Description
Hello Teams,
After extensive debugging, we've identified a bug in the action_deploy_undeploy.sh script that prevents subsequent management tasks, like automated backups, from working on newly created instances.
The Problem:
When trying to run a backup on a new instance from the SellYourSaas interface, the process fails. The error log shows Permission denied (publickey,password) when trying to access the instance's OS user account (e.g., osu...@localhost) on the deployment server.
Root Cause Analysis:
The action_deploy_undeploy.sh script successfully creates the instance user and their jailed home directory. However, it fails to automatically install the maintenance public key (which should be /home/admin/.ssh/id_rsa_sellyoursaas.pub on the deployment server) into the new user's ~/.ssh/authorized_keys file.
Because this step is missing, any automated process running as the admin user on the deployment server cannot access the instance user's files, causing backups and potentially other tasks to fail.
Verification:
We confirmed this is the root cause by performing the step manually. After creating an instance, we manually did the following on the deployment server:
1. Created the ~/.ssh directory for the instance user.
2. Appended the content of /home/admin/.ssh/id_rsa_sellyoursaas.pub to the instance user's ~/.ssh/authorized_keys file.
3. Corrected the permissions on the .ssh directory and authorized_keys file.
After performing these manual steps, the backup for that specific instance worked perfectly.
Proposed Solution:
The action_deploy_undeploy.sh script needs to be modified to include this SSH key setup dynamically. The most secure way to grant the necessary read access for the admin user would be to use Access Control Lists (ACLs).
The script could be fixed by adding the following logic block inside the deployall section, after the instance user's home directory is confirmed to exist:
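```shell
# --- Suggested Fix using ACL ---
echo "INFO: Setting up ACL for admin access on instance $osusername"
# Grant the admin user read/traverse access to existing files...
setfacl -R -m u:admin:r-x "/home/jail/home/$osusername"
# ...and set a default ACL so newly created files inherit it
setfacl -R -d -m u:admin:r-x "/home/jail/home/$osusername"
```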
Alternatively, a block to copy the public key would also work. This seems to be a bug or omission in the current version of the script.
Thank you for your work on this great module. I hope this detailed report helps.
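
The three manual verification steps from the report above, written as a re-runnable shell function. This is an added example, not code from action_deploy_undeploy.sh or the SellYourSaas project; the function name `install_maintenance_key` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not SellYourSaas code. Hypothetical helper:
#   install_maintenance_key PUBKEY_FILE HOME_DIR [OWNER]
# e.g. install_maintenance_key /home/admin/.ssh/id_rsa_sellyoursaas.pub \
#          "/home/jail/home/$osusername" "$osusername"
install_maintenance_key() {
    pubkey_file=$1
    home_dir=$2
    owner=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "ERROR: cannot read $pubkey_file" >&2; return 1; }
    [ -d "$home_dir" ] || { echo "ERROR: missing home $home_dir" >&2; return 1; }

    # The home directory is writable by the instance user, so never write
    # through a symlink planted at .ssh or authorized_keys.
    if [ -L "$ssh_dir" ] || [ -L "$auth_keys" ]; then
        echo "ERROR: refusing symlink under $ssh_dir" >&2
        return 1
    fi

    mkdir -p "$ssh_dir" || return 1
    touch "$auth_keys" || return 1

    # Make sure an existing file ends with a newline before appending.
    if [ -s "$auth_keys" ] && [ -n "$(tail -c 1 "$auth_keys")" ]; then
        echo >> "$auth_keys"
    fi

    # Append each key only if that exact line is absent (safe to re-run).
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        grep -qxF -- "$key" "$auth_keys" || printf '%s\n' "$key" >> "$auth_keys"
    done < "$pubkey_file"

    # sshd with StrictModes rejects key files that others can write to.
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth_keys" || return 1

    # Ownership change needs root; skipped when OWNER is not given.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$ssh_dir" || return 1
    fi
}
```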