One of the benefits of Rails development is being able to do easy deployments using tools like Capistrano. It can, however, be a slight pain when with most setups you have to repeatedly enter different passwords, usually for different purposes:
- Subversion checkout – yes, you your code should be password protected!
- SSH login to the server
- User password to restart the mongrel process
While you can avoid the last one by using a root account, “standard” security practices recommend using a non-root account for daily tasks (and disallowing the root user from logging in via SSH!), so we’re looking at three logins.
So lets get rid of those pesky prompts.
The first task is the code repository (e.g. subversion) checkout. Using an awesome project management tool like Unfuddle makes this a synch, just create a new user (e.g. “deploy”) and give it read-only access to the code and no other permissions. If your repository is managed by Apache or Subversion itself, check with the Subversion book for full instructions. Once you have the login password ready to go just store that in your code:
set :svn_user, "deploy"
set :svn_pass, "w1dg3t"
set :repository, "--username #{svn_user} --password #{svn_pass} https://myproject.unfuddle.com/svn/myproject/tags/deploy"
Simply replace “deploy” with your read-only username for the repository and “w1dg3t” with the password.”
The second task is the SSH login. Thankfully there’s a standard way of doing this with SSH – simply create your very own security key and paste the public file into a file called “.ssh/authorized_keys” in the home directory for the server’s deployment user (e.g. “~rails/.ssh/authorized_keys”). If you don’t follow that please use a more detailed guide (Kimmo Suominen wrote an excellent ssh guide for OSX, Linux et al, while the PuTTY manual explains key generation for Windows users), and note that for true password-free deployments use a blank passphrase.
The third and final step is to allow the deployment user on the server run the mongrel tasks without having to enter the password. This is done using the “sudo” system which allows a regular user run a command as the root user, i.e. nifty stuff but you need to be careful to not leave your system too open. There’s one small adjustment needed to make this work on the server without any passwords, you need to add a line to the /etc/sudoers file telling the server that it’s OK to allow your user to do this. So, here is the one line you need to add:
rails ALL = NOPASSWD: /usr/bin/mongrel_rails *
Just to explain that:
- the “rails” word is the user to run the deployment as,
- the “ALL” keyword allows you to run the command regardless of where you’re logged in from,
- the “NOPASSWORD” keyword tells the system to not prompt for your password (as is the default),
- then you tell it exactly where to find the mongrel_rails command (use the command “which mongrel_rails” if you don’t know off-hand),
- lastly the star symbol allows for any arguments to be passed to the mongrel_rails command.
And that’s it. Just three quick steps and you’ll never have to enter those three passwords again.
Other Posts That Might Interest You
