New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rails assets:precompile in production failed due to missing master key #32947
Comments
This is intentional behavior. |
Even when I set |
Same for me. Can't precompile on build stage. |
@bjacobso is this the error you're seeing?
I don't think we're looking to maintain a list of commands to skip the certain aspects of production.rb with though. |
Using workaround |
Clever! 😋 |
@kaspth I understand the resistance to having some commands not load the whole environment and some load the whole environment, but |
@yarmiganosca I'm not against addressing it (and I never said it was a niche concern), I'd like Rails to do so! I'm just saying that (my own interpretation here)
is a no go for us. Likewise,
looks wrong too. Perhaps we could defer
We've been doing work to not connect to a database during boot. It could be a problem in your app. 😊 |
@kaspth Workaround in Dockerfile
|
Have there been any decisions made for this issue? We're running into this issue while upgrading to Rails 5.2 on our CI builds. Without the secret key base builds cannot pass. We're cautious about adding a junk key into the CI stage when it's otherwise unnecessary. Running the following command will fail ( locally and on CI ) unless we provide a SECRET_KEY_BASE:
The error message
cc: @kaspth |
I've run into this problem as well. A solution I've seen in other forums is to pass a dummy value for secret_key_base |
^ Ran into this problem also in build environment - really needs to be looked at especially because currently giving an actual secret to a DockerFile is quite a pain see: https://docs.docker.com/develop/develop-images/build_enhancements/ |
Is there a proper solution for this problem, except injecting dummy 🤔 |
^ @y-yagi Could you possibly look at this again considering the additional information around problems? |
Currently, I'm running into an issue when trying to run Currently, I'm setting up |
This really needs an official solution and shouldn't be a closed issue. It boggles my mind why it works this way and why I need to load my credentials to compile assets. My issue is that a This worked but several gems then complained about empty strings for the values that should have been set from the credentials. As a workaround, I'm now building assets in my Dockerfile by running I wasn't able to deploy my app for a week until I got this issue taken care of using a hack. This needs more attention. |
I still don't know how to deal with this in Rails 6, Docker build using credentials |
* This version of Rails requires SECRET_KEY_BASE set. We can just set it to 'dummy' to allow it to run * rails/rails#32947
@alphabt - Have you found a real solution here? I implemented what you suggested above and it worked - thank you! Would love to have something that's not a workaround though. |
For me using docker build args solved this issue My Dockerfile:
I can build it with |
After going at this for a few hours, this was the workaround that finally worked for me. Thank you @top4ek 🙌 System Configuration:
Environment:
Excerpt from my
|
As @Oldharlem notes, it is doable to inject the needed variables into a containerized precompile. I've been doing this all along, and it's not a terrible inconvenience when accessing ENV variables is straightforward. But there are plenty of situations where such access is less than straightforward. For instance, I'm designing a AMI for backup deployment in the case that the local deployment server we use goes down. So anything I need in my ENV I have to get there--securely. In this context, it is rather disappointing to have to manage the definition of variables that aren't even necessary to the task I'm trying to accomplish. It's a clear violation of basic best practice to need a workaround in this case. Put another way, even if declaring dummy variables works, I'm not going to be happy about it. We can do better. |
When building a docker image we precompile assets. Recent changes require SECRET_KEY_BASE to be defined for asset compilation (?) See: rails/rails#32947 This inserts a dummy SECRET_KEY_BASE for this compilation pass, and should have no adverse effect.
For anyone using GitLab Auto DevOps and facing this problem, here is how I got it working using an Auto DevOps customisation that leverages Docker BuildKit secrets:
Here is my Dockerfile in full:
My previous attempts for others who land here: I'm using GitLab Auto DevOps. I attempted two of the workarounds above with the following outcomes:
|
Suggested workaround earlier in the issue of Error: Setting |
Wow... It's been so long that I can't even remember how I solved this!
hahahaha! :)
But if you just scroll through the issue and find my name you'll see what
my solution was. It's still what my server uses to this day... So I guess
it worked!
…On Fri, Aug 6, 2021 at 5:39 PM aphel ***@***.***> wrote:
Suggested workaround earlier in the issue of SECRET_KEY_BASE=bundle exec
rake secret RAILS_ENV=production bundle exec rake assets:precompile does
not work for me.
Error: Missing encryption key to decrypt file with. Ask your team for
your master key and write it to /config/master.key or put it in the
ENV['RAILS_MASTER_KEY'].
Setting RAILS_MASTER_KEY manually in env gives errors of improper format.
I'll probably see how Rails is generating it behind the scenes and
duplicate that. Must say, it's really weird this issue is a wontfix.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#32947 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AA2KI54X6JLIDXMGS32HAUTT3P64RANCNFSM4FA4GXPQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email>
.
|
This appears to be the best solution for now from @aghalarp 👏
This works well with a Github Action to publish an image to a container registry. # publish_image.yml
# ...
# https://github.com/docker/build-push-action
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
# ...
secrets: |
"master_key=${{ secrets.RAILS_MASTER_KEY }}" |
This is really irritating that the new asset system assumes the full environment along with the master key is available just to invoke webpack... My solution is just to add a env var to skip the config in production.rb during asset compilation. production.rb
Dockerfile
It would be nice to instead just create a standalone script to invoke Webpack(er) without needing to mess with this. |
For anyone who encountered this issue using Capistrano when deploying to an environment, check the position of the environment variable in your .bashrc file. We put the environment variable at the end of the .bashrc and didn't realize there is a block of code at the top that kicks non-interactive shells out of .bashrc without parsing it. By moving the environment variable (RAILS_MASTER_KEY in our case) to the top, it was made available to the environment and then our assets precompiled without error. |
Rails 5.2 fails not only the web server but also other tasks when secret_key_base is not present. Adding a dummy value here to workaround that. See rails/rails#32947
Working on solving this properly here: #46760 |
Ran into exactly the same issue. We can just use the same dummy key approach as with development and test. Apologies for the (very, very) long delay on such a simple, but annoying issue. |
If you'd like to use the SECRET_KEY_BASE_DUMMY approach, but you're not going to run against edge Rails, you can reopen the Rails::Application in your config/environment.rb file and add: class Rails::Application
def secret_key_base
if Rails.env.development? || Rails.env.test? || ENV["SECRET_KEY_BASE_DUMMY"]
secrets.secret_key_base ||= generate_development_secret
else
validate_secret_key_base(
ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
)
end
end
end Above the |
DHH's solution doesn't solve the problem for me. I have two requirements:
My solution is: config.require_master_key = true if Rake.application.top_level_tasks.exclude?('assets:precompile')
# or even if you need to run `assets:clean` without a key
config.require_master_key = true if Rake.application.top_level_tasks.none? { |task| task.start_with?('assets:') } |
At Fly.io, there's a lot of support issues and confusion related to this requirement. Eliminating the need to pass a "dummy" key into the precompile command would make more deploys successful. I'd be interested in putting a patch together if I could get some guidance on knowing whether or not this was attempted the past. I recall a time when there was an |
Asset compilation now requires a `SECRET_KEY_BASE` which is currently set to a dummy value in `docker-compose.production.yml` More info on this annoying rails quirk here: rails/rails#32947
Asset compilation now requires a `SECRET_KEY_BASE` which is currently set to a dummy value in `docker-compose.production.yml` More info on this annoying rails quirk here: rails/rails#32947
Asset compilation now requires a `SECRET_KEY_BASE` which is currently set to a dummy value in `docker-compose.production.yml` More info on this annoying rails quirk here: rails/rails#32947
Asset compilation now requires a `SECRET_KEY_BASE` which is currently set to a dummy value in `docker-compose.production.yml` More info on this annoying rails quirk here: rails/rails#32947
Here is an approach that could simplify things... and provide options in all sorts of build/deployment/execution scenarios.
Could another ENV var be added -- One could then set the If viable, I'd be happy to post a PR. |
@bradgessler @martinstreicher I'm not advocating either of you invest time and effort into this, but generally I'd expect you to get better feedback on feature requests to discuss, or in the form of a PR. 🙏 |
Steps to reproduce
I dockerize my Rails app and run
rails assets:precompile
withRAILS_ENV=production
and let GitLab CI build the image, but it failed because master.key is not in the repo for security and I can't injectRAILS_MASTER_KEY
during CI's build phase.Do we really need to check for the existence of master key during
assets:precompile
?Expected behavior
rails assets:precompile
doesn't depend on the existence of master key even whenconfig.require_master_key = true
Actual behavior
rails assets:precompile
failed withSystem configuration
Rails 5.2.0
Ruby 2.5.1
The text was updated successfully, but these errors were encountered: