tags:

views:

100

answers:

3
+1  Q: 

vlad the deployer - deploying with different users?

We're using vlad the deployer for deploying rails apps to production and test servers. All our servers are Ubuntu servers.

We have a problem related with linux permissions.

Vlad uses ssh to put files on any server, be it production or test. My company has several people, and each one has a different account on each server.

On the other hand, the way our Apache server is configured, it uses the "owner" of a website directory for reading files on that directory.

As a result, the user that makes the first deployment becomes the "owner" of the site; other users can't make deployments - Apache will not be able to read the modified files, since the owner has changed.

Normally this isn't much of an issue, but now holidays are approaching and we'd like to solve this as cleanly as possible - for example, we'd like to avoid sharing passwords/ssh keys.

Ideally I would need one vlad task that does something to the permissions of the deployed files so they could be completely modified by other users. I don't know enough about unix commands in order to do this.

+1  A: 

Why don't you make all the files publicly readable? In the ~/.bashrc of each user put the line

umask o=r

http://en.wikipedia.org/wiki/Umask

BTW I have never heard of such an Apache option; are you saying when Apache reads a file from /home/USER it runs with the UID of USER, instead of "nobody" or "apache"? That sounds wonky.

Modern Hacker  2010-08-18 01:26:45
For several reasons Apache needs to not only read, but to "own" the files: writing logs, temp files, etc only work if that's the case. So you either make a chown every time you publish the files or you share a common user among all updaters.
egarcia  2010-08-18 06:29:57
It would be more accurate to say Apache needs to "write" the files, not "own" the. There is absolutely no reason Apache would need to own a file or directory to do any of those things: write logs, temp files, etc. It only needs write permission, which you can accomplish withumask g=wThen edit /etc/group to create a group including apache and all your users, and then make this group the default group for them in /etc/passwd. Or if you are really lazy/cavalier, forget groups and doumask o=w
Modern Hacker  2010-08-18 20:05:17
You are right. There's something that fails, though - vlad:update begins making an svn update - that is actually the order that fails. SVN gets confused - "john made this svn repository and now peter is trying to update it? >> fail".
egarcia  2010-08-19 10:16:50
Perhaps you can fix this with option "svn --username john" providing the appropriate credentials (password and/or SSH key). Or configure the svn server to give write permission to all your users.
Modern Hacker  2010-08-19 20:26:53
A: 

I've been fighting with it for a couple months now and I've only found a couple ways to do it:

  • Use a single shared account for all the users deploying to the server (boo!)
  • Use different accounts, but make a chown to a common user account (www-data, rails, or similar) before performing account-dependant tasks (such as the svn update). This might work, but I haven't tested it.
  • Use access control lists. Someone has hinted at me that this might be the right solution. However, I don't have the knowledge or time to make this work properly.

For now, we are just continuing using one single user per project, and chowning everything manually when needed. It's a bit of a pain, but it works.

egarcia  2010-08-18 14:22:57
+2  A: 

I would do it with group permissions.

have the web root be /var/www/your-app/current

/var/www/your-app/ should be group writable by the group that all persons doing deploys belong to.

set up the deploy scripts so that they write to a directory called /var/www/your-app/>timestamp< where timestamp is the current timestamp.

/var/www/your-app/current is a symlink, and when you have sucessfully copied all files to the new directory you update the target of the symlink, so that it points to the directory you created.

This way everyone can deploy, and you can see who deployed what version.

This also makes the deploy atomic, so nothing will break if you lose your network connection in the middle of the deploy.

Since you won't delete the old catalogs, you can easy do a rollback to a "last good" state, if you manage to introduce some bug.

Alexander Kjäll  2010-08-19 09:42:13

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?