Django deployment and rpm+yum

Post on 10-May-2015

Django deployment and RPM+YUM
by Walter Liu

Agenda

● Apache, WSGI, Django
● Django deployment/security note
● Using RPM and YUM

Apache+WSGI+Django

Why use Apache?

runserver is not stable

WSGI

Web Server Gateway Interface

Apache, WSGI, Django

Apache contains multiple WSGI

Example WSGI parameters

TraceEnable Off

WSGIScriptAlias / /var/www/html/axx_service/wsgi.py
WSGIPythonPath /var/www/html/axx_service/

WSGISocketPrefix /var/run/wsgi
WSGIProcessGroup axxais
WSGIDaemonProcess axxais processes=4 threads=16 maximum-requests=4096 display-name=%{GROUP}

# no embedded mode for WSGI. for smaller memory and log message.
WSGIRestrictEmbedded on

<Directory "/var/www/html/axx_service/">
    <Files wsgi.py>
        Order deny,allow
        Allow from all
    </Files>
</Directory>

Questions?

Django deployment note

● DEBUG = False
● TEMPLATE_DEBUG = False
● 404 template
● 500 template
● Host static files
● Error alert e-mail (ADMINS, MANAGERS)
● Logging settings

Deployment note

Apache+wsgi: Host static files

Alias /robots.txt /usr/local/wsgi/static/robots.txt
Alias /favicon.ico /usr/local/wsgi/static/favicon.ico

AliasMatch /([^/]*\.css) /usr/local/wsgi/static/styles/$1

Alias /media/ /usr/local/wsgi/static/media/

<Directory /usr/local/wsgi/static>
    Order deny,allow
    Allow from all
</Directory>

WSGIScriptAlias / /usr/local/wsgi/scripts/myapp.wsgi

<Directory /usr/local/wsgi/scripts>
    Order allow,deny
    Allow from all
</Directory>

Django Security note

● SQL Injection protection (ORM)
● XSS protection
● CSRF protection (middleware)
● Clickjacking protection (middleware, default off)
● Possible weak points
    ○ Weak admin password
    ○ DEBUG = True
    ○ Secret Key
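
The deployment and security notes above, turned into a settings audit; this is an added example, not code from the slides. The setting names and middleware paths are Django's own; the function name `audit_settings`, the two thresholds and the sample values are assumptions.

```python
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
CLICKJACKING_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"
MIN_KEY_LENGTH = 50   # assumed threshold for this example
MIN_KEY_UNIQUE = 5    # assumed minimum number of distinct characters


def audit_settings(settings):
    """Return a list of findings for a dict of Django settings."""
    findings = []
    # DEBUG and TEMPLATE_DEBUG expose error details to visitors.
    for name in ("DEBUG", "TEMPLATE_DEBUG"):
        if settings.get(name, False):
            findings.append(name + " is enabled")
    # Django 1.x reads MIDDLEWARE_CLASSES; later versions read MIDDLEWARE.
    middleware = list(settings.get("MIDDLEWARE")
                      or settings.get("MIDDLEWARE_CLASSES") or ())
    for path, label in ((CSRF_MW, "CSRF"), (CLICKJACKING_MW, "clickjacking")):
        if path not in middleware:
            findings.append(label + " middleware is not enabled")
    # A short or repetitive key weakens sessions and signed tokens.
    key = settings.get("SECRET_KEY") or ""
    if len(key) < MIN_KEY_LENGTH or len(set(key)) < MIN_KEY_UNIQUE:
        findings.append("SECRET_KEY is missing, too short or repetitive")
    # Without ADMINS, the error alert e-mails have no recipient.
    if not settings.get("ADMINS"):
        findings.append("ADMINS is empty")
    return findings


# Constructed sample settings, not taken from any real project.
WEAK = {
    "DEBUG": True,
    "SECRET_KEY": "changeme",
    "MIDDLEWARE_CLASSES": [CSRF_MW],
}
HARDENED = {
    "DEBUG": False,
    "TEMPLATE_DEBUG": False,
    # Constructed 64-character placeholder; generate a random key in practice.
    "SECRET_KEY": "".join(chr(33 + (i * 7) % 90) for i in range(64)),
    "MIDDLEWARE_CLASSES": [CSRF_MW, CLICKJACKING_MW],
    "ADMINS": [("Ops", "ops@example.com")],
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_settings(cfg) or "no findings")
```

Django 1.8 and later also ship `manage.py check --deploy`, which runs comparable checks against a real project.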

Questions?

Using RPM and YUM

Deployment is?

● ssh to each host
● copy files
● remove files
● check file integrity
● [option] config file upgrade
● [option] POST: restart httpd
● [option] check service/security status
● [option] mock test
● .......

Using git?

● No file removal. (may lead to accidents)
● No other script action in update.
● Config files?
● Version report? (at least not easy to read.)
● Not for OPS
● No package dependency
● Not scalable for large deployment

Using RPM

● Ensure package version.
● Add/remove/update files.
● Pre/Post installation scripting.
● YUM for remote and repository

How to create RPM

● Prepare *.spec file
● Use rpmbuild to build rpm. (refer to AIS)

RPM SPEC File

rpmbuild script

YUM server and repo RPM

Now, set up a YUM server + repo RPM, and you may
● yum install pitlane
● yum install pitlane-worker
● yum update pitlane
● # rollback version
with
● Auto-dependency

What's left?

Concurrent command to hosts

omnitty vs. ssh-keygen

● omnitty
● ssh-key and scripting
● fabric + ssh-key

Omnitty

sshkey + scripting

Example: pitlane_web.py update
-> host_list = ......
-> for host in host_list:
->     os.system("ssh %s yum update pitlane" % host)

How

● generate ssh public key
● copy/cat to target host .ssh/authorized_keys

Fabric

Based on sshkey
Made for deployment.

Q&A