Some thoughts

directly from the furnace

Hassle-free secure tokens on OpenShift

OpenShift makes extensive use of env vars that can be used by your apps. This is really useful for creating generic repositories like Quickstarts.

You create an app, and everybody who likes it pulls it into their OpenShift repository and deploys it. Usually everything is OK, but sometimes you need to create a secure token to have an extra layer of security.

For my OpenShift Moodle Quickstart I needed a secure token to salt passwords. I didn’t want to create a config file that needs to be manually changed by the user, so I thought of something else:

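export OPENSHIFT_SECURE_TOKEN="$(ruby -e "
  require 'securerandom'
  if File.exist? 'token'
    # Reuse the token generated on an earlier start
    token = File.read('token')
  else
    # First start: generate a random token and store it, readable by the owner only
    token = SecureRandom.base64(64)
    File.open('token', 'w', 0600) { |file| file.write(token) }
  end
  puts token
")"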

This little script goes into one of the action_hooks that are sourced by the app.

In the case of my Moodle repo, I put it into .openshift/action_hooks/pre_start_php-5.3. For other apps you will have to use the appropriate cartridge name instead (e.g. ruby-1.9).

The hook runs an inline Ruby script that checks whether a token file exists in your data dir and, if so, reads it. If not, it creates one and writes a random string into it.

After that, it writes the string to STDOUT, where the surrounding command substitution captures it and assigns it to OPENSHIFT_SECURE_TOKEN. This is the env var that you can then use in your app’s config files without manually entering a string yourself.

If you need to migrate your app from somewhere else to OpenShift, you can still use this script: just set the string in token via SSH.
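
A more defensive variant of the token logic above, written as an added example and not the original post's code: it publishes the new token atomically so two hooks starting at once cannot overwrite each other, keeps the file owner-only, and rejects an empty or too-short token set by hand during a migration. The function name `load_or_create_token` and the `MIN_TOKEN_CHARS` floor are assumptions made for this example.

```ruby
require 'securerandom'
require 'tmpdir'

MIN_TOKEN_CHARS = 32 # assumed floor; a shorter hand-set token is rejected

# Return the token stored at +path+, generating it on first use.
def load_or_create_token(path)
  unless File.exist?(path)
    tmp = "#{path}.#{Process.pid}.tmp"
    # 0600 from creation: the secret is never readable by group/other.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
      f.write(SecureRandom.base64(64))
    end
    begin
      # link(2) is atomic and refuses to replace an existing file, so two
      # hooks starting together cannot overwrite each other's token.
      File.link(tmp, path)
    rescue Errno::EEXIST
      # Another process published first; its token is read below.
    ensure
      File.unlink(tmp)
    end
  end
  # A token file created by hand (e.g. over SSH) usually starts out 0644.
  File.chmod(0600, path)
  token = File.read(path).strip
  if token.length < MIN_TOKEN_CHARS
    raise ArgumentError, "token in #{path} is empty or too short"
  end
  token
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo in a throwaway directory instead of the real data dir.
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'token')
    first = load_or_create_token(path)
    mode = format('%o', File.stat(path).mode & 0777)
    puts "created:  #{first.length} chars, mode #{mode}"
    puts "reloaded: #{load_or_create_token(path) == first}"
  end
end
```

In the hook, the inline script would print the return value of `load_or_create_token` for the token path, and the `export` line stays as it is.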