How should virtualenv be set up in a production Web server (user, location, etc.)

Tags: deployment, virtualenv

I'm switching my production server to use virtualenv, and I want to understand the best practices for setting up virtualenv in a production environment. The following questions are ones I've run into today while trying to figure this out:

  • what user should I use to create the virtualenv?
  • where should that user put the virtualenv?
  • how do I activate the virtualenv with the permissions of that user?

Virtualenv is going to be used almost exclusively by Apache, so I'm thinking the correct user is www-data, and the location of the virtualenv could be /var/www/.virtualenvs.

That seems OK, but the next problem is that www-data doesn't actually have a login shell and can't write to its own home directory (/var/www/), so when I try to activate the virtualenv, it doesn't work, and when I try to install things using pip, I get errors like:

The directory '/var/www/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.

(even if I use -H I get this error.)

So, I could create a login shell for www-data, but that feels like a security anti-pattern.

And I could give www-data access to its home directory (/var/www/), but that's obviously a security anti-pattern.

Is there a norm around this? I've burned WAY too many cycles trying to figure this out, and it feels like it should be much simpler.

Best Answer

Running in a virtualenv is no different than any other application. You use a user that has the least amount of privileges necessary to do what the application needs to do.

It would not be advisable to run it as yourself.
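
As an added example (not part of the question or the answer above): a POSIX shell script that applies that least-privilege split to a virtualenv. It assumes names the thread does not give: an app called myapp, a venv root of /opt/venvs, mod_wsgi as the Apache integration, and root (or a separate deploy account) as the owner of the venv, while www-data only reads and executes it. It also sidesteps the pip cache error quoted in the question by pointing pip at an explicit cache directory (pip defaults to a cache under $HOME, which for a nologin account with an unwritable home is exactly what fails), and it never sources bin/activate: running the venv's own bin/python is equivalent and works from cron, systemd and other non-interactive contexts.

```shell
#!/bin/sh
# Added example, not from the original thread: build a virtualenv that a
# privileged deploy step owns and that the unprivileged Apache account can
# only read and execute. Assumed names (not in the thread): app "myapp",
# venv root /opt/venvs, mod_wsgi for serving.
set -eu

APP="${APP:-myapp}"
VENV_ROOT="${VENV_ROOT:-/opt/venvs}"
VENV="$VENV_ROOT/$APP"
RUN_USER="${RUN_USER:-www-data}"      # the account Apache runs as: read/exec only
DEPLOY_USER="${DEPLOY_USER:-root}"    # the account that owns and writes the venv

# pip keeps its cache under $HOME by default; with a nologin account whose
# home (/var/www) is not writable, that is the error quoted in the question.
# Give pip an explicit, writable cache instead of a login shell or a writable home.
export PIP_CACHE_DIR="${PIP_CACHE_DIR:-/var/cache/pip}"

# build_venv DIR REQ: create the venv and install the requirements file REQ.
# No "source bin/activate" is needed: calling the venv's own interpreter
# is equivalent and works from cron, systemd and non-interactive shells.
build_venv() {
  dir="$1"; req="$2"
  mkdir -p "$PIP_CACHE_DIR"
  python3 -m venv "$dir"
  "$dir/bin/python" -m pip install --quiet --upgrade pip
  "$dir/bin/python" -m pip install --quiet --requirement "$req"
}

# lock_down DIR OWNER: OWNER keeps write; group and others get read/execute only.
lock_down() {
  dir="$1"; owner="$2"
  chown -R "$owner" "$dir"
  chmod -R go-w "$dir"
}

# audit_venv DIR: succeed only if nothing under DIR is writable by group or others.
# A web-app account that can write into its own venv can replace site-packages
# with code of its choosing, which is what the least-privilege split prevents.
audit_venv() {
  bad=$(find "$1" \( -perm -g+w -o -perm -o+w \) -print | head -n 1)
  [ -z "$bad" ]
}

# write_wsgi_conf FILE: Apache snippet pointing mod_wsgi at the venv.
# WSGIDaemonProcess drops the daemon to RUN_USER; python-home makes the
# venv's site-packages visible without any activation step.
write_wsgi_conf() {
  out="$1"
  cat > "$out" <<EOF
WSGIDaemonProcess $APP user=$RUN_USER group=$RUN_USER python-home=$VENV
WSGIScriptAlias / /var/www/$APP/app.wsgi process-group=$APP application-group=%{GLOBAL}
EOF
}

# Deployment entry point (run as root or as DEPLOY_USER with write access to VENV_ROOT):
#   sudo sh setup-venv.sh /path/to/requirements.txt
main() {
  req="$1"
  mkdir -p "$VENV_ROOT"
  build_venv "$VENV" "$req"
  lock_down "$VENV" "$DEPLOY_USER"
  audit_venv "$VENV" || { echo "venv has group/world-writable entries" >&2; exit 1; }
  write_wsgi_conf "/etc/apache2/conf-available/$APP-wsgi.conf"
}

case "${1:-}" in
  "") ;;            # no argument: only define the functions (e.g. when sourced)
  *) main "$1" ;;
esac
```

Run it once per deploy as root (`sudo sh setup-venv.sh requirements.txt`), then enable the generated conf with a2enconf and reload Apache. Because www-data never owns or writes the venv, a compromised web process cannot replace what is in site-packages; the audit function is there so a later deploy that accidentally loosens the permissions fails loudly instead of silently.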
