Capistrano Tip: Giving the Password First 4

Posted Monday, February 19, 2007 20:54

Capistrano is a wonderful tool for deploying Ruby on Rails (and other) applications. But having to enter your password over and over again for each step in a deployment gets old quickly.

In a previous article, I described how to set up SSH keys so you don’t have to enter your password for most operations. However, after the Capistrano deploy process does most of its work, it uses a sudo command to restart the application, and this requires you to type in your password. As a result, “cap deploy” is not a true “type the command and walk away” deployment process, even with SSH keys set up. You have to wait until the process is nearly done, so you can enter the password to restart the server.

A simple improvement is to enter:

cap deploy -p -

The “-p” option tells Capistrano you want to provide a password, and the following hyphen tells it to prompt you for the password (which is more secure than entering the password on the command line). This way you can enter the password right at the start of the deployment process, and then it will complete without intervention.

Comments

Leave a response

  1. AnĂ­bal RojasFebruary 20, 2007 @ 01:20 PM
    Not sure why do you say it is a more secure approach, but it is a nice trick. Do you have the termios gem installed (it prevents password of being displayed) Off Topic: Please feel free to register at RubyCorner.com, a directory for blogs related to the Ruby Programming Language or any of the related technologies and projects.
  2. Michael SlaterFebruary 21, 2007 @ 09:42 PM
    Anibal, if you type the password on the command line, then it is displayed in clear text. Having Capistrano prompt you for it keeps it from being displayed. I don't think termios would change this, but I'm not sure as it doesn't seem to install on Windows. (I know, I know...)
  3. Martin SmithFebruary 28, 2007 @ 01:11 PM
    I've included a pointer to this from my freshly-minted Rails Deployment web site - thanks for the tip.
  4. DavidJanuary 24, 2008 @ 09:45 PM

    “which is more secure than entering the password on the command line”

    “Not sure why do you say it is a more secure approach”

    Anibal, another very important reason is that if someone else on your server is simply watching process named with ps, they will see your password. This seems a minor problem, because it should be a quick process, but if your deployment involves copying files or waiting for slow hosts .. you might have your password visible to anyone on the host for minutes and minutes.

    (sorry for dragging up an old post, but thought someone should mention it)

Comment



If you're reading this message, your browser is not interpreting the CSS file properly, and your comment may not be posted.