mongrel unicorn - Jun 2012 - File creation mode in Rails + Unicorn

Hi,

I''m currently giving Nginx + Unicorn a try, to eventually replace
Apache + Passenger. So far so good.

I have a Rails 3.2.5 app behind Unicorn, itself behind Nginx.
In this Rails app, I have set page caching for some resources. They are created
in Rails.root/public/ to be directly available to Nginx.

When I first hit such a page, the static cache file is not present, so the Rails
app is reached and the file is created.
The next hit is a 403 error.
The file is created with the right user/group but in 0600 mode instead of 0660
or 0640, that''s why I have this error.

If I start my app with Webrick instead of Unicorn, the file is created the mode
is alright.


To start Unicorn, my init script (executed by root) does something like this
(let''s say that the user/group is deploy/deploy) :

    sudo -u deploy unicorn -E production -c RAILS_ROOT/config/unicorn.rb -D

Then in the unicorn.rb config script I have set this :

   user ''deploy'', ''deploy''


I''ve tried to use unicorn in socket or TCP mode, but I get the same
result.

Thanks for any help and for making Unicorn such an awesome tool.

J?r?my Lecour
http://twitter.com/jlecour

J?r?my Lecour <jeremy at autrementlemail.fr>
wrote:
> When I first hit such a page, the static cache file is not present, so
> the Rails app is reached and the file is created.
> The next hit is a 403 error.
> 
> The file is created with the right user/group but in 0600 mode instead
> of 0660 or 0640, that''s why I have this error.
> 
> If I start my app with Webrick instead of Unicorn, the file is created
> the mode is alright.
> To start Unicorn, my init script (executed by root) does something
> like this (let''s say that the user/group is deploy/deploy) :
> 
>     sudo -u deploy unicorn -E production -c RAILS_ROOT/config/unicorn.rb -D
Did you also use sudo to start webrick?
> Then in the unicorn.rb config script I have set this :
> 
>    user ''deploy'', ''deploy''
You only need one or or the other (sudo or the "user" directive), not
both, but I don''t think that''s the issue...

Calling File.umask in your unicorn config file should work around the
issue for you:

  File.umask(027) # to get 0640 perms
  File.umask(007) # to get 0660 perms

You can use:   printf("0%o", File.umask)   to show the current umask,
too.


I''m not sure why the "deploy" user defaults to such a
restrictive umask
on your system, though.  There are _many_ things that could change/set
umask before unicorn gets started, including sudo.  Your system
administrator might know :)
> I''ve tried to use unicorn in socket or TCP mode, but I get the
same result.
That shouldn''t make a difference.  Unicorn only flips the umask
momentarily when creating a unix socket and flips it back to
the original value.
> Thanks for any help and for making Unicorn such an awesome tool.
No problem!

Le 8 juin 2012 ? 11:20, Eric Wong a ?crit :
> J?r?my Lecour <jeremy at autrementlemail.fr> wrote:
>> When I first hit such a page, the static cache file is not present, so
>> the Rails app is reached and the file is created.
>> The next hit is a 403 error.
>> 
>> The file is created with the right user/group but in 0600 mode instead
>> of 0660 or 0640, that''s why I have this error.
>> 
>> If I start my app with Webrick instead of Unicorn, the file is created
>> the mode is alright.
> 
>> To start Unicorn, my init script (executed by root) does something
>> like this (let''s say that the user/group is deploy/deploy) :
>> 
>>    sudo -u deploy unicorn -E production -c RAILS_ROOT/config/unicorn.rb
-D
> 
> Did you also use sudo to start webrick?
I didn''t, and that seems to make the difference.
> You can use:   printf("0%o", File.umask)   to show the current
umask, too.
root # sudo -u deploy irb
irb> printf("0%o", File.umask)
077

deploy # irb
irb> printf("0%o", File.umask)
027


Thanks for your help, you nailed it.


J?r?my Lecour
Conception et d?veloppement d''applications web
06 22 43 88 94 - http://jeremy.wordpress.com - http://twitter.com/jlecour