views:

100

answers:

3

We're using vlad the deployer for deploying rails apps to production and test servers. All our servers are Ubuntu servers.

We have a problem related with linux permissions.

Vlad uses ssh to put files on any server, be it production or test. My company has several people, and each one has a different account on each server.

On the other hand, the way our Apache server is configured, it uses the "owner" of a website directory for reading files on that directory.

As a result, the user that makes the first deployment becomes the "owner" of the site; other users can't make deployments - Apache will not be able to read the modified files, since the owner has changed.

Normally this isn't much of an issue, but now holidays are approaching and we'd like to solve this as cleanly as possible - for example, we'd like to avoid sharing passwords/ssh keys.

Ideally I would need one vlad task that does something to the permissions of the deployed files so they could be completely modified by other users. I don't know enough about unix commands in order to do this.

+1  A: 

Why don't you make all the files publicly readable? In the ~/.bashrc of each user put the line

umask o=r

http://en.wikipedia.org/wiki/Umask

BTW I have never heard of such an Apache option; are you saying when Apache reads a file from /home/USER it runs with the UID of USER, instead of "nobody" or "apache"? That sounds wonky.

Modern Hacker
For several reasons Apache needs to not only read, but to "own" the files: writing logs, temp files, etc only work if that's the case. So you either make a chown every time you publish the files or you share a common user among all updaters.
egarcia
It would be more accurate to say Apache needs to "write" the files, not "own" the. There is absolutely no reason Apache would need to own a file or directory to do any of those things: write logs, temp files, etc. It only needs write permission, which you can accomplish withumask g=wThen edit /etc/group to create a group including apache and all your users, and then make this group the default group for them in /etc/passwd. Or if you are really lazy/cavalier, forget groups and doumask o=w
Modern Hacker
You are right. There's something that fails, though - vlad:update begins making an svn update - that is actually the order that fails. SVN gets confused - "john made this svn repository and now peter is trying to update it? >> fail".
egarcia
Perhaps you can fix this with option "svn --username john" providing the appropriate credentials (password and/or SSH key). Or configure the svn server to give write permission to all your users.
Modern Hacker
A: 

I've been fighting with it for a couple months now and I've only found a couple ways to do it:

  • Use a single shared account for all the users deploying to the server (boo!)
  • Use different accounts, but make a chown to a common user account (www-data, rails, or similar) before performing account-dependant tasks (such as the svn update). This might work, but I haven't tested it.
  • Use access control lists. Someone has hinted at me that this might be the right solution. However, I don't have the knowledge or time to make this work properly.

For now, we are just continuing using one single user per project, and chowning everything manually when needed. It's a bit of a pain, but it works.

egarcia
+2  A: 

I would do it with group permissions.

have the web root be /var/www/your-app/current

/var/www/your-app/ should be group writable by the group that all persons doing deploys belong to.

set up the deploy scripts so that they write to a directory called /var/www/your-app/>timestamp< where timestamp is the current timestamp.

/var/www/your-app/current is a symlink, and when you have sucessfully copied all files to the new directory you update the target of the symlink, so that it points to the directory you created.

This way everyone can deploy, and you can see who deployed what version.

This also makes the deploy atomic, so nothing will break if you lose your network connection in the middle of the deploy.

Since you won't delete the old catalogs, you can easy do a rollback to a "last good" state, if you manage to introduce some bug.

Alexander Kjäll