Rails: Multiple application deployment strategy


At my company, we currently have one main project which is a big monolithic Rails app. Deployment is easy, we have a couple of frontend servers (set up with Puppet) which Capistrano deploys into /var/www/<hostname>/current. It then restarts Unicorn (zero downtime deploys!) and everyone is happy.



Unfortunately there is a problem. The monolithic nature of the app is starting to bite us. It now takes over 30 minutes to run all the tests, and it is slowing us down. We are looking to split it into smaller chunks and adopt a more μService architecture. However this has made me think about our deployment strategy. As it stands:



  • the Rails application and Nginx run as the www-data user

  • Any users who have access to the box can deploy (in Capistrano we chown stuff to the app user during deployment)

The security of this is rather low (everything running as the same user, everyone able to access everything). It also reminds me of how we did things at a previous company - it was a nightmare as all the apps were stuck on Ruby 1.6 as they shared the same version.



I'm thinking we can make this better by installing rbenv to allow each app to run its own version of Ruby, and having users per app to increase security. But I haven't really seen any examples of this in practice. For example 37signals run all apps as the same user - I'm concerned that there is a good reason why the apps shouldn't be run as different users.



To summarise:



  • What is the best way to deploy multiple Rails apps to a server in a μService style architecture?

  • What is the best way to isolate each of the apps (in terms of Ruby versions and user security)?

Thanks in advance!










ruby-on-rails deployment capistrano

asked Apr 10 '13 at 12:47

Luca Spiller

2 Answers






We have a similar configuration (although we're working with Tomcat and Grails instead of nginx and RoR). We've set up individual userids for each instance of Tomcat. We set the home directories for Java, Grails and any other dependent libraries in the .profile for the user as environment variables, so each Tomcat can run with any version that we've got installed.

The userid used by our automated deployment software (Atlassian Bamboo) is a member of the group assigned to each of the Tomcat directories.







answered May 2 '13 at 16:07

msinatl

For multiple Ruby instances I would definitely recommend RVM (Ruby enVironment Manager). I found it more solid than rbenv for production environments.

Nginx can bind on privileged ports (<= 1024) only if launched as a privileged user. So, a reverse proxy configuration may be needed to meet your need of launching each Unicorn instance as a separate process by the allowed user.

If your evaluation of running each on a separate VM is definitive, a way to isolate each app on GNU/Linux is SELinux. SELinux is rather complex, but provides facilities that allow you to safely separate processes and contexts.







answered Jun 12 '13 at 14:32

fsoppelsa
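An audit of the two layouts discussed in this thread, added here as an example and not code from the question or either answer: it compares the question's shared `www-data` setup with a per-app-user layout in which the deployment account belongs to each app's group. The app names, the `deploy` account, the groups and the directory modes are constructed sample values.

```ruby
# Added example: audit a multi-app host layout for cross-app access.
# Every app name, account, group and mode below is constructed sample data.
App = Struct.new(:name, :run_user, :group, :dir_mode, keyword_init: true)

# Returns finding strings. An empty list means the apps are isolated from each
# other while the deploy account can still write releases through group access.
def audit_layout(apps, proxy_user:, deploy_user:, group_members:)
  findings = []

  # Apps that share a run user can read each other's secrets and signal each
  # other's processes.
  apps.group_by(&:run_user).each do |user, sharing|
    next if sharing.size < 2
    findings << "shared-user: #{sharing.map(&:name).join(', ')} all run as #{user}"
  end

  apps.each do |app|
    members = group_members.fetch(app.group, [])

    # The reverse proxy only needs to reach the app's socket, not be the app.
    if app.run_user == proxy_user
      findings << "proxy-user: #{app.name} runs as the proxy user #{proxy_user}"
    end

    # Any permission bit for "other" opens the release tree to every account.
    if (app.dir_mode & 0o007) != 0
      findings << format("world-access: %s directory mode %04o grants access to other",
                         app.name, app.dir_mode)
    end

    # Deploys should work through group write access, not a post-deploy chown.
    unless members.include?(deploy_user) && (app.dir_mode & 0o020) != 0
      findings << "deploy-access: #{deploy_user} cannot write #{app.name} via group #{app.group}"
    end

    # Another app's run user inside this group defeats the per-app split.
    others = apps.reject { |o| o.name == app.name }.map(&:run_user) - [app.run_user]
    (others & members).uniq.each do |user|
      findings << "cross-group: #{user} is a member of #{app.name}'s group #{app.group}"
    end
  end
  findings
end

# Layout described in the question: everything runs as www-data.
SHARED = [
  App.new(name: "billing", run_user: "www-data", group: "www-data", dir_mode: 0o755),
  App.new(name: "search",  run_user: "www-data", group: "www-data", dir_mode: 0o755)
]
SHARED_GROUPS = { "www-data" => ["www-data"] }

# Layout described in the first answer: one account per app, with the
# deployment account added to each app's group (setgid, no access for other).
SPLIT = [
  App.new(name: "billing", run_user: "billing", group: "billing", dir_mode: 0o2770),
  App.new(name: "search",  run_user: "search",  group: "search",  dir_mode: 0o2770)
]
SPLIT_GROUPS = { "billing" => %w[billing deploy], "search" => %w[search deploy] }

if __FILE__ == $PROGRAM_NAME
  { "shared www-data" => [SHARED, SHARED_GROUPS],
    "per-app users"   => [SPLIT, SPLIT_GROUPS] }.each do |label, (apps, groups)|
    found = audit_layout(apps, proxy_user: "www-data", deploy_user: "deploy",
                               group_members: groups)
    puts "#{label}: #{found.size} finding(s)"
    found.each { |f| puts "  #{f}" }
  end
end
```

On a real host the same structs would be filled from process ownership, `File.stat` on each release directory and the group database.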
