What is a good way to hide mysql2 password when deploying using capistrano

So here is my capistrano file

    load 'deploy/assets'
    require "bundler/capistrano"

    set :application, "XXXXXX"
    set :repository, "XXXXXX"

    set :scm, :git # You can set :scm explicitly or Capistrano will make an intelligent guess based on known version control directory names
    # Or: `accurev`, `bzr`, `cvs`, `darcs`, `git`, `mercurial`, `perforce`, `subversion` or `none`
    set :repository , "XXXXXX"

    role :web, "XXXXXX" # Your HTTP server, Apache/etc
    role :app, "XXXXXX" # This may be the same as your `Web` server
    role :db, "XXXXXX", :primary => true # This is where Rails migrations will run
    #role :db, "your slave db-server here"

    set :user, 'root'
    set :use_sudo, false
    set :deploy_to, "/var/www/#{application}"
    set :deploy_via, :remote_cache
    set :normalize_asset_timestamps, false

    # if you want to clean up old releases on each deploy uncomment this:
    # after "deploy:restart", "deploy:cleanup"

    # if you're still using the script/reaper helper you will need
    # these http://github.com/rails/irs_process_scripts

    # If you are using Passenger mod_rails uncomment this:
    namespace :deploy do
      task :start do ; end
      task :stop do ; end
      task :restart, :roles => :app, :except => { :no_release => true } do
        run "touch #{File.join(current_path,'tmp','restart.txt')}"
      end
    end

Now when I run cap deploy, I get an error:

 Access denied for user 'root'@'localhost' (using password: NO) 

I assume this is because of my database.yml file:

    development:
      adapter: sqlite3
      database: db/development.sqlite3
      pool: 5
      timeout: 5000

    # Warning: The database defined as "test" will be erased and
    # re-generated from your development database when you run "rake".
    # Do not set this db to the same as development or production.
    test:
      adapter: sqlite3
      database: db/test.sqlite3
      pool: 5
      timeout: 5000

    production:
      adapter: mysql2
      encoding: utf8
      database: XXXXX
      username: root
      password:
      socket: /tmp/mysql.sock

Now, I have a public GitHub account. I do not want to transfer my password and publish it on GitHub. But if I don’t pass the password, I can’t deploy the application.

What is a good way to deal with this problem?

thanks

+4
2 answers

I would recommend the following:

  • Move config/database.yml to config/database.yml.sample in your repo
  • Remove any sensitive information in config/database.yml.sample, such as passwords, and
    copy the sample configuration file to your repo.
  • Add config/database.yml to your .gitignore file so that it cannot be added to the repo.
  • On your server, manually copy config/database.yml.sample to config/database.yml in the shared/ directory that Capistrano creates for you. This should be done after you run the cap deploy:setup command, which creates the shared and releases top-level directories. This needs to be done once, manually, when setting up your application.
  • In shared/config/database.yml on the server, fill in the actual details, including passwords. chmod the file so that it is not readable by those who do not have access.
  • Add the following to your deployment script:

     namespace(:customs) do
       task :symlink_db, :roles => :app do
         run <<-CMD
           ln -nfs #{shared_path}/config/database.yml #{release_path}/config/database.yml
         CMD
       end
     end

     after "deploy:update_code", "customs:symlink_db"
+1

You will also want to make sure your SSH system is well protected so that people cannot log in as the Capistrano bot. I would suggest restricting access to password-protected key pairs.

Encrypting the .yml file on the server is useless, since you must give the bot the key, to be saved on the same server. Encrypting it on your computer is probably a good idea. Capistrano can decrypt it before shipping.

or

The way I solved this is to put the database password in a file with read permissions only for the user I run my application as. Then in database.yml I use ERB to read the file:

    production:
      adapter: mysql
      database: my_db
      username: db_user
      password: <%= begin IO.read("/home/my_deploy_user/.db") rescue "" end %>
+5
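A stricter variant of the ERB approach in the last answer, as an added example that is not part of the original answers. The hypothetical helper `read_secret` rejects a password file that is readable by group or others, and raises instead of falling back to an empty password (which MySQL reports as `using password: NO`). The paths and the sample secret are constructed.

```ruby
require "erb"
require "yaml"
require "tmpdir"

# Raised when the secret file is missing, empty or readable by other users.
class SecretFileError < StandardError; end

# Read a secret from a file, refusing it unless it is a regular file with
# no group/other permission bits (e.g. 0600). Unlike `rescue ""`, a problem
# fails loudly instead of silently deploying with an empty password.
def read_secret(path)
  stat = File.stat(path)
  raise SecretFileError, "#{path}: not a regular file" unless stat.file?
  raise SecretFileError, "#{path}: mode too open, expected 0600" if (stat.mode & 0o077) != 0
  secret = File.read(path).chomp # drop the trailing newline editors add
  raise SecretFileError, "#{path}: empty" if secret.empty?
  secret
rescue SystemCallError => e
  raise SecretFileError, "#{path}: #{e.message}"
end

# Render database.yml through ERB (as Rails does) and return one environment.
def load_db_config(yaml_path, env)
  rendered = ERB.new(File.read(yaml_path)).result(binding)
  YAML.safe_load(rendered).fetch(env)
end

# Constructed demo: a throwaway secret file and database.yml in a temp dir.
def demo
  Dir.mktmpdir do |dir|
    secret_path = File.join(dir, ".db")
    File.write(secret_path, "s3cr3t-constructed\n")
    File.chmod(0o600, secret_path)
    yaml_path = File.join(dir, "database.yml")
    File.write(yaml_path, <<~YAML)
      production:
        adapter: mysql2
        username: db_user
        password: <%= read_secret(#{secret_path.inspect}) %>
    YAML
    strict = load_db_config(yaml_path, "production")["password"]
    File.chmod(0o644, secret_path) # now world-readable: must be rejected
    rejected = begin load_db_config(yaml_path, "production"); false
               rescue SecretFileError then true end
    [strict, rejected]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

In a Rails application the helper would have to be defined before database.yml is loaded, for example near the top of config/application.rb.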

Source: https://habr.com/ru/post/1468897/