I need to find a way to trigger a cap deploy from a web application/
form. I'm using PHP as the scripting language and I know I can just
issue an exec('cd /my-app; cap deploy'). But the problem is
permissions. I have a specific user setup for the project and I can't
have apache executing "cap deploy" directly. Does anyone know how to
do this correctly?
Thanks,
Matt
It does mean you won't be able to capture the output and feed it back
to the user in real time, though.
- Jamis
Unfortunately I can't do that. User output is essential. I'm
experimenting with issuing the command using su. By doing something
like:
echo 'MyPassWord' | su - deployer -c 'cd project; cap deploy;'
I realize there are security issues there, but the server has only a
few users. And I'd make it so only apache could read that script
file. Also, the file is NOT in the web root. Bad idea?
Any other ideas? :-)
Matt
On Jul 26, 9:47 am, "Jamis Buck" <ja...@37signals.com> wrote:
> You could try doing it async--have the request add a record to a queue
> somewhere. Then (via cron or some other external process) you
> periodically read from the queue and fire off the deploy command that
> way.
>
> It does mean you won't be able to capture the output and feed it back
> to the user in real time, though.
>
> - Jamis
>
- Jamis
You mean, I can execute capistrano from ruby (rails) and have it
execute as the correct user?! How do you do that? Can you show me an
example, I do know Rails and I can easily get it setup on the server.
Matt
On Jul 26, 11:25 am, "Jamis Buck" <ja...@37signals.com> wrote:
> Well...you could implement your web UI in Ruby and then just require
> capistrano and invoke the tasks directly. :)
>
> - Jamis
>
require 'capistrano/configuration'
require 'stringio'
output = StringIO.new
config = Capistrano::Configuration.new
config.logger = Capistrano::Logger.new(:output => output)
config.load "/path/to/Capfile"
config.set :user, "user_to_deploy_as"
config.deploy
puts output.string
- Jamis
I have to admit I'm a *little*, just a little :) lost. How do I for
example call the different tasks while using the capistrano-ext/
multistage? Right now I'm just trying to do an "uptime" but getting no
output from output.string
Thank you!
Matt
On Jul 26, 12:24 pm, "Jamis Buck" <ja...@37signals.com> wrote:
> Something like this, maybe (wholly untested):
>
> require 'capistrano/configuration'
> require 'stringio'
>
> output = StringIO.new
> config = Capistrano::Configuration.new
> config.logger = Capistrano::Logger.new(:output => output)
>
> config.load "/path/to/Capfile"
> config.set :user, "user_to_deploy_as"
>
> config.deploy
> puts output.string
>
> - Jamis
>
logger.level = 3
- Jamis
Thanks,
Matt
On Jul 26, 12:58 pm, "Jamis Buck" <ja...@37signals.com> wrote:
> ah, you'll also need to set the verbosity of the logger, which
> defaults to "silent as death".
>
> logger.level = 3
>
> - Jamis
>
Should just be:
config.uptime
I don't have any time to do more investigation on this today, but if
you are still having problems, I'll try and look into it tomorrow.
- Jamis
Thanks! I finally got it running a bit. I had some problems with file
paths. I got lucky though because I was only getting hangups until I
accidentally started up ssh-agent and added my key. Once I did that
(restarted rails), I was able to run some of my tasks.
My question now is about authentication. I'd really like to find a way
to either pass-in an SSH key pass-phrase directly to Capistrano OR,
completely avoid it and use ssh-agent. The problem with the former is
that I don't know how to pass the password into Capistrano when NOT on
the command line (I'm now doing this in Rails), the problem with the
latter is that ssh-agent is session based, and to run it every time
means checking to see if it's running, and then setting the correct
env variables.
Is there a way to create a before-all hook that passes in the pass-
phrase manually to STDIN?
To be more clear on what I'm trying to do... I'm building a web-based
deployment tool for a group of websites. All of my tasks/recipes work
great. It's this darned authentication thing that's holding me up! :)
Again, thanks for all of your great, amazing work and help,
Matt
To answer your question, though, there is not really a way to specify
the passphrase directly to use to Capistrano. There is a
scm_passphrase variable, but that is only used when the passphrase is
being prompted for by subversion, not when you are trying to connect
to your hosts.
- Jamis
I'm going to go with the password-less passphrase. For that to work
though, does the machine that Capistrano is being executed from need
ssh-agent running?
Thanks
Matt
On Jul 26, 4:02 pm, "Jamis Buck" <ja...@37signals.com> wrote:
> I'd actually recommend using a passphrase-less key, in that case. It's
> certainly no less secure than hardcoding the passphrase in your
> application.
>
> To answer your question, though, there is not really a way to specify
> the passphrase directly to use to Capistrano. There is a
> scm_passphrase variable, but that is only used when the passphrase is
> being prompted for by subversion, not when you are trying to connect
> to your hosts.
>
> - Jamis
>
> On 7/26/07, goodieboy <goodie...@gmail.com> wrote:
>
>
>
> > Hi Jamis,
>
> > Thanks! I finally got it running a bit. I had some problems with file
> > paths. I got lucky though because I was only getting hangups until I
> > accidentally started up ssh-agent and added my key. Once I did that
> > (restarted rails), I was able to run some of my tasks.
>
> > My question now is about authentication. I'd really like to find a way
> > to either pass-in an SSH key pass-phrase directly to Capistrano OR,
> > completely avoid it and use ssh-agent. The problem with the former is
> > that I don't know how to pass the password into Capistrano when NOT on
Matt
Any chance you could post the code that finally worked for you?
Thanks!
Jeff
set :user, 'my-user'
ssh_options[:username] = 'my-user'
ssh_options[:host_key] = 'ssh-dss'
ssh_options[:paranoid] = false
Hope that helps!
Matt
Security
The process starts by the page being submitted by the apache/www user.
How do I securely transfer "power" over to the deployer user? I've
been hard-coding the password in to do an su like:
# whoami
apache
# echo 'PassWord' | su - deployer-user -c "COMMAND HERE"
But that means the password is in a file on the system, which bugs me.
How can I allow apache/www to execute these scripts in a secure way?
There must be a better way?
Matt
> How do I securely transfer "power" over to the deployer user? I've
> been hard-coding the password in to do an su like:
What if you use sudo with the NOPASSWD option, like this:
" deployer ALL=(ALL) NOPASSWD: /usr/bin/mongrel_rails"
-j
Thanks!
matt
> Hmm, OK. So my deployer user calls capistrano, and from there
> capistrano does all sorts of things (creating directories, moving
> things, occasionally restarting apache). How do I know what I have to
> list in the sudoers file?
The only commands that have to be in the sudoers file are the
privileged commands. If the deploy user owns the directories, or is
in a group that has permissions on the directories, then you'll need
to put in commands for just restarting apache, or mongrel, or that
sort of thing. Everything else should be done as the user doing the
deploy (probably).
Cheers,
-j
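
Jamis's queue suggestion earlier in the thread also answers the privilege question asked here: apache only writes request files, and a cron job owned by the deploy user is the only thing that runs cap, so no password or sudo rule is needed for the hand-off. A sketch of that split, as an added example that is not code from the thread; the spool directory layout, the allowlists, the function names and the `cap <stage> <task>` multistage form are assumptions.

```ruby
require 'json'
require 'securerandom'
require 'tmpdir'

# Hypothetical allowlists: the only stages and tasks the web form may request.
ALLOWED_STAGES = %w[staging production].freeze
ALLOWED_TASKS  = %w[deploy deploy:rollback uptime].freeze

# Web side (runs as apache): drop a request file into the spool directory.
# It only writes data; it never executes cap and holds no credentials.
def enqueue(spool, stage, task)
  name = "#{Time.now.to_i}-#{SecureRandom.hex(8)}.json"
  tmp  = File.join(spool, ".#{name}.tmp")
  File.write(tmp, JSON.generate('stage' => stage, 'task' => task))
  File.rename(tmp, File.join(spool, name)) # atomic: no half-written requests
  name
end

# Turn one raw request into an argv array, or nil if anything is off-list.
def argv_for(raw)
  req = JSON.parse(raw)
  return nil unless req.is_a?(Hash)
  stage, task = req.values_at('stage', 'task')
  return nil unless ALLOWED_STAGES.include?(stage) && ALLOWED_TASKS.include?(task)
  ['cap', stage, task]
rescue JSON::ParserError
  nil
end

# Worker side (run from the deploy user's crontab): drain the spool.
# Multi-argument system() bypasses the shell, so request text is never parsed
# as a command line. `runner` is injectable so this runs without cap installed.
def drain(spool, runner: ->(argv) { system(*argv) })
  Dir.glob(File.join(spool, '*.json')).sort.map do |path|
    argv = argv_for(File.read(path))
    File.delete(path)
    status = argv ? (runner.call(argv) ? :ok : :failed) : :rejected
    [File.basename(path), status, argv]
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |spool| # constructed sample requests, recorded instead of run
    enqueue(spool, 'staging', 'uptime')
    enqueue(spool, 'staging', 'shell') # not on the allowlist
    drain(spool, runner: ->(argv) { puts "would run: #{argv.join(' ')}"; true })
      .each { |name, status, _| puts "#{name}: #{status}" }
  end
end
```

The spool directory needs to be writable by the web user and readable by the deploy user; the worker's results can be written back to a status file for the web page to poll.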