
I am looking for good practices for deploying with Capistrano.

I would like to start out with a short description of how I used to do deployment.

Capistrano is installed locally on a developer's computer. I deploy through a gateway with the Capistrano option :gateway. At first I thought that with the :gateway option I only needed an ssh connection to the gateway host, but it turns out that I need an ssh connection (public key) to all hosts I want to deploy to.

I would like to find a convenient and secure way to deploy the application.

For example, when a new developer starts working, it is much more convenient to put his public key only on the gateway server and not on all application servers. On the other hand, I don't want him to have any connection to the servers, in particular ssh to the gateway, just because he is a developer; he only needs to do deployments.

If you are aware of good practices for deploying with capistrano, please, let us know.

com

1 Answer

Capistrano is designed from the bits out on the assumption that ssh is the basis for all management. The machine used as a gateway has to both accept and issue ssh connections. There is no way around that. Your developers will get ssh access to the gateway.

You have some requirements:

  • Ease of adding new developers to the authorized-keys list of your deployment targets
  • Do not want to give developers a full terminal on the gateway box

You need to decide how you're going to handle keying on your deployment targets. You have two major options here:

  1. Use a generic key, everyone gets one and that's baked into the image/targets.
  2. Use specific keys, everyone gets their own and you manage the authorized_keys list through something like or .

The second option is the most secure, but works best if you have a configuration management system in place. You really should use one, and it can even supply the authorized_keys file for the gateway server.

You have some options for restricting what developers can do once they ssh into your system.

Depending on how Capistrano actually works with a gateway, some of these may prevent it from working so testing is in order. It may be that a full shell is required for it to function.

sysadmin1138
  • Thank you very much for the great answer. As I understand it, I need to maintain all users' public keys either only on the gateway or on all app hosts (if I maintain keys on the gateway, do I need to alter the ssh settings somehow)? What is preferable among the following options: doing the deployment locally from every developer's host, or asking them to ssh to the gateway and do the deployment from the gateway? – com Oct 20 '12 at 05:53
  • Going the gateway route allows you to firewall off your production environment from everything but the gateway; safer overall that way. The most recommended key-management strategy is to have all the dev keys on both gateway and prod boxes, and rely on `ssh-agent` forwarding. Their priv-keys are kept on their own boxes, but ssh-agent on their own box and the gateway forwards the keys to the prod boxes. – sysadmin1138 Oct 20 '12 at 12:52
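An added example (not from the question or the answer above) that renders the gateway's authorized_keys lines along the lines the thread recommends: each developer keeps their own key, the gateway accepts it, but only for tunnelling to the app hosts' sshd, with no shell or pty on the gateway itself. The developer names, keys and host names are constructed placeholders, and, as the answer notes, whether Capistrano's :gateway still works under such restrictions has to be tested.

```ruby
# Renders authorized_keys entries for the gateway host described in the thread.
# OpenSSH's `restrict` option turns off pty, shell commands, agent/X11/port
# forwarding; `port-forwarding` re-enables only forwarding, and `permitopen`
# limits it to the app hosts' ssh port. This is the gateway side only: the app
# hosts still need the developers' keys, as the answer's comment explains.
# All names, keys and hosts below are constructed sample data.

DEVELOPERS = {
  "alice" => "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice0000000000000000000000000 alice@laptop",
  "bob"   => "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBob000000000000000000000000000 bob@laptop",
}.freeze

APP_HOSTS = %w[app1.internal app2.internal].freeze

# Accept the common OpenSSH public key line shapes: "<type> <base64> <comment>".
KEY_RE = %r{\A(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/]+=* \S+\z}

def valid_key?(key)
  key.is_a?(String) && !(key =~ KEY_RE).nil?
end

# One authorized_keys line: options first, then the key itself.
def gateway_line(key, hosts)
  raise ArgumentError, "malformed public key: #{key.inspect}" unless valid_key?(key)
  raise ArgumentError, "no app hosts given" if hosts.empty?
  opts = ["restrict", "port-forwarding"] + hosts.map { |h| %(permitopen="#{h}:22") }
  "#{opts.join(',')} #{key}"
end

# Whole file for the gateway: one line per developer, key comment identifies them.
def render_gateway_file(developers, hosts)
  developers.values.map { |key| gateway_line(key, hosts) }.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  puts render_gateway_file(DEVELOPERS, APP_HOSTS)
end
```

Any developer whose key is malformed is rejected before a line is written, so a broken entry never silently locks the file down to nothing.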