Rails: Multiple application deployment strategy


At my company, we currently have one main project which is a big monolithic Rails app. Deployment is easy, we have a couple of frontend servers (set up with Puppet) which Capistrano deploys into /var/www/<hostname>/current. It then restarts Unicorn (zero downtime deploys!) and everyone is happy.



Unfortunately there is a problem. The monolithic nature of the app is starting to bite us. It now takes over 30 minutes to run all the tests, and it is slowing us down. We are looking to split it into smaller chunks and adopt a more μService architecture. However this has made me think about our deployment strategy. As it stands:



  • the Rails application and Nginx run as the www-data user

  • Any users who have access to the box can deploy (in Capistrano we chown stuff to the app user during deployment)

The security of this is rather low (everything running as the same user, everyone able to access everything). It also reminds me of how we did things at a previous company - it was a nightmare as all the apps were stuck on Ruby 1.6 as they shared the same version.



I'm thinking we can make this better by installing rbenv to allow each app to run its own version of Ruby, and having users per app to increase security. But I haven't really seen any examples of this in practice. For example 37signals run all apps as the same user - I'm concerned that there is a good reason why the apps shouldn't be run as different users.



To summarise:



  • What is the best way to deploy multiple Rails apps to a server in a μService style architecture?

  • What is the best way to isolate each of the apps (in terms of Ruby versions and user security)?

Thanks in advance!










      ruby-on-rails deployment capistrano






      asked Apr 10 '13 at 12:47









      Luca Spiller

          2 Answers
                  We have a similar configuration (although we're working with Tomcat and Grails instead of nginx and RoR). We've set up individual userids for each instance of Tomcat. We set the home directories for Java, Grails and any other dependent libraries in the .profile for the user as environment variables, so each Tomcat can run with any version that we've got installed.



                  The userid used by our automated deployment software (Atlassian Bamboo) is a member of the group assigned to each of the Tomcat directories.







                  answered May 2 '13 at 16:07









                  msinatl

                          For multiple Ruby instances I would definitely recommend RVM (Ruby enVironment Manager). I found it more solid than rbenv for production environments.

                          Nginx can bind on privileged ports (<= 1024) only if launched as a privileged user. So, a reverse proxy configuration may be needed to meet your need of launching each Unicorn instance as a separate process by the allowed user.

                          If your evaluation of running each on a separate VM is definitive, a way to isolate each app on GNU/Linux is SELinux. SELinux is rather complex, but provides facilities that allow you to safely separate processes and context.







                          answered Jun 12 '13 at 14:32









                          fsoppelsa
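
An added example, not part of the original posts or of any project's code: a small Ruby audit that reads process listings in the shape of `ps -eo user:20,args` and reports where the "everything running as the same user" situation from the question still exists. The sample listing, the `example.com` hostnames and the `billing`/`search`/`reports` accounts are constructed for illustration; the `/var/www/<hostname>/current` layout is the one the question describes.

```ruby
require "set"

# Constructed sample in the shape of `ps -eo user:20,args` output (not from the page).
SAMPLE_PS = <<~PS
  USER                 COMMAND
  root                 nginx: master process /usr/sbin/nginx
  www-data             nginx: worker process
  www-data             unicorn master -c /var/www/billing.example.com/current/config/unicorn.rb -E production -D
  www-data             unicorn worker[0] -c /var/www/billing.example.com/current/config/unicorn.rb -E production -D
  www-data             unicorn master -c /var/www/search.example.com/current/config/unicorn.rb -E production -D
  www-data             unicorn worker[0] -c /var/www/search.example.com/current/config/unicorn.rb -E production -D
  reports              unicorn master -c /var/www/reports.example.com/current/config/unicorn.rb -E production -D
  reports              unicorn worker[0] -c /var/www/reports.example.com/current/config/unicorn.rb -E production -D
PS

# The app name is the directory under /var/www that Capistrano deploys into.
APP_PATH = %r{/var/www/([^/\s]+)/current}

# Split each line (after the header) into the account name and the command line.
def parse_ps(text)
  rows = text.each_line.drop(1).map do |line|
    user, args = line.strip.split(/\s+/, 2)
    { user: user, args: args } if user && args
  end
  rows.compact
end

# Map each deployed app to the set of accounts its Unicorn processes run as.
def app_users(rows)
  rows.each_with_object(Hash.new { |h, k| h[k] = Set.new }) do |row, apps|
    next unless row[:args].start_with?("unicorn ")
    app = row[:args][APP_PATH, 1]
    apps[app] << row[:user] if app
  end
end

# Accounts the nginx worker processes run as.
def web_users(rows)
  rows.select { |r| r[:args].start_with?("nginx: worker") }.map { |r| r[:user] }.to_set
end

# Report accounts shared between apps, apps sharing the web server's account,
# and apps running as root.
def isolation_findings(ps_text)
  rows = parse_ps(ps_text)
  apps = app_users(rows)
  web = web_users(rows)
  findings = []

  by_user = Hash.new { |h, k| h[k] = [] }
  apps.each { |app, users| users.each { |u| by_user[u] << app } }
  by_user.each do |user, names|
    findings << "#{user} runs several apps: #{names.sort.join(', ')}" if names.size > 1
  end

  apps.each do |app, users|
    shared = users & web
    findings << "#{app} shares #{shared.to_a.join(', ')} with nginx workers" unless shared.empty?
    findings << "#{app} runs as root" if users.include?("root")
  end
  findings
end

puts isolation_findings(SAMPLE_PS) if __FILE__ == $PROGRAM_NAME
```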


                              Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

                              Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020