Docker-friendly Vagrant boxes 2014-05-11 released

By Hongli Lai on May 12th, 2014

We provide Vagrant base boxes that are based on Ubuntu 14.04 and 12.04, 64-bit. These boxes are specifically customized to work well with Docker. Please learn more at the website.

The changes in version 2014-05-11 are:

  • The Ubuntu 12.04 boxes have been upgraded to kernel 3.13 (Trusty kernel). This is because even the updated VMWare Tools still occasionally caused kernel panics on kernel 3.8. In our tests, we’ve observed that VMWare Tools does not cause any kernel panics on kernel 3.13.
  • No changes in the Ubuntu 14.04 boxes.

Related resources: Github | Prebuilt boxes | Vagrant Cloud | Discussion forum | Twitter

Upgrade instructions for Vagrant >= 1.5 with Vagrant Cloud

Run:

vagrant box outdated

Upgrade instructions for Vagrant <= 1.4, or Vagrant >= 1.5 without Vagrant Cloud

Destroy your Vagrant VM:

vagrant destroy

Remove your existing base box:

# Vagrant >= 1.5
vagrant box remove phusion-open-ubuntu-12.04-amd64 --provider virtualbox
vagrant box remove phusion-open-ubuntu-12.04-amd64 --provider vmware_fusion

# Vagrant <= 1.4
vagrant box remove phusion-open-ubuntu-12.04-amd64 virtualbox
vagrant box remove phusion-open-ubuntu-12.04-amd64 vmware_fusion

Start your VM again. Vagrant will automatically download the latest version of the box.

vagrant up

Phusion Passenger 4.0.42 released, Ubuntu 14.04 packages available

By Hongli Lai on May 7th, 2014


Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc are already using it, as well as over 350.000 websites.

Phusion Passenger is under constant maintenance and development. Version 4.0.42 is a bugfix release.

Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.

Recent changes

  • [Nginx] Upgraded the preferred Nginx version to 1.6.0.
  • [Nginx] Fixed compatibility with Nginx 1.7.0.
  • [Standalone] The MIME type for .woff files has been changed to application/font-woff. Fixes issue #1071.
  • There are now APT packages for Ubuntu 14.04. At the same time, packages for Ubuntu 13.10 have been abandoned.
  • Introduced a new command, `passenger-config build-native-support`, for ensuring that the native_support library for the current Ruby interpreter is built. This is useful in system provisioning scripts.
  • For security reasons, friendly error pages (those black/purple pages that show the error message, backtrace and environment variable dump when an application fails to start) are now disabled by default when the application environment is set to ‘staging’ or ‘production’. Fixes issue #1063.
  • Fixed some compilation warnings on Ubuntu 14.04.
  • Fixed some compatibility problems with Rake 10.2.0 and later. See Rake issue 274.
  • Improved error handling in Union Station support.
  • Data is now sent to Union Station on a more frequent basis, in order to make new data show up more quickly.
  • Information about the code revision is now sent to Union Station, which will be used in the upcoming deployment tracking feature in Union Station 2.

Installing or upgrading to 4.0.42

OS X | Debian | Ubuntu | Heroku | Ruby gem | Tarball

Final

Phusion Passenger’s core is open source. Please fork or watch us on Github. :)

Docker-friendly Vagrant boxes 2014-04-30 released

By Hongli Lai on April 30th, 2014

We provide Vagrant base boxes that are based on Ubuntu 14.04 and 12.04, 64-bit. These boxes are specifically customized to work well with Docker. Please learn more at the website.

The changes in version 2014-04-30 are:

  • The Ubuntu 12.04 VirtualBox box in release 2014-02-22 was broken: the VirtualBox guest additions weren’t correctly installed because the kernel was incorrectly installed. This has now been fixed.
  • The Ubuntu 12.04 VMWare Fusion box now loads the VMWare Tools kernel modules during startup, so that Vagrant doesn’t have to wait so long at the “Waiting for HGFS kernel module” phase.
  • No changes in the Ubuntu 14.04 boxes.

Related resources: Github | Prebuilt boxes | Vagrant Cloud | Discussion forum | Twitter

Upgrade instructions for Vagrant >= 1.5 with Vagrant Cloud

Run:

vagrant box outdated

Upgrade instructions for Vagrant <= 1.4, or Vagrant >= 1.5 without Vagrant Cloud

Destroy your Vagrant VM:

vagrant destroy

Remove your existing base box:

# Vagrant >= 1.5
vagrant box remove phusion-open-ubuntu-12.04-amd64 --provider virtualbox
vagrant box remove phusion-open-ubuntu-12.04-amd64 --provider vmware_fusion

# Vagrant <= 1.4
vagrant box remove phusion-open-ubuntu-12.04-amd64 virtualbox
vagrant box remove phusion-open-ubuntu-12.04-amd64 vmware_fusion

Start your VM again. Vagrant will automatically download the latest version of the box.

vagrant up

Docker-friendly Vagrant boxes 2014-04-22 released, supports Ubuntu 14.04

By Hongli Lai on April 23rd, 2014

We provide Vagrant base boxes that are based on Ubuntu 14.04 and 12.04, 64-bit. These boxes are specifically customized to work well with Docker. Please learn more at the website.

We are proud to release version 2014-02-22 of our Docker-friendly Vagrant base boxes. This release contains major changes:

  • There are now base boxes available based on Ubuntu 14.04. See the README for details.
  • Upgraded VMWare Tools to 9.6.2-1688356 (from VMWare Fusion 6.0.3). This is a major improvement over the VMWare Tools included in the last release (9.6.0-1294478, from VMWare Fusion 6.0.1):
    • Fixes the file corruption bug in VMWare Tools 9.6.1-1378637 (from VMWare Fusion 6.0.2).
    • Fixes compatibility with kernel 3.13.
    • Fixes a number of bugs that could cause the kernel to crash.

    If you experienced any crashing/freezing problems with our VMWare Fusion boxes before, then this upgrade will probably help.

Related resources: Github | Prebuilt boxes | Vagrant Cloud | Discussion forum | Twitter

Upgrade instructions

Destroy your Vagrant VM:

vagrant destroy

Remove your existing base box:

# Vagrant >= 1.5
vagrant box remove phusion-open-ubuntu-12.04-amd64 --provider virtualbox
vagrant box remove phusion-open-ubuntu-12.04-amd64 --provider vmware_fusion

# Vagrant <= 1.4
vagrant box remove phusion-open-ubuntu-12.04-amd64 virtualbox
vagrant box remove phusion-open-ubuntu-12.04-amd64 vmware_fusion

Start your VM again. Vagrant will automatically download the latest version of the box.

vagrant up

Phusion Passenger 4.0.41 released, OpenSSL Heartbleed security update

By Hongli Lai on April 8th, 2014


Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc are already using it, as well as over 350.000 websites.

Phusion Passenger 4.0.41 has been released ahead of time in order to address the OpenSSL heartbleed security issue (CVE-2014-0160). This is an extremely serious vulnerability in OpenSSL which can completely negate the security that it provides. Users are advised to upgrade as soon as possible.

Phusion Passenger’s relationship with the OpenSSL heartbleed vulnerability is as follows.

We provide precompiled binaries for Passenger Standalone. These binaries are statically linked to OpenSSL in order to make them useable on a wide range of operating systems. With 4.0.41, the binaries have been upgraded to link against OpenSSL 1.0.1g, which fixes the heartbleed vulnerability.

You are vulnerable if:

  • You are using Passenger Standalone, with SSL enabled inside Passenger Standalone (that is, passenger start --ssl).

You are not vulnerable (to the Passenger Standalone static linking issue) if:

  • You are not using Passenger Standalone (e.g. if you’re using Phusion Passenger through the Apache or Nginx integration mode).
  • You are using Passenger Standalone, but without SSL.
  • Your Passenger Standalone is behind another SSL-enabled reverse proxy.

Update: Please note that the only thing this Phusion Passenger update fixes is any potential vulnerability in the Passenger Standalone binaries that we provide. Your system as a whole may still be vulnerable because you’re running a vulnerable OpenSSL version. Please check with your vendor for system updates.
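
Because the exposure described above depends on which OpenSSL is statically linked into a binary, one way to check is to read the version banner embedded in the file. This is an added example, not Phusion's code: the function names are hypothetical, the sample files are constructed, and it assumes a grep that supports -a and -o (GNU and BSD grep do).

```shell
#!/bin/sh
# Succeeds if $1 names an upstream OpenSSL release affected by CVE-2014-0160
# (1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1).
# Accepts "1.0.1f" or a banner such as "OpenSSL 1.0.1f 6 Jan 2014".
# Distro packages may backport the fix without changing this string, so rely
# on it only for upstream builds such as a statically linked copy.
openssl_heartbleed_affected() {
    ver=${1#OpenSSL }      # drop the "OpenSSL " prefix if present
    ver=${ver%% *}         # keep the version word, drop the build date
    ver=${ver%-fips}
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each distinct OpenSSL version banner embedded in file $1.
embedded_openssl_versions() {
    LC_ALL=C grep -a -o \
        'OpenSSL [0-9][0-9a-z.-]* [0-9]\{1,2\} [A-Z][a-z][a-z] [0-9]\{4\}' \
        "$1" | sort -u
}

# Exit status: 0 = no affected banner, 1 = affected banner, 2 = no banner.
audit_binary() {
    bad=0
    banners=$(embedded_openssl_versions "$1")
    [ -n "$banners" ] || { echo "no OpenSSL banner in $1"; return 2; }
    while IFS= read -r banner; do
        if openssl_heartbleed_affected "$banner"; then
            echo "AFFECTED: $banner"; bad=1
        else
            echo "ok: $banner"
        fi
    done <<EOF
$banners
EOF
    return "$bad"
}

# Write a constructed stand-in for a binary: NUL-separated junk plus banner $2.
write_sample() {
    printf 'ELF\0junk\0%s\0tail\n' "$2" > "$1"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/old" "OpenSSL 1.0.1f 6 Jan 2014"   # constructed sample
write_sample "$demo_dir/new" "OpenSSL 1.0.1g 7 Apr 2014"   # constructed sample
audit_binary "$demo_dir/old" || :
audit_binary "$demo_dir/new" || :
rm -rf "$demo_dir"
```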

There aren’t many other changes in this release:

  • Fixed some issues with printing UTF-8 log files on Heroku.
  • Added a new flag --ignore-app-not-running to passenger-config restart-app.
    When this flag is given, passenger-config restart-app will exit successfully
    when the specified application is not running, instead of exiting with
    an error.

Installing or upgrading to 4.0.41

OS X | Debian | Ubuntu | Heroku | Ruby gem | Tarball

Final

Phusion Passenger’s core is open source. Please fork or watch us on Github. :)

The Phusion founders’ PGP keys have been updated

By Hongli Lai on March 25th, 2014

Phusion takes security very seriously. This is why we strongly believe in protecting the authenticity and integrity of our communications and our software, and why we employ the use of PGP digital signatures. Using our PGP keys, you can verify the authenticity and integrity of all emails and files that we publish to you or to the world. All software releases that we make are signed with one of our PGP keys.

The founders’ keys have changed

As Phusion’s founders, we – Hongli Lai and Ninh Bui – have our own personal PGP keys as well, which we use to encrypt or sign some of our emails and git commits. We’ve recently run a security audit and noticed that our PGP keys are no longer deemed as secure as they should be. The keys that we’ve been using until today were made back in 2009, but the recommended algorithms and key sizes in 2014 are quite different from what they were 5 years ago. For this reason, we’ve decided to revoke our old keys and to create new ones, with stronger security settings.

Nothing has been compromised. We are simply renewing our keys as a precaution.

Effective immediately, our new PGP keys are as follows:

  • Hongli Lai (hongli@phusion.nl)
    Short key ID: 8C59158F
    Long key ID: CD70085E8C59158F
    Fingerprint: 218A 7255 83D0 2ECE F3A9 C2A7 CD70 085E 8C59 158F
  • Ninh Bui (ninh@phusion.nl)
    Short key ID: 69481265
    Long key ID: AE405F7869481265
    Fingerprint: A77C 9CEF 766D 0E7D A95B 8778 AE40 5F78 6948 1265

If you had our old keys in your keyring, please update them so that you see the revocations:

gpg --refresh-keys --keyserver pool.sks-servers.net
# -OR-
gpg --refresh-keys --keyserver keyserver.ubuntu.com
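
After refreshing, the check that matters is the full fingerprint and the revocation flag, not the short key ID. The following added example (not Phusion's code) parses `gpg --with-colons --fingerprint` output; the function names are hypothetical and the sample listing is constructed, with only the published fingerprint and long key ID taken from this post.

```shell
#!/bin/sh
PUBLISHED='218A 7255 83D0 2ECE F3A9 C2A7 CD70 085E 8C59 158F'  # from the post

# Constructed colon-format listing. Only the published fingerprint and long
# key ID come from the post; every other field, the revoked placeholder key
# and the look-alike key sharing the short ID are made up.
SAMPLE_LISTING='pub:r:1024:17:0000000011111111:1230768000:::-:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0000000011111111:
pub:-:4096:1:CD70085E8C59158F:1395705600:::-:::sc:
fpr:::::::::218A725583D02ECEF3A9C2A7CD70085E8C59158F:
sub:-:4096:1:2222222233333333:1395705600::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222233333333:
pub:-:2048:1:FFFFFFFF8C59158F:1395705600:::-:::sc:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCFFFFFFFF8C59158F:'

normalize_fpr() {   # drop spaces, upper-case the hex digits
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# stdin: colon listing. $1: full fingerprint.
# Prints present, revoked or missing for the primary key with that fingerprint.
key_status() {
    awk -F: -v want="$(normalize_fpr "$1")" '
        $1 == "pub" { validity = $2; primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary {
            primary = 0
            if (toupper($10) == want) {
                found = 1
                if (validity == "r") print "revoked"; else print "present"
            }
        }
        END { if (!found) print "missing" }'
}

# stdin: colon listing. $1: 8-digit short key ID.
# Prints how many primary keys end in that ID.
short_id_matches() {
    awk -F: -v id="$1" '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary {
            primary = 0
            if (substr($10, length($10) - 7) == id) n++
        }
        END { print n + 0 }'
}

echo "published key: $(printf '%s\n' "$SAMPLE_LISTING" | key_status "$PUBLISHED")"
echo "keys matching short ID 8C59158F: $(printf '%s\n' "$SAMPLE_LISTING" | short_id_matches 8C59158F)"
```

Against a real keyring, pipe `gpg --with-colons --fingerprint` into `key_status` in place of the sample listing.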

No effect on the signatures of our file releases

Please note that Phusion’s software releases and Ruby gems are not signed with our personal keys. Instead, they’re signed with the Phusion Software Signing key, which is still considered strong enough.

Our git commits, though, are often signed with our personal keys.

If you’re using Phusion Passenger, we strongly recommend that you cryptographically verify every release. The Phusion Passenger documentation contains comprehensive instructions that explain how you can verify our tarballs, Ruby gems, Git commits and more.

Onward and upwards!

With kind regards,
Hongli Lai
Ninh Bui

Phusion Passenger 4.0.40 released, Nginx 1.4.7 with buffer overflow fix

By Hongli Lai on March 19th, 2014

Phusion Passenger 4.0.40 has been released. The only change in this version is that the preferred Nginx version has been bumped to 1.4.7, because of a buffer overflow vulnerability in Nginx (CVE-2014-0133). Nginx users are strongly encouraged to upgrade.

Phusion Passenger 4.0.39 released

By Hongli Lai on March 18th, 2014


Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc are already using it, as well as over 350.000 websites.

Phusion Passenger is under constant maintenance and development. Version 4.0.39 is a bugfix release.

Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.

Recent changes

  • Fixed a crash that could happen if the client disconnects while a chunked response is being sent. Fixes issue #1062.
  • In Phusion Passenger Standalone, it is now possible to customize the Nginx configuration file on Heroku. It is now also possible to permanently apply changes to the Nginx configuration file, surviving upgrades. Please refer to the "Advanced configuration" section of the Phusion Passenger Standalone manual for more information.
  • The programming language selection menu in passenger-install-apache2-module and passenger-install-nginx-module only works on terminals that support UTF-8 and that have a UTF-8 capable font. To cater to users who cannot meet these requirements (e.g. PuTTY users using any of the default Windows fonts), it is now possible to switch the menu to a plain text mode by pressing ‘!’. Fixes issue #1066.
  • Fixed printing UTF-8 characters in log files in Phusion Passenger Standalone.
  • It is now possible to dump live backtraces of Python apps through the ‘SIGABRT’ signal.
  • Fixed closing of file descriptors on OS X 10.9.
  • Fixed compilation of native_support on Rubinius.

Installing or upgrading to 4.0.39

OS X | Debian | Ubuntu | Heroku | Ruby gem | Tarball

Final

Phusion Passenger’s core is open source. Please fork or watch us on Github. :)

Phusion Passenger 4.0.38 released

By Hongli Lai on March 10th, 2014


Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc are already using it, as well as over 350.000 websites.

Phusion Passenger is under constant maintenance and development. Version 4.0.38 is a bugfix release.

Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.

Recent changes

  • Fixed a symlink-related security vulnerability.

    Urgency: low
    Scope: local exploit
    Summary: writing files to arbitrary directory by hijacking temp directories
    Affected versions: 4.0.37
    Fixed versions: 4.0.38
    CVE-2014-1832

    Description: This issue is related to CVE-2014-1831 (the security issue mentioned in the 4.0.37 release notes). The previous fix was incomplete and still left a small (albeit smaller) attack time window between two filesystem checks. This attack window is now gone.

  • Added support for the new Ruby 2.1.0 out-of-band garbage collector. This can greatly improve garbage collection performance, and drastically reduce request times.
  • Passenger Standalone is now compatible with IPv6.
  • Fixed some compilation problems on Solaris. See issue #1047.
  • passenger-install-apache2-module and passenger-install-nginx-module now automatically run in `--auto` mode if stdin is not a TTY. Fixes issue #1030.
  • Fixed an issue with non-bundled Meteor apps not correctly running in production mode.
  • The `PassengerPreStart` option is now compatible with IPv6 server sockets.
  • When running Python WSGI apps, `wsgi.run_once` is now set to False. This should improve the performance of certain apps and frameworks.
  • When handling HTTP requests with chunked transfer encoding, the ‘Transfer-Encoding’ header is no longer passed to the application. This is because the web server already buffers and dechunks the request body.
  • Fixed a possible hang in Phusion Passenger for Nginx when Nginx is instructed to reload or reopen log files. Thanks to Feng Gu, pull request #97.
  • The preferred Nginx version has been upgraded to 1.4.6.
  • Fixed a problem with running passenger-install-apache2-module and passenger-install-nginx-module on JRuby. They were not able to accept any terminal input after displaying the programming language menu.

Installing or upgrading to 4.0.38

OS X | Debian | Ubuntu | Heroku | Ruby gem | Tarball

Final

Phusion Passenger’s core is open source. Please fork or watch us on Github. :)

Farewell, Jim.

By Ninh Bui on February 20th, 2014

Today, the sad news has reached us that Jim Weirich has passed away. We’re incredibly sad about this
as Jim was one of the nicest people we’ve got to know in the Ruby/Rails community when we first started Phusion.
In keeping his memory alive, I’d like to reflect on a particular anecdote that made Jim especially awesome to us
and most likely to you as well. I’m sure many of you who were fortunate enough to get to know him can relate to his
kindness.

Back in 2008 when Hongli, Tinco and I set out to go to RailsConf to give our very first talk abroad, we
met Jim in the lobby of the conference space. We had just attended a talk of his where he had gone through
a myriad of valuable do’s and don’ts one should be aware of when giving a talk. These tips proved to be
incredibly valuable to us in years to come, and we hope Jim knows how grateful we are for this.

Our talk was scheduled to be held the day after, and seeing Jim’s do’s and don’ts, we were suddenly confronted
with how many embarrassing “don’ts” we had in our slides. As Jim told the audience that it’s generally a good idea to avoid
cliches such as having bulletpoint hell, stock images of “the world” and “business people shaking hands”, we felt
more and more uncomfortable. Not only did we have a lot of bulletpoints, we even had an image of “business people
shaking hands”… in front of “the world”. We basically tripped over every possible cliche in the book!

But hey, we still had 24 hours, surely we’d be able to fix this right? Luckily, Jim had the demeanor of a big
kind cuddly bear, so we felt compelled to walk up to him after his talk to ask for some help with our slides.
Instead of brushing us off, Jim graciously sat down with us for about 2 hours in pointing out the things that
could use improvement in the delivery of our talk. And understandably laughed out loud at our slide with the business people
shaking hands in front of the world. ;)

The next day, after giving our talk, we had people walking up to us saying that we killed it. In reality, it was
Jim’s tips and kindness in sharing these tips that “killed it”.

We will miss you buddy.

Your friends,
Tinco, Hongli and Ninh.