Setting up secret_key_base on deploy with Capistra

2020-07-18 10:36发布

问题:

So I'm deploying to a Ubuntu droplet hosted on DigitalOcean a Rails 4 application running on Apache and Phusion Passenger. After deployment I've been getting 500s as a result of Rails production not finding the secret_key_base token for production. However, if I run an echo $SECRET_KEY_BASE it returns the rake secret generated by my deploy.rb.

The deploy.rb task to set that up is:

namespace :deploy do
  task :start do ; end
  task :stop do ; end

  desc "Setup ENV variables"
  task :env_vars do
    on "root@xxx.xxx.xxx.xx" do
      execute "export SECRET_KEY_BASE=#{`bundle exec rake secret`}"
    end
  end
end

before "deploy", "deploy:env_vars"

However, Rails is still not picking it up. I even ssh'd into my server and in rails console checked and ENV["SECRET_KEY_BASE"] returns the correct secret token.

I thought using Capistrano's :default_env would work, but that only seems to set up environmental variables for the deploy task, but not actually on the server. Is there any easy way to solve this solution? My fallback is to just place the secret within secrets.yml since the repo is private, but I rather not do that.

回答1:

There is a gem for exactly this task: https://github.com/capistrano-plugins/capistrano-secrets-yml

Install

Add this to Gemfile:

group :development do
  gem 'capistrano', '~> 3.2.1'
  gem 'capistrano-secrets-yml', '~> 1.0.0'
end

And then:

$ bundle install

Setup and usage

make sure your local config/secrets.yml is not git tracked. It should be on the disk, but gitignored.

populate production secrets in local config/secrets.yml:

production:
  secret_key_base: d6ced...

add to Capfile:

require 'capistrano/secrets_yml'

create secrets.yml file on the remote server by executing this task:

$ bundle exec cap production setup

You can now proceed with other deployment tasks.



回答2:

You can create a file in your server called application.yml in shared/config.

Choose any one of solution from bellow

Following code in deploy.rb will automatically symlink your application.yml

set :linked_files, %w{config/application.yml}

Or

Then symlink this application.yml with your current/config/application.yml with a simple capistrano task.



回答3:

Rather than exporting env variables in deploy.rb, use dotenv to load environment variables from .env[.<staging>] into ENV when rails booting.

Follow these steps:

Add this line to the top of your Gemfile:

gem 'dotenv-rails'

Put .env.production file into the linked_file in deploy/production.rb:

set :linked_files, fetch(:linked_files, []).push('.env.production')

On the remote host, add the .env.production file in shared folder which contains this line:

SECRET_KEY_BASE=<Your secret>


回答4:

Give up on environment vars and just simply read a file. Do this in secrets.yml.

production:
  secret_key_base: <%= File.read('/home/me/SECRET_KEY_BASE').strip %>

Then make the secret file.

$ rake secret > ~/SECRET_KEY_BASE

Before settling on this solution I tried exporting the secret from my .bash_profile, .profile, and .bashrc (top and bottom). I also tried PermitUserEnvironment and .ssh/environment. I have no idea how an environment variable gets from "the environment" into a capistrano deployment. I ran ssh example.com printenv and saw my vars. I logged in and saw my vars. But puma started with capistrano... it always has it's own environment.