Capistrano, Firewalls and Tunnel

Capistrano, Firewalls and Tunnel

Here's are 2 ways to accomplish it.

1st way

not sure if you've seen this thread?

• https://groups.google.com/forum/?fromgroups=#!topic/capistrano/RVwMim-qnMg

It makes use of the net-ssh-gateway library, but creates copies of the local forwarding methods but they're geared for remote access.

class Net::SSH::Gateway 
  # Opens a SSH tunnel from a port on a remote host to a given host and port 
  # on the local side 
  # (equivalent to openssh -R parameter) 
  def open_remote(port, host, remote_port, remote_host = "127.0.0.1") 
    ensure_open! 

    @session_mutex.synchronize do 
      @session.forward.remote(port, host, remote_port, remote_host) 
    end 

    if block_given? 
      begin 
        yield [remote_port, remote_host] 
      ensure 
        close_remote(remote_port, remote_host) 
      end 
    else 
      return [remote_port, remote_host] 
    end 
  rescue Errno::EADDRINUSE 
    retry 
  end 

  # Cancels port-forwarding over an open port that was previously opened via 
  # open_remote. 
  def close_remote(port, host = "127.0.0.1") 
    ensure_open! 

    @session_mutex.synchronize do 
      @session.forward.cancel_remote(port, host) 
    end 
  end 
end

2nd way

Outlined in an answer to this SO question:

• Is it possible to do have Capistrano do a checkout over a reverse SSH tunnel?

This technique is very similar to the 1st way. First you need to create 2 paths to the repository:

# deploy.rb
set :local_repository, "ssh://git@serverbehindfirewall/path/to/project.git"
set :repository,  "ssh://git@localhost:9000/path/to/project.git"

Then before you deploy you'll need to setup the remote forward:

% ssh -R 9000:serverbehindfirewall:22 deploybot@deployserver.com
# CTRL + C + A (Screen) or ⌘ + T (Terminal.app) to open new tab

Followed by your deploy:

% cap HOSTFILTER=deployserver.com deploy # HOSTFILTER reduces set to specified host. Only useful if you have multiple servers.

See this answer to that SO question for more details:

• https://stackoverflow.com/a/3953351/33204

Is it possible to do have Capistrano do a checkout over a reverse SSH tunnel?

Net::SSH implements remote forwarding. I have looked over all Capistrano's source code and couldn't see any references to it in the current release. None the less, that doesn't stop you from establishing remote forwarding before you deploy with Capistrano.

What you'll want to do is set the :local_repository and :repository paths individually. :local_repository is referenced locally to determine which commit will be used for the deployment before the connection is initiated. That leaves :repository for the remote server to pull from after the connection has been initiated. This is where you can specify the path to the repository behind the firewall.

# deploy.rb
set :local_repository, "ssh://git@serverbehindfirewall/path/to/project.git"
set :repository,  "ssh://git@localhost:9000/path/to/project.git"

Before you deploy, be sure to establish the remote forward. You'll need to repeat this for each server you deploy to.

$ ssh -R 9000:serverbehindfirewall:22 deploybot@deployserver.com
# CTRL + C + A (Screen) or ⌘ + T (Terminal.app) to open new tab
$ cap HOSTFILTER=deployserver.com deploy # HOSTFILTER reduces set to specified host. Only useful if you have multiple servers.

Using Net::SSH this could easily be turned into a task which is executed before anything else providing greater flexibility when deploying to multiple servers.

Lastly, given you've been using scp, you might want to set deploy_via, :remote_cache which keeps a copy of the repository on the remote server. This greatly decreases your deployment time reduces the chance of corruption.

Is it possible to specify a different ssh port when using rsync?

Another option, in the host you run rsync from, set the port in the ssh config file, ie:

cat ~/.ssh/config
Host host
    Port 2222

Then rsync over ssh will talk to port 2222:

rsync -rvz --progress --remove-sent-files ./dir user@host:/path

---

Related Topics