I’ve finished getting my first production Rails server up and running at RimuHosting . I kept reasonably careful notes along the way, and now I’m going to brain-dump them here, in part because I might need them again in the future, and in part because they might help someone else. Of course, there are so many variables that your setup very likely will not be a precise match for my setup, so use with appropriate caution.
We started with a MiroVPS3 (224MB) host with Debian Etch, the Webmin control panel, and RimuHosting’s own basic Rails stack preinstalled. That’s probably overkill for this little app, but the client wanted to be sure of plenty of breathing room. I’m targeting Apache + Mongrel for serving pages because that’s what I’ve been using in development and staging; production is not the time to experiment with a new-to-me server.
- ssh root@nn.nn.nn.nn
- adduser mike
- logout
- ssh mike@nn.nn.nn.nn
- started mysql via Webmin control panel
- changed mysql root user password to DBPassword via Webmin control panel
- set up mike as a full admin using sudo by using visudo
- sudo adduser appuser
- mysql -u root -p
- CREATE DATABASE appproduction;
- GRANT ALL PRIVILEGES ON appproduction.* TO ‘appuser’@’localhost’ IDENTIFIED BY ‘apppassword’ WITH GRANT OPTION;
- quit; get out of mysql
- used Webmin to set mysql to listen on any
- sudo apt-get install libopenssl-ruby1.8 Without this step, recent Rails won’t run properly on Ubuntu or Debian
- mkdir /Library
- cd /Library
- sudo mkdir Rails -p -m 777 I like to keep my Rails apps in /Library/Rails. Your mileage may vary.
- changed server info in deploy.rb to point to the production server
- (on development machine) cap setup
- sudo gem install—include-dependencies mongrel_cluster
- (on development machine) cap deploy
- cd /Library/Rails/app/current
- rake db:migrate RAILS_ENV=production
- cd /etc/apache2/sites-enabled
- sudo nano 000-default edited this to basically match my staging version
- sudo a2enmod proxy_balancer
- sudo a2enmod proxy_http
- sudo a2enmod rewrite
- sudo /etc/init.d/apache2 force-reload
- sudo /etc/init.d/apache2 restart
- used Webmin control panel to set mysql to start at boot
- sudo ln -s /usr/lib/ruby/gems/1.8/gems/mongrel_cluster-0.2.1/resources/mongrel_cluster /etc/init.d/mongrel_cluster
- sudo chmod +x /etc/init.d/mongrel_cluster
- sudo mkdir /etc/mongrel_cluster
- sudo ln -s /Libray/Rails/app/current/config/mongrel_cluster.yml /etc/mongrel_cluster/nrafh.yml
- used Webmin to set mongrel_cluster to start at boot time
I’m a Python developer, so maybe Rails has some unusual requirements, but in general you should never set the mode 777 on a folder (step 17).
You’ve made your Rails app world writable which means any comprised service/account on your system (except those stuck in a chroot) are able to steal/destroy your Rails app.
Mode 750 (group readable) is ideal, but then you have to make sure the group is set to the group mongrel_cluster assumes.
Mode 755 or 775 is probably the most common for web applications to avoid lots of annoying permissions tweaking, but files with sensitive data (like database passwords) should not be world readable if possible.
Like I said: I might be missing something key… in which case please delete this comment to save me the embarrassment. ;)
One other quick note: webmin is a wonderful tool, but I would highly recommend trying to do things like steps 6, 13, and 36 manually.
Each of them is a 1 or 2 step process and a google search away. If once you’ve learned them you still like webmin, by all means use it! But in general using SSH is a much quicker way to accomplish those tasks once you’re comfortable with it.
Also, step 31 is setup automatically by Debian if you used their MySQL package (which I highly recommend). It should refuse to start twice, so nothing should break, but its a bit redundant.
Thanks for the great blog!
Thanks for the comments, Michael.
As far as unix permissions go, I’m weak. Rails doesn’t actually keep anything in that directory, but in directories beneath it, and Capistrano sets the permissions on those directories, so I think I’m safe. But you’re right, I can tighten that step up some. That was one of those “hm, this isn’t working and I can’t afford to be stuck any longer” fixes.
On the Webmin steps, it’s mostly a matter of trying to learn everything at once :)
Debian may set MySQL to start by default, but as far as I could tell RimuHosting’s Rails stack had it off by default. Which seems odd, but it was definitely not running when I moved into the box, and as far as I could see was not marked to start at boot.
You should get in the habit of using “useradd” instead of “adduser” as it is available across all Linux and UNIX flavors.