Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Capify-EC2 is used to generate Capistrano namespaces and tasks from Amazon EC2 instance tags, dynamically building the list of servers to be deployed to.
Note: Capistrano 3 is completely incompatible with Capistrano 2, and therefore Capify-EC2 will not function with Capistrano 3. If you are using Capistrano 3, you can use Cap-EC2, however note that the configuration (config/ec2.yml
) is not compatible between Capify-EC2 and Cap-EC2.
gem install capify-ec2
or add the gem to your project's Gemfile.
You will need to create a YML configuration file at config/ec2.yml
that looks like the following:
:aws_access_key_id: "YOUR ACCESS KEY"
:aws_secret_access_key: "YOUR SECRET"
:aws_params:
:region: 'eu-west-1'
:load_balanced: true
:project_tag: "YOUR APP NAME"
Finally, add the gem to your deploy.rb
:
require "capify-ec2/capistrano"
Note: :aws_access_key_id
and :aws_secret_access_key
are required, unless you provide them via the two alternative methods detailed below under 'AWS Credentials' or have the :use_iam_profile
option set to use IAM roles. :region
is also required. Other settings are optional.
:project_tag
If this is defined, Capify-EC2 will only create namespaces and tasks for the EC2 instances that include a matching project in a comma separated list 'Project' tag. By default, all instances available to the specified AWS access key will be used.
It is possible to include multiple projects simultaneously by using the :project_tags parameter, like so:
:project_tags:
- "YOUR APP NAME"
- "YOUR OTHER APP NAME"
:aws_project_tag
Use this option to change which EC2 instance tag Capify-EC2 uses to determine instance project. Defaults to 'Project' if omitted.
:aws_roles_tag
Use this option to change which EC2 instance tag Capify-EC2 uses to determine instance roles. Defaults to 'Roles' if omitted.
:aws_options_tag
Use this option to change which EC2 instance tag Capify-EC2 uses to determine instance options. Defaults to 'Options' if omitted.
:aws_stages_tag
Use this option to change which EC2 instance tag Capify-EC2 uses to determine which instances belong to a stage. Should be used in conjunction with the Capistrano Multistage Extension. Defaults to 'Stages' if omitted.
:load_balanced
When ':load_balanced' is set to 'true', Capify-EC2 uses pre and post-deploy hooks to deregister the instance from an associated Elastic Load Balancer, perform the actual deploy, then finally reregister with the ELB and validated the instance health.
Note: This options only applies to deployments made to an individual instance, using the command cap INSTANCE_NAME_HERE deploy
- it doesn't apply to roles.
:use_iam_profile
Use this option to use IAM roles for authentication, rather than an access key id and secret access key.
:aws_session_token
If you are an IAM user that only has access to temporary credentials, you can provide your session token here to authenticate.
By default, Capify-EC2 will attempt to use the credentials found in your ec2.yml
configuration as detailed above.
If you wish, you can have Capify-EC2 use the AWS credentials found in your Fog configuration, instead of instead of specifying :aws_access_key_id
and :aws_secret_access_key
in the YML configuration file. Optionally, if you requires session tokens or federated users, you can set :aws_session_token
. Refer to the Fog documentation for details on specifying AWS credentials.
If you wish, you can define AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables, instead of specifying :aws_access_key_id
and :aws_secret_access_key
in the YML configuration file. Optionally, if you requires session tokens or federated users, you can set the environment variable AWS_SESSION_TOKEN.
If you have IAM roles set up on your box to allow querying EC2 information you tell Fog to use IAM roles and you will not need to provide any credentials at runtime. For more information on IAM roles read Amazon's IAM documentation.
If you are an IAM user that only has access to temporary credentials, you can use :aws_session_token: "YOUR TOKEN HERE"
to authenticate.
Capify-EC2 will attempt to load your AWS credentials first from the ec2.yml
configuration file, then from your Fog configuration file, and finally from environment variables. It will display an error if no credentials are found by any of these methods.
You will need to create instance tags using the AWS Management Console or API, to further configure Capify-EC2. The following tags are used:
Tag 'Project'
Used with the :project_tag
option in config/ec2.yml
to limit Capify-EC2's functionality to a subset of your instances. This can also be a comma separated list of projects involving this machine.
Tag 'Roles'
A comma seperated list of roles that will be converted into Capistrano namespaces, for example 'app,workers', 'app,varnish,workers', 'db' and so on.
Tag 'Options'
A comma seperated list of options which will be defined as 'true' for that instance. See the 'Options' section below for more information on their use.
In our examples, imagine that you have three servers on EC2 named and tagged as follows:
'Name' Tag | 'Roles' Tag | 'Options' Tag |
server-1 | web | cron,resque |
server-2 | db | |
server-3 | web,db,app |
You need to add a call to ec2_roles
in your deploy.rb
, like so:
ec2_roles :name => :web
This will generate the following tasks:
task :server-1 do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true
end
task :server-3 do
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE
end
task :web do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE
end
Note that there are no tasks created for 'server-2', as it does not have the role 'web'. If we were to change the ec2_roles
definition in your deploy.rb
to the following:
ec2_roles :name => :db
Then we will instead see the following tasks generated:
task :server-2 do
role :db, SERVER-2_EC2_PUBLIC_DNS_HERE
end
task :server-3 do
role :db, SERVER-3_EC2_PUBLIC_DNS_HERE
end
task :db do
role :db, SERVER-2_EC2_PUBLIC_DNS_HERE
role :db, SERVER-3_EC2_PUBLIC_DNS_HERE
end
If you want to create tasks for servers using multiple roles, you can call ec2_roles
multiple times in your deploy.rb
as follows:
ec2_roles :web
ec2_roles :db
Which would generate the following tasks:
task :server-1 do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true
end
task :server-2 do
role :db, SERVER-2_EC2_PUBLIC_DNS_HERE
end
task :server-3 do
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE
role :db, SERVER-3_EC2_PUBLIC_DNS_HERE
end
task :web do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE
end
task :db do
role :db, SERVER-2_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true
role :db, SERVER-3_EC2_PUBLIC_DNS_HERE
end
You can define custom variables which will be set as standard Capistrano variables within the scope of the role you define them one, for example:
ec2_roles :name=>"web", :variables => {:rails_env => 'staging'}
In this case, instances that that are tagged with the 'web' role will have the custom variable 'rails_env' available to them in any tasks they use. The following tasks would be generated:
task :server-1 do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true, :rails_env=>'staging'
end
task :server-3 do
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE
end
task :web do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true, :rails_env=>'staging'
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE, :rails_env=>'staging'
end
If you are defining a role with no options or variables, you can define it using the following shorthand:
ec2_roles :web
As mentioned in the 'EC2 Tags' section, creating an 'Options' tag on your EC2 instances will define those options as 'true' for the associated instance. This allows you to refine your capistrano tasks. For example, if we had the following group of instances in EC2:
'Name' Tag | 'Roles' Tag | 'Options' Tag |
server-A | web | |
server-B | web | |
server-C | web | worker |
You could then create a task in your deploy.rb
that will only be executed on the worker machine, like so:
task :reload_workers, :only=>{:worker=>true} do
# Do something to a specific server with the 'worker' option in it's EC2 tags.
end
task :reload_workers, :roles => :app, :only=>{:worker=>true} do
# Do something to a specific 'app' server with the 'worker' option in it's EC2 tags.
end
As well as defining Options at an instance level via EC2 tags, you can define an Option in your deploy.rb
at the same time as defining the role, as follows:
ec2_roles :name=>"web", :options=>{:worker=>"server-C"}
In this case, you set the value of :worker
equal to the instance name you want to be a worker. The task definition remains the same:
task :reload_workers => :web, :only=>{:worker=>true} do
# Do something to a specific server whose instance name is equal to the 'worker' option in the role definition.
end
Once you have defined the various roles used by your application, you can deploy to it as you normally would a namespace, for example if you define the following in your deploy.rb
:
ec2_roles :web
ec2_roles :app
You can deploy to just the 'web' instances like so:
cap web deploy
If you've defined multiple roles, you can deploy to them all by chaining the tasks, like so:
cap web app deploy
You can also deploy to individual instances by specifying their 'Name' tag, for example, with the sample servers above:
cap server-1 deploy
would deploy only to the instance named 'server-1'.
You can set a role as the default so that it will be included when you run cap deploy
without specifying any roles, for example in your deploy.rb
:
ec2_roles :name=>"web", :options => {:default=>true}
Then run:
cap deploy
You can set multiple roles as defaults, so they are all included when you run cap deploy
, like so:
ec2_roles :name=>"web", :options => {:default=>true}
ec2_roles :name=>"db", :options => {:default=>true}
This feature allows you to deploy your code to instances one at a time, rather than simultaneously. This becomes useful for more complex applications that may take longer to startup after a deployment. Capistrano will perform a full deploy (including any custom hooks) against a single instance, optionally perform a HTTP healthcheck against the instance, then proceed to the next instance if deployment was successful.
After deployment a status report is displayed, indicating on which instances deployment succeeded, failed or did not begin. With some failures, further action may need to be taken manually; for example if an instance is removed from an ELB (see the 'Usage with Elastic Load Balancers' section below) and the deployment fails, the instance will not be reregistered with the ELB, for safety reasons.
To use the rolling deployment feature without a healthcheck, simple run your deployments with the following command:
cap rolling_deploy
You can restrict the scope of the rolling deploy by targetting one or more roles like so:
cap web rolling_deploy
cap web db rolling_deploy
When defining a role with the ec2_role
call, if you configure a healthcheck for that role as follows, it will automatically be used during the rolling deployment:
ec2_roles :name => "web",
:variables => {
:healthcheck => {
:path => '/status',
:port => 80,
:result => 'OK'
}
}
In this example, the following URL would be generated:
http://EC2_INSTANCE_PUBLIC_DNS_HERE:80/status
And the contents of the page at that URL must match 'OK' exactly for the healthcheck to pass. If unsuccessful, the healthcheck is repeated every second, until a timeout of 60 seconds is reached, at which point the rolling deployment is aborted, and a progress summary displayed.
The result can also be specified as a regular expression, which gives more flexibility. For example:
ec2_roles :name => "web",
:variables => {
:healthcheck => {
:path => '/status',
:port => 80,
:result => /^(OK|Success)$/
}
}
The result can also be specified as an array (of strings and/or regular expressions), in which case the result of the health check is successful if the response matches any of the items in the array. For example:
ec2_roles :name => "web",
:variables => {
:healthcheck => {
:path => '/status',
:port => 80,
:result => ['OK', /^\s*Success/]
}
}
The default timeout of 60 seconds can be overridden by setting :timeout
to a custom value in seconds. The protocol used defaults to 'http://', however you can switch to 'https://' by setting :https
equal to 'true'. For example:
ec2_roles :name => "web",
:variables => {
:healthcheck => {
:path => '/status',
:port => 80,
:result => 'OK'
:https => true,
:timeout => 10
}
}
Sets a 10 second timeout, and performs the health check over HTTPS. Note: When performing the health check over HTTPS, SSL peer verification is turned off, as the EC2 instance public DNS will not match the SSL certificate, causing the health check to fail.
You can run multiple different healthchecks for a role by specifying the healthcheck as an array instead:
ec2_roles :name => "web",
:variables => {
:healthcheck => [{
:path => '/status',
:port => 80,
:result => 'OK'
}, {
:path => '/other_status',
:port => 81,
:result => 'OK'
}]
}
By default, healthchecks are made using GET requests, but you make can use POST instead by specifying :via
as either :post
or 'POST'
and adding ':data' attributes, as follows:
ec2_roles :name => "web",
:variables => {
:healthcheck => {
:path => '/status',
:port => 80,
:result => '{ json_response: as_string }'
:https => true,
:timeout => 10,
:via => :post,
:data => '{ json_request: as_string }'
}
}
You can have Capify-EC2 automatically deregister and reregister an instance from whichever ELB it is associated with, before and after the deployment, by setting :load_balanced
to 'true' in the role definition, for example:
ec2_roles :name => "web",
:variables => {
:load_balanced => true
}
In this example, when an instance with the role 'web' is deployed to, Capify-EC2 will attempt to find which ELB the instance is currently registered with and deregister it. The deploy will then proceed as usual. When it is complete, the instance will be reregistered with the same ELB, and the status verified as 'InService' before the deployment is deemed successful. Note: You can only use this feature with instances that are registered with a single ELB, if you have instances registered with multiple ELBs, you are advised not to use this feature.
You can also combine this feature with a Healthcheck like so:
ec2_roles :name => "web",
:variables => {
:healthcheck => {
:path => '/status',
:port => 80,
:result => 'OK'
}
:load_balanced => true
}
In this example, the instance will be deregistered from the ELB it is associated with and then deployed to. A healthcheck will then be performed, and providing this passes, the instance will be reregistered with the ELB and verified.
If an instance has been tagged with multiple roles, this behaviour will apply if :load_balanced
is set to 'true' in at least one of those roles.
If an instance is not associated with any ELBs, then the behaviour will be skipped silently, even if :load_balanced
is set to 'true'.
The following command will generate a listing of all instances that match your configuration (projects and roles), along with their associated details:
cap ec2:status
The following command will generate an enhanced listing of all instances that match your configuration (projects and roles) as with ec2:status
, with the addition of CPU utilisation graphs powered by CloudWatch. You will need to ensure your IAM permissions allow this.
cap ec2:graph
The following command will generate a listing of all ELBs with instances that match your configuration (projects):
cap ec2:elbs
Note: if no project
tag is specified in your ec2.yml
configuration, then all ELBs and their associated instances are shown when using this command.
You can use the following commands to deregister and reregister instances in an Elastic Load Balancer.
cap SERVER_NAME_HERE ec2:deregister_instance
cap SERVER_NAME_HERE ec2:register_instance -s loadbalancer=ELB_NAME_HERE
You need to specify the ELB when reregistering an instance, but not when deregistering. This can also be done automatically using the :load_balanced
setting (see the 'Configuration' section above).
Using the cap ec2:ssh
command, you can quickly connect to a specific instance, by checking the listing from ec2:status
and using the instance number as a parameter, for example:
cap ec2:ssh 1
will attempt to connect to instance number 1 (as shown in ec2:status
), using the public DNS address provided by AWS and the first SSH key listed in ssh_options[:keys]
.
Running the following command:
cap ec2:date
Will execute the 'date' command on all instances that match your configuration (projects and roles). You can limit this further by using a role, for example:
cap web ec2:date
Will restrict the 'date' command so it is only run on instances that are tagged with the 'web' role. You can chain many roles together to increase the scope of the command:
cap web db ec2:date
You can use the 'Name' tag of an EC2 instance to limit the scope of the command to an individual instance:
cap server-1 ec2:date
You can use the standard Capistrano invoke
task to run an arbitrary command on your instances, for example:
cap COMMAND='uptime' invoke
Will run the 'uptime' command on all instances that match your configuration (projects and roles). As with the ec2:date
command, you can further limit this by using a role, like so:
cap web COMMAND='uptime' invoke
You can also chain many roles together to increase the scope of the command:
cap web db COMMAND='uptime' invoke
As with ec2:date, you can use the 'Name' tag of an EC2 instance to limit the scope of the command to an individual instance:
cap server-1 COMMAND='uptime' invoke
You can use the standard Capistrano shell
task to open an interactive terminal session with your instances, for example:
cap shell
Will open an interactive terminal on all instances that match your configuration (projects and roles). You can of course limit the scope of the shell to a certain role or roles like so:
cap web shell
cap web db shell
You can use the Capistrano Multistage Extension to manage deployments to multiple environments.
You can set the tag name that Capify-EC2 will use to filter your server list by using the :aws_stages_tag
. It defaults to 'Stages'.
In our examples, imagine that you have three servers on EC2 named and tagged as follows:
'Name' Tag | 'Roles' Tag | 'Options' Tag | 'Stages' Tag |
server-1 | web | cron,resque | production |
server-2 | db | production | |
server-3 | web,db | staging |
And you have the following 2 stages setup using Capistrano Multistage.
production.rb
ec2_roles name: :web
ec2_roles name: :db
staging.rb
ec2_roles name: :web
ec2_roles name: :db
This will generate the following for production
namespace :production do
task :server-1 do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true
end
task :server-2 do
role :db, SERVER-2_EC2_PUBLIC_DNS_HERE
end
task :web do
role :web, SERVER-1_EC2_PUBLIC_DNS_HERE, :cron=>true, :resque=>true
end
task :db do
role :db, SERVER-2_EC2_PUBLIC_DNS_HERE
end
end
namespace :staging do
task :server-3 do
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE
role :db, SERVER-3_EC2_PUBLIC_DNS_HERE
end
task :web do
role :web, SERVER-3_EC2_PUBLIC_DNS_HERE
end
task :db do
role :db, SERVER-3_EC2_PUBLIC_DNS_HERE
end
end
With the above config you can deploy to production using cap production deploy
.
You will also need to add the environment when running other ec2 commands like ec2:status
, for example: cap production ec2:status
Source hosted at GitHub. Report Issues/Feature requests on GitHub Issues.
Copyright (c) 2011, 2012, 2013, 2014 Forward. See LICENSE for details.
FAQs
Unknown package
We found that capify-ec2 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.