Without orientation, deployments of Python applications can be tiresome and even painful. This talk attempts to replace anxiety and pain through informed annoyance.
- Borat’s tweet
- Me on Twitter, GitHub and App.net.
- My generous employer Variomedia AG. Get your domains there if you speak German.
- The concept of “Simple != Easy” is excellently elaborated by Rich Hickey – the inventor of Clojure – in this InfoQ-Talk. He did a shorter version at RailsConf 2012.
- The origin of Dijkstra’s quote is EWD 498.
- If you don’t know about Vagrant, you have to look into it now. PyCharm even has direct support for this style of development.
If you’re on a Mac, you need dash. It’s all your APIs just a key press away.
You press your global hotkey and start typing. Dash searches your docsets and presents you the results:
- The mentioned requests “bug” on GitHub.
- If you don’t want to build yourself, others have already.
- Red Hat even officially unveiled a collection of up-to-date software for RHEL 6. Including Python 2.7 and 3.3.
- If you can’t install anything on your servers but don’t want to change your job, you may want to look into PyRun.
- The solution to corporate bullshit.
Before you start, add
[install] download-cache = ~/.pip/download_cache
~/.pip/pip.conf so each version gets downloaded only once. Alternatively use the
--download/--find-links combo. Since PyPI moved to a CDN, do not use the pip option
--use-mirrors/-M anymore, it’s slower.
- Your tools of trade: virtualenv, virtualenvwrapper and pip.
- I used
activateto keep my slides short, but don’t use it yourself. Just use direct paths to the Python tools inside of the virtualenv directory.
- Do run a private PyPI mirror. For example devpi. Don’t make the success of your deployments dependent on a third party.
- py.test is my favorite testing tool.
- Vincent goes into further detail, why you should pin you packages hard.
- He also wrote pip-tools to keep your virtualenv up-to-date. Recently, pip gained the
list -ooption that serves a similar purpose.
- Semantic Versioning, or SemVer is a set of promises how version numbers affect compatibility. It’s well-intentioned but nothing to rely on.
- Mozilla Services doesn’t like virtualenvs, but they still don’t use packages by their distribution, pin their dependencies and have only one Python app per server.
- My blog post on Python deployments with native packages.
- Fabric & git are awesome. But IMHO not for deployments.
- FPM makes building native packages a non-issue.
- Afterwards, use YUI Compressor to make it smaller and add cache busting tags to load it only once.
- parcel tries to come up with a generic solution based on my blog article.
- Dan Bravender disagrees politely with me.
- Some people swear by buildout – it seems like a valid alternative for building virtualenvs before packaging them. The usage in-place on production servers suffers from the usual shortcomings of too many moving parts.
- YADT is also an ambitious approach to deployments.
Pick your poison, they’re all complex and painful. You’ll have to plan ahead. And then realize you planned wrong and refactor.
- Ansible, Python-based, gaining a lot of traction lately.
- BCFG2, Python-based but XML-infested.
- Chef, config reeks of Ruby. Kate Heddleston did a talk about it in the PyCon US slot right after mine.
- Puppet, config reeks of Ruby.
- Salt, Python-based.
- Juju, Ubuntu-specific.
The current big players with broadest user base seem to be Chef and Puppet. Prepare for Ruby-smelling DSLs though.
- A 0day is something that can hit you any day. Be prepared.
- The PSF MoinMoin attack.
- authbind allows user processes to bind to privileged ports.
- There’s a plethora of worker APIs, many are light weighted. Put your privileged code into small single-purpose chunks of code: celery, RQ, zerorpc, AMP, Perspective Broker.
- Make sure your SSL is configured adequately.
- UFW makes iptables configuration more approachable. See CVE-2013-1899 why you want to be very strict about the accessibility of your ports.
- UNIX file sockets with restrictive permissions are your friends. And you can stop coming up with port numbers.
- Be as strict as possible with database permissions.
- Use fail2ban to block out brute forcers. You’ll be surprised how many that are.
screen is for suckers
- Obviously, use tmux. But not for your server processes.
- We run Ubuntu and thus Upstart serves us well. RHEL 6 and its clones ship it too. If you’re on Fedora for some weird reason, you should look into systemd which will also be part of RHEL 7.
- supervisord is a pure Python solution that works mostly fine. Useful in heterogenous environments.
- Mozilla’s/Tarek’s Circus is a new take on process management with additional features like socket sharing.
- A comprehensive comparison of various process/daemon managers. They even mention screen/tmux!
- Log to stderr, let your WSGI container/twistd take care of sending it to syslog with your program name, filter using syslog, rotate using logrotate. Consider centralized logging. I wrote more about it on my blog.
You May Not Need an Attack Helicopter
- nginx will probably solve all your web server needs. And:
- gunicorn or uwsgi give you great lightweight WSGI serving.
- If you go for gunicorn, you may want to look into Unicorn Herder too.
- nginx has some ghetto load balancing built in. But if you’re serious about load balancing, you’ll want to look into HAProxy.
- uwsgi is what we use and it Emperor Mode is awesome. It allows app reloading without losing requests.
If you want to use Apache for good reasons, Graham did a great talk on the topic.
- There is a whole meme about monitoring’s sucking. Suck it up.
- Pingdom is your hosted entry-drug into monitoring. It’s also great later on to monitor the reachability of your network.
- nagios is the open source goto-solutions of monitoring. It is flexible and pretty terrible to configure. You will need something that runs in your network though on the long run to monitor your private services.
- Icinga is a shiny fork of nagios, the differences are summed up in this video.
- Riemann is a monitoring solution that’s also intended to collect metrics.
- etsy’s measuring manifesto and a talk by their “Director of engineering, Infrastructure” Mike Brittain.
- Coda Hale on “Metrics, Metrics, Everywhere”.
Easier to set up, but pricey on the long run if you collect a lot of metrics – which you should.
- Librato Metrics are a hosted and easy to use and their graphs look delightful.
- StatHat is similar but not as shiny.
- We like to collect server stats with collectd and put them into Graphite.
- scales makes it easy to add metrics to any Python app. Later you can introspect them using a web interface or forward them to Graphite.
- etsy’s statsd can be used to aggregate your stats before sending them to Graphite.
- tasseo helps you to create dashboards with Graphite.
- I have written a simple shell script to package Graphite using fpm.
- If you wrangle clusters and grids, you should look into Ganglia.
- A lot of the talk is based on two of my blog posts: the aforementioned one on native packages and a second one on Python Deployment Anti-Patterns which made it even to Hacker Monthly. Yeah, I’m proud.
- I really like the book Release It by Michael T. Nygard which talks about solid systems in general.
- Jacob Kaplan-Moss who brought us Django and an accomplished gentleman of awesomeness in general did a Django deployment workshop on PyCon 2010 which is full of valuable information.
- He also did a comprehensive talk called “How I Learned To Stop Worrying and Love Deployment” at Django LA. It is similar to mine in some parts and can be found on YouTube in 6 parts: 1, 2, 3, 4, 5 and 6.
- Prolific as he is, he also did an excellent introductionary talk on web security at PyCon AU 2013 called “Building secure web apps: Python vs the OWASP Top 10”. I sort of disagree in only one point: I don’t think it’s ಠ_ಠ-worthy that there’s nothing like flask-sslify for Pyramid: that kind of logic belongs into the frontend proxy and Pyramid just tends to force one to follow best practices.
- Another esteemed gentleman of great wisdom is Glyph Lefkowitz of Twisted fame and he did a DjangoCon US keynote in 2011 which disagrees with some of my points but offers a really interesting perspective.
- A lot of things I say go along with The Twelve-Factor App.
- The fonts are Edmondsans, Mission Script and Source Code Pro. The EuroPython slides use a different, super secret font. ;)
- Many of the colors are from the Giant Goldfish palette.
- Icons are from Symbolicons.
- The awesome Apache is by zcool. The source is this rather shady page.
- The Challenger photos are by NASA and thus public domain.