Run Frappe bench as 'frappe' system user
Create a dedicated 'frappe' user and run all bench/uv commands as that user. Chown /opt, install frappe-bench and perform bench init, get-app and new-site via sudo -u frappe (preserving PATH), and run 'bench setup production frappe --yes'. Update the systemd service to User=frappe so Gunicorn and bench processes do not run as root, improving security and isolation.
@@ -16,6 +16,7 @@ update_os
|
|||||||
msg_info "Installing Dependencies"
|
msg_info "Installing Dependencies"
|
||||||
$STD apt install -y \
|
$STD apt install -y \
|
||||||
git \
|
git \
|
||||||
|
sudo \
|
||||||
build-essential \
|
build-essential \
|
||||||
libffi-dev \
|
libffi-dev \
|
||||||
libssl-dev \
|
libssl-dev \
|
||||||
@@ -53,23 +54,16 @@ rm -f /tmp/wkhtmltox.deb
|
|||||||
msg_ok "Installed wkhtmltopdf"
|
msg_ok "Installed wkhtmltopdf"
|
||||||
|
|
||||||
msg_info "Installing Frappe Bench"
|
msg_info "Installing Frappe Bench"
|
||||||
$STD uv tool install frappe-bench
|
useradd -m -s /bin/bash frappe
|
||||||
export PATH="$HOME/.local/bin:$PATH"
|
chown frappe:frappe /opt
|
||||||
|
$STD sudo -u frappe bash -c 'export PATH="$HOME/.local/bin:$PATH"; uv tool install frappe-bench'
|
||||||
msg_ok "Installed Frappe Bench"
|
msg_ok "Installed Frappe Bench"
|
||||||
|
|
||||||
msg_info "Initializing Frappe Bench"
|
msg_info "Initializing Frappe Bench"
|
||||||
ADMIN_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c13)
|
ADMIN_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c13)
|
||||||
cd /opt
|
$STD sudo -u frappe bash -c 'export PATH="$HOME/.local/bin:$PATH"; cd /opt && bench init --frappe-branch version-15 frappe-bench'
|
||||||
export CI=1
|
$STD sudo -u frappe bash -c 'export PATH="$HOME/.local/bin:$PATH"; cd /opt/frappe-bench && bench get-app erpnext --branch version-15'
|
||||||
export FRAPPE_ALLOW_SUPERUSER=1
|
$STD sudo -u frappe bash -c "export PATH=\"\$HOME/.local/bin:\$PATH\"; cd /opt/frappe-bench && bench new-site site1.local --db-root-username root --admin-password \"$ADMIN_PASS\" --install-app erpnext --set-default"
|
||||||
$STD bench init --frappe-branch version-15 frappe-bench
|
|
||||||
cd /opt/frappe-bench
|
|
||||||
$STD bench get-app erpnext --branch version-15
|
|
||||||
$STD bench new-site site1.local \
|
|
||||||
--db-root-username root \
|
|
||||||
--admin-password "$ADMIN_PASS" \
|
|
||||||
--install-app erpnext \
|
|
||||||
--set-default
|
|
||||||
msg_ok "Initialized Frappe Bench"
|
msg_ok "Initialized Frappe Bench"
|
||||||
|
|
||||||
msg_info "Configuring ERPNext"
|
msg_info "Configuring ERPNext"
|
||||||
@@ -81,7 +75,7 @@ $STD systemctl enable --now redis-server
|
|||||||
msg_ok "Configured ERPNext"
|
msg_ok "Configured ERPNext"
|
||||||
|
|
||||||
msg_info "Setting up Production"
|
msg_info "Setting up Production"
|
||||||
$STD bench setup production root --yes
|
$STD sudo -u frappe bash -c 'export PATH="$HOME/.local/bin:$PATH"; cd /opt/frappe-bench && bench setup production frappe --yes'
|
||||||
msg_ok "Set up Production"
|
msg_ok "Set up Production"
|
||||||
|
|
||||||
msg_info "Creating Service"
|
msg_info "Creating Service"
|
||||||
@@ -92,7 +86,7 @@ After=network.target mariadb.service redis-server.service
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
User=root
|
User=frappe
|
||||||
WorkingDirectory=/opt/frappe-bench
|
WorkingDirectory=/opt/frappe-bench
|
||||||
ExecStart=/opt/frappe-bench/env/bin/gunicorn --bind 0.0.0.0:8000 --workers 4 --timeout 120 frappe.app:application
|
ExecStart=/opt/frappe-bench/env/bin/gunicorn --bind 0.0.0.0:8000 --workers 4 --timeout 120 frappe.app:application
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
|||||||
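Review bot: The new-site line in the second hunk now passes the generated admin password through sudo's argument list, and sudo by default writes the full COMMAND (including `--admin-password <value>`) to syslog/the journal, so the secret ends up in the auth log as well as in /proc/*/cmdline where the unprivileged frappe user can read it while the command runs. Exporting the variable and letting sudo pass it through instead keeps it out of sudo's argv and log: `export ADMIN_PASS` before the call, then `$STD sudo -u frappe --preserve-env=ADMIN_PASS bash -c 'export PATH="$HOME/.local/bin:$PATH"; cd /opt/frappe-bench && bench new-site site1.local --db-root-username root --admin-password "$ADMIN_PASS" --install-app erpnext --set-default'` (single quotes, so the inner shell expands it; the bench process itself still sees it on argv, which this script cannot avoid without a non-argv option from bench). In the same hunk, `chown frappe:frappe /opt` hands the unprivileged user ownership of a shared system directory that other packages install into; creating a frappe-owned subdirectory (e.g. `install -d -o frappe -g frappe /opt/frappe` and initialising the bench inside it) limits what a compromised service account can tamper with, though the WorkingDirectory/ExecStart paths in the unit-file hunk would need to follow. `useradd -m -s /bin/bash frappe` is not idempotent, so a re-run of the script under the $STD wrapper will presumably abort on the existing account; `id frappe >/dev/null 2>&1 || useradd -m -s /bin/bash frappe` avoids that.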