
My other question is, can I deploy to staging/live servers with Jenkins, and so only grant access to those servers from my Jenkins server?
Can I do all this by only allowing developers access to the git repo? Jenkins tracks that, then deploys to staging/live?
Basically, I think the approach should be as follows.
Also, you shouldn’t give them sudo on the staging machine. Just set up a deployment role which gives access to the directory with the code, because you don’t even need to do server restarts if you use Passenger (just use touch %RAILS_ROOT%/tmp/restart.txt, if you know what I mean). And set up the Ruby env via rvm.
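A way to check the setup discussed in this thread, added here as an example and not part of either post: the script audits a deployment account for admin-group membership and for SSH keys that are not restricted to the Jenkins host with the `from=` option in authorized_keys. The account name `deploy`, the admin group names, the address 192.0.2.10 and the sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. Account, group names and the Jenkins IP are assumptions.

# in_admin_group USER GROUP_FILE: succeeds if USER is a listed member of an
# admin group. Does not cover primary-group membership or sudoers entries.
in_admin_group() {
    awk -F: -v u="$1" '
        $1 == "sudo" || $1 == "wheel" || $1 == "admin" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }' "$2"
}

# unpinned_keys AUTH_KEYS IP: prints "line: comment" for each key whose options
# do not contain exactly from="IP" (multi-host from= lists are flagged too).
unpinned_keys() {
    awk -v ip="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            match($0, /(ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+) AAAA/)
            opts = substr($0, 1, RSTART - 1)   # text before the key type
            if (index(opts, "from=\"" ip "\"") == 0) print NR ": " $NF
        }' "$1"
}

audit_deploy() {   # audit_deploy USER GROUP_FILE AUTH_KEYS JENKINS_IP
    rc=0
    if in_admin_group "$1" "$2"; then
        echo "FAIL: $1 is in an admin group"; rc=1
    fi
    bad=$(unpinned_keys "$3" "$4")
    if [ -n "$bad" ]; then
        echo "FAIL: keys not pinned to $4:"; echo "$bad"; rc=1
    fi
    return $rc
}

# Constructed sample files (not real keys or hosts).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/group" <<'EOF'
sudo:x:27:alice
deploy:x:1001:
EOF
cat > "$SAMPLES/authorized_keys" <<'EOF'
from="192.0.2.10",no-pty,no-port-forwarding ssh-ed25519 AAAAC3constructedJenkinsKey jenkins@ci
ssh-ed25519 AAAAC3constructedContractorKey contractor@laptop
EOF
audit_deploy deploy "$SAMPLES/group" "$SAMPLES/authorized_keys" 192.0.2.10 || true
```

On the sample data the audit reports the contractor key on line 2, because it would let that key log in to the deploy account from any address rather than only from Jenkins.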