2

I'm relatively new to the CD and DevOps topics and I am trying to set up automatic deployments with Capistrano, which works well on my local ad hoc test environment. I wonder, however, how one would ideally like to set up the users on the future target environment.

E.g. the Ubuntu Tomcat installation procedure sets up a tomcat(6|7) user who owns the tomcat process. It is not possible to SSH into the box using this user, though, and for Capistrano you need a user with SSH access for running all commands. How do people normally solve this problem? Of course I thought of my own solution, but I'm interested in hearing if there is a best practice for this.

There will be another party setting up my target environment in the end, but I can have a say in this so I would like to know what I ideally want here.

vonbrand

2 Answers

2

There are a variety of methods for doing it, but the top one is to set up the system so the SSH-enabled deployment user (which you'll need to set up) can impersonate tomcat or root as needed for doing deployments. The actual code directories may be owned by tomcat, or may be owned by the deployment user with rights set so that tomcat can use the files.

# Capistrano 2 task: restart Tomcat through sudo as the SSH deployment user
desc "Restarts the tomcat service"
task :restart_tomcat do
  set :user, "deployuser"
  run "sudo service tomcat restart", :roles => :tomcat_servers
end

Or suchlike. If sudo requires a password, Capistrano is smart enough to prompt you for it.

sysadmin1138
  • Thanks, I'll try that. I'm using Puppet to provision the target environment and I'm new to that, too, so I haven't managed to completely validate your solution yet. It looks promising though. Some fiddling with the sudoers file today should do the trick. – Cpt. Senkfuss May 24 '13 at 08:50
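
One way to check that the sudoers rules given to the deployment user stay limited to what the deployment needs, as an added example that is not part of the original answers. The `/usr/sbin/service` path and all sample rules are assumptions constructed for illustration; only `deployuser` comes from the answer above.

```ruby
# Added example: audit the sudoers rules granted to a deployment account.
# Handles only the simple form "user host = (runas) [NOPASSWD:] cmd, cmd";
# aliases, Defaults lines and escaped commas are out of scope.
RULE = /\A(?<user>\S+)\s+(?<host>\S+)\s*=\s*(?:\((?<runas>[^)]*)\)\s*)?(?<nopasswd>NOPASSWD:\s*)?(?<cmds>.+)\z/

# Returns [line_number, message] pairs for rules of `user` that grant
# more than a fixed, absolute command run as a named account.
def audit_sudoers(text, user)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, "").strip          # drop comments
    m = RULE.match(line)
    next unless m && m[:user] == user
    m[:cmds].split(",").map(&:strip).each do |cmd|
      if cmd == "ALL"
        findings << [lineno, "grants every command"]
      elsif !cmd.start_with?("/")
        findings << [lineno, "command is not an absolute path: #{cmd}"]
      elsif cmd.match?(/[*?]/)
        findings << [lineno, "wildcard in command: #{cmd}"]
      end
    end
    # With no run-as list, sudo runs the command as root.
    runas = (m[:runas] || "root").split(/[,:]/).map(&:strip)
    findings << [lineno, "may run as any user"] if runas.include?("ALL")
  end
  findings
end

# Constructed sample: two overly broad rules, then the narrow one.
SAMPLE = <<~SUDOERS
  # rules for the Capistrano deployment account (constructed)
  deployuser ALL=(ALL) NOPASSWD: ALL
  deployuser ALL=(root) NOPASSWD: /usr/sbin/service tomcat*
  deployuser ALL=(root) NOPASSWD: /usr/sbin/service tomcat restart
SUDOERS

if __FILE__ == $0
  audit_sudoers(SAMPLE, "deployuser").each do |lineno, msg|
    puts "line #{lineno}: #{msg}"
  end
end
```

Only the last rule passes: it lets the deployment user restart Tomcat and nothing else, which is all the Capistrano task needs.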
0

Check the package's official recommendation on how to set it up. Look at how your chosen distribution manages the issue in their package. There might be some HOWTO for the distribution or the package; look for those. But be careful when reading how this was solved in some other version: it often happens that configuration and capabilities change radically from one version to the next (and other supporting packages might also have changed).

vonbrand