database.yml best practices

20 views
Skip to first unread message

Josh

unread,
Aug 14, 2009, 2:04:36 PM8/14/09
to Moonshine
For security reasons it's a bad idea to check the database.yml file
into SCM.

Does moonshine have support for creating the database.yml from some
external source?

I'd be totally up for creating a patch for this, if it doesn't exist
yet. If that's the case a few pointers to get me started would be
very welcomed :)

I was thinking of implementing a solution like this:

http://www.simonecarletti.com/blog/2009/06/capistrano-and-database-yml/

I *think* it builds out the database.yml file from a template and then
prompts mid-deploy for a database password which it directly inserts
into the file. That way, the only place the password is stored is in
my running apps config/database.yml, and my brain.

Andrew Roth

unread,
Aug 14, 2009, 2:09:17 PM8/14/09
to railsmachin...@googlegroups.com
I'm also interested in a solution like this.  I was going to use erb to parse a database.yml.erb then have a <%= puts "enter db password: "; gets.chomp; %> block.  I'd be interested to see what you come up with.

Josh

unread,
Aug 14, 2009, 2:14:27 PM8/14/09
to Moonshine
I personally would rather stick the database.yml file somewhere on the
server and have the deploy script ln -s to it. That way you dont
interrupt your deploy with a password prompt. That said, I'm
absolutely no security expert...

Andrew Roth

unread,
Aug 14, 2009, 2:18:07 PM8/14/09
to railsmachin...@googlegroups.com
Instead of entering a password, you'd then be doing more work to get it on the server, it's just trading keystrokes (and probably more of them), no?

Alternatively if there is a way to access a secure file system, a password for that could be given at the start then any sensitive files are copied from there?

Jesse Newland

unread,
Aug 14, 2009, 3:38:28 PM8/14/09
to railsmachin...@googlegroups.com
Hey Guys -

Check out the local_config stuff documented at the bottom of the page here:


Does that look like what you're looking for?

Regards -

Andrew Roth

unread,
Aug 14, 2009, 3:40:35 PM8/14/09
to railsmachin...@googlegroups.com
Sort of.  We still need a way to get it on our local computer.  I suppose I could set up a shell script which downloads things from a secure site somewhere (like a passworded svn / git).  Maybe this can be done with a ruby library.

Josh

unread,
Aug 15, 2009, 8:00:08 PM8/15/09
to Moonshine
Yep, that's exactly it. Thanks again.

On Aug 14, 3:40 pm, Andrew Roth <andrewr...@gmail.com> wrote:
> Sort of.  We still need a way to get it on our local computer.  I suppose I
> could set up a shell script which downloads things from a secure site
> somewhere (like a passworded svn / git).  Maybe this can be done with a ruby
> library.
>
> On Fri, Aug 14, 2009 at 3:38 PM, Jesse Newland <je...@railsmachine.com>wrote:
>
>
>
> > Hey Guys -
>
> > Check out the local_config stuff documented at the bottom of the page here:
>
> >http://railsmachine.github.com/moonshine/
>
> > Does that look like what you're looking for?
>
> > Regards -
>
> > Jesse Newland
> > ---
> > je...@railsmachine.com
> > 404.216.1093
>
> > On Aug 14, 2009, at 2:18 PM, Andrew Roth wrote:
>
> > Instead of entering a password, you'd then be doing more work to get it on
> > the server, it's just trading keystrokes (and probably more of them), no?
>
> > Alternatively if there is a way to access a secure file system, a password
> > for that could be given at the start then any sensitive files are copied
> > from there?
>

Josh

unread,
Aug 15, 2009, 10:09:30 PM8/15/09
to Moonshine
Okay, something's going wrong here:

It seems that when I:

mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD
('MYNEWPASSWORD');

and then add that password to database.yml (locally), commit/push/
deply

I get the following:

** [out :: app1]
** [out :: app1] notice: /ApplicationManifest#20337900/Exec
[rails_gems]/returns: executed successfully
** [out :: app1]
** [out :: app1] err: /ApplicationManifest#20337900/Exec
[mysql_database]/returns: change from notrun to 0 failed: /usr/bin/
mysql -u root -p -e "create database veloracing_production;" returned
1 instead of 0
** [out :: app1] notice: /ApplicationManifest#20337900/Exec
[mysql_user]: Dependency exec[/usr/bin/mysql -u root -p -e "create
database veloracing_production;"] has 1 failures

The mysql command isn't using -pMYNEWPASSWORD like I would expect it
to, and thus hell breaks loose

What'd I do wrong?

If I had set up this local_config with a password in my config/
database.yml before the database was initially created would moonshine
have handled setting the root password correctly?

Thanks
Reply all
Reply to author
Forward
0 new messages