Can’t edit files in Amazon Lightsail

amazon-lightsailamazon-web-services

I'm trying to modify a child theme installed on a WordPress site on Amazon Lightsail. I'm using Panic's Transmit to access the server, but whenever I try to perform any write operations (edit, upload, new folder, new file, paste, move, etc.) I get an error that tells me it couldn't do what I asked it to do, "Make sure you have permission to modify this file."

Any ideas? I'm a junior developer and not super server savvy (brand new to Lightsail), so if you think I'm missing something basic I probably am. 🙂

Best Answer

It's most likely file permissions. I assume you're logging in as ec2-user with a certificate. That user won't have permission to write files to where you're trying.

You can add ec-2 user to the group that has permission to write to those folders and files, or you can create a new user that has appropriate permissions.

The way I did it was I create a new user (eg bob), then added bob to the www-data group. I made sure files and folders were owned by the www-data group

I've got an article on this here. They key parts are below, see the link for a bit more explanation.

sudo su
sudo useradd fred
passwd fred

su fred
ssh-keygen -f fred-t rsa

mkdir .ssh

touch .ssh/authorized_keys
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

cat fred.pub >> /home/fred/.ssh/authorized_keys

vi /etc/ssh/sshd_config
PasswordAuthentication no
AllowUsers ec2-user fred

You'll need to give fred access to those files

groupadd www-data
chown -R fred:www-data /var/www

# Change webroot permissions
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;
# Wordpress specific
find /var/www/wp-content/uploads -type f -exec chmod 664 {} \;
find /var/www/wp-content/plugins -type f -exec chmod 664 {} \;
find /var/www/wp-content/themes -type f -exec chmod 644 {} \;
chmod 440 /var/www/wp-config.php
chmod -R g+s /var/www/

In either case, now you know what the problem is, you can Google things like permissions, adding users to groups, creating groups, etc. I didn't know anything about this stuff 18 months ago, I had a developer background, I learned by doing, reading tutorials, and experimenting. Keep backups.

Related Solutions

Amazon S3 – How to Get the Size of an Amazon S3 Bucket

The AWS CLI now supports the --query parameter which takes a JMESPath expressions.

This means you can sum the size values given by list-objects using sum(Contents[].Size) and count like length(Contents[]).

This can be be run using the official AWS CLI as below and was introduced in Feb 2014

 aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"

Can’t establish VPC peering connection from Amazon Lightsail

Apparently, you don't actually get to choose which VPC Lightsail will try to peer with -- it wants to peer with your Default VPC.

Once VPC peering is enabled, you can address other AWS resources in your default AWS VPC by using their private IPs.

https://amazonlightsail.com/docs/#faq

I don't know if I overlooked this originally, or if it was subsequently added to the documentation. It's the last sentence of a paragraph and I may have simply overlooked it. In regions where I do have a default VPC, I don't use it, preferring to "roll my own" from scratch.

Default VPC is not simply a VPC you've selected as "the default," but rather refers to a specific VPC in each region that is initially created by the VPC infrastructure, pre-provisioned.

The problem is, you may not have one of these in every region... and you'll encounter exactly the problem described here, if you don't have a Default VPC in the Lightsail region in question (when this was originally written, LightSail was only available in us-east-1; it has subsequently been launched in many of the other AWS regions). If that describes your situation, you may be able to remedy it yourself, or you may need to contact support. Either way, the Default VPC appears to be the only VPC that Lightsail will peer with.

Not having a Default VPC shouldn't be an issue with a relatively new AWS account:

If you created your AWS account after 2013-12-04, it supports only EC2-VPC. In this case, you'll have a default VPC in each AWS region.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html

Both of the accounts I initially tested with a quite a bit older than that.

I created a new AWS account today, and, not surprisingly, Lightsail VPC peering worked on the first attempt.

After selecting the appropriate region, if your "EC2 Dashboard" page in the AWS console, at the top right of the screen, says...

Supported Platforms

EC2

VPC

...and there's no mention of a Default VPC there, then that's what you're missing. You might (as of 2017-07-27) be able to create a Default VPC yourself. Failing that, you may need to contact AWS support to request that they reconfigure your account so that you have a Default VPC, which was the standard process that was required before the ability to create your own was made available. Once you have a Default VPC in the region, all should be well.

But there's a bit of a catch, so you'll need to take additional steps to prepare your account, before trying to create a Default VPC or contacting support.

Q. I really want a default VPC for my existing EC2 account. Is that possible?

Yes, however, we can only enable an existing account for a default VPC if you have no EC2-Classic resources for that account in that region. Additionally, you must terminate all non-VPC provisioned Elastic Load Balancers, Amazon RDS, Amazon ElastiCache, and Amazon Redshift resources in that region. After your account has been configured for a default VPC, all future resource launches, including instances launched via Auto Scaling, will be placed in your default VPC. To request your existing account be setup with a default VPC, contact AWS Support. We will review your request and your existing AWS services and EC2-Classic presence to determine if you are eligible for a default VPC.

https://aws.amazon.com/vpc/faqs/#Default_VPCs

That's the catch -- you permanently lose access to EC2-Classic -- but if you ask me, that isn't really much of a sacrifice.

So if your account still has "EC2 Classic" access and the default VPC is conspicuously absent, then the solution is to migrate away from, and terminate, any old EC2 Classic (non-VPC) instances, along with any services that are running on top of EC2 Classic (such as RDS running outside of VPC), and it would probably not be a bad idea to remove supporting entities like non-VPC Elastic IPs, Security Groups, etc. Then you can contact AWS and have your account reconfigured to "EC2-VPC"-only in the region, and your peering connection from Lightsail should succeed.

~~I say "should succeed" because I am still waiting for AWS Support to "approve" my requested account change. That last note on the ticket says my request is "still open" and this process is...~~

~~usually pretty quick but on some occasions it can take 24 - 48 hours for our Service Team to review and approve this type of request~~

Success. After a couple of days, AWS support reconfigured my account. I now have a default VPC in the us-east-1 region, and clicking the box next to "Enable VPC Peering" now works as expected. In the VPC console, I can now see that my default VPC is peered with the "stealth" VPC allocated for Lightsail.

Note that you don't need a paid support plan in order to request that AWS update your account as I've described above. You aren't actually asking for technical support. You can submit this as an account support request.

If you want to access resources in other VPCs in the region other than the Default VPC, that's not natively supported, at least at the moment. This would be more complicated for AWS to offer as a managed service, since they control the basic provisioning of your Default VPC and Lightsail VPC, but not any others.

VPC Peering connections do not support transit traffic, so it's not just a matter of peering the other VPCs to your Default VPC and connecting that way. For now, you'd need to deploy TCP or HTTP proxy servers (e.g. HAProxy, similar to this configuration, but pointing to services or a similar proxy in the target VPC as backends) or instances providing private-to-private source and destination network address translation (NAT) in the Default VPC in order to bridge the gap and cross over into any other VPC through an additonal peering connection. Performance should be excellent, but be sure to familiarize yourself with the pricing for peered VPC traffic. The Lightsail docs and EC2 docs seem inconsistent with each other, with regard to bandwidth costs for peering traffic.

Best Answer

Related Solutions

Amazon S3 – How to Get the Size of an Amazon S3 Bucket

Can’t establish VPC peering connection from Amazon Lightsail

Related Topic