What Is A Good Way Of Hiding Mysql2 Password When Deploying With Capistrano

So, here is my capistrano file

load 'deploy/assets'
require "bundler/capistrano" 
set :application, "XXXXXX"
set :repository,  "XXXXXX"

set :scm, :git # You can set :scm explicitly or Capistrano will make an intelligent guess based on known version control directory names
# Or: `accurev`, `bzr`, `cvs`, `darcs`, `git`, `mercurial`, `perforce`, `subversion` or `none`
set :repository , "XXXXXX"

role :web, "XXXXXX"                          # Your HTTP server, Apache/etc
role :app, "XXXXXX"                          # This may be the same as your `Web` server
role :db,  "XXXXXX", :primary => true # This is where Rails migrations will run
#role :db,  "your slave db-server here"

set :user, 'root'
set :use_sudo, false
set :deploy_to, "/var/www/#{application}"
set :deploy_via, :remote_cache
set :normalize_asset_timestamps, false

# if you want to clean up old releases on each deploy uncomment this:
# after "deploy:restart", "deploy:cleanup"

# if you're still using the script/reaper helper you will need
# these

# If you are using Passenger mod_rails uncomment this:
namespace :deploy do

  task :start do ; end
  task :stop do ; end
  task :restart, :roles => :app, :except => { :no_release => true } do
    run "touch #{File.join(current_path,'tmp','restart.txt')}"

Now when i run cap deploy i get an error

Access denied for user 'root'@'localhost' (using password: NO)

I am assuming thats because my database.yml file is

  adapter: sqlite3
  database: db/development.sqlite3
  pool: 5
  timeout: 5000

# Warning: The database defined as "test" will be erased and
# re-generated from your development database when you run "rake".
# Do not set this db to the same as development or production.
  adapter: sqlite3
  database: db/test.sqlite3
  pool: 5
  timeout: 5000

    adapter: mysql2
    encoding: utf8
    database: XXXXX
    username: root
    socket: /tmp/mysql.sock

Now since i have a public github account. I dont want to pass in my password and publish it to a github. And if I dont pass in the password i am unable to deploy the app.

What is a good way to handle this problem?




I would recommend the following:

  1. Move config/database.yml to config/database.yml.sample in your repo
  2. Remove any sensitive information in config/database.yml.sample, such as passwords, and
    commit the "sample" config file to your repo.
  3. Add config/database.yml to your .gitignore file, so it cannot be committed to the repo
  4. On your server, manually copy config/database.yml.sample to config/database.yml in your shared/ directory that Capistrano creates for you. This should be done after you run the cap deploy:setup command, which creates the top-level shared and releases directories. This should just be done once, manually, when setting up your application.
  5. In shared/config/database.yml on the server, fill in the actual DB details, including passwords. chmod the file so it isn't readable by those who should not have access.
  6. Add the following to your deploy script:

    namespace(:customs) do
       task :symlink_db, :roles => :app do
        run <<-CMD
          ln -nfs #{shared_path}/config/database.yml #{release_path}/config/database.yml
    after "deploy:update_code", "customs:symlink_db"