Django deployment and RPM+YUM
by Walter Liu
Agenda
● Apache, WSGI, Django
● Django deployment/security note
● Using RPM and YUM
Apache+WSGI+Django
Why use Apache?
runserver is not stable
WSGI
Web Server Gateway Interface
Apache, WSGI, Django
Apache can contain multiple WSGI applications
Example WSGI parameters

TraceEnable Off

WSGIScriptAlias / /var/www/html/axx_service/wsgi.py
WSGIPythonPath /var/www/html/axx_service/

WSGISocketPrefix /var/run/wsgi
WSGIProcessGroup axxais
WSGIDaemonProcess axxais processes=4 threads=16 maximum-requests=4096 display-name=%{GROUP}

# no embedded mode for WSGI. for smaller memory and log message.
WSGIRestrictEmbedded on

<Directory "/var/www/html/axx_service/">
  <Files wsgi.py>
    Order deny,allow
    Allow from all
  </Files>
</Directory>
Questions?
Django deployment note
● DEBUG = False
● TEMPLATE_DEBUG = False
● 404 template
● 500 template
● Host static files
● Error alert e-mail (ADMINS, MANAGERS)
● Logging settings
Deployment note
Apache+wsgi: Host static files

Alias /robots.txt /usr/local/wsgi/static/robots.txt
Alias /favicon.ico /usr/local/wsgi/static/favicon.ico

AliasMatch /([^/]*\.css) /usr/local/wsgi/static/styles/$1

Alias /media/ /usr/local/wsgi/static/media/

<Directory /usr/local/wsgi/static>
  Order deny,allow
  Allow from all
</Directory>

WSGIScriptAlias / /usr/local/wsgi/scripts/myapp.wsgi

<Directory /usr/local/wsgi/scripts>
  Order allow,deny
  Allow from all
</Directory>
Django Security note
● SQL Injection protection (ORM)
● XSS protection
● CSRF protection (middleware)
● Clickjacking protection (middleware, default off)
● Possible weak points
  ○ Weak admin password
  ○ DEBUG = True
  ○ Secret Key
Questions?
Using RPM and YUM
What is deployment?
● ssh to each host
● copy files
● remove files
● check file integrity
● [optional] config file upgrade
● [optional] POST: restart httpd
● [optional] check service/security status
● [optional] mock test
● ...
Using git?
● Does not remove files. (may lead to accidents)
● No other script actions during update.
● Config files?
● Version report? (at least not easy to read.)
● Not for OPS
● No package dependency
● Not scalable for large deployment
Using RPM
● Ensure package version.
● Add/remove/update files.
● Pre/Post installation scripting.
● YUM for remote and repository
How to create RPM
● Prepare *.spec file
● Use rpmbuild to build the RPM. (refer to AIS)
RPM SPEC File
rpmbuild script
YUM server and repo RPM
Now, set up a YUM server + repo RPM, and you may
● yum install pitlane
● yum install pitlane-worker
● yum update pitlane
● # rollback version
with
● Auto-dependency
What's left?
Concurrent command to hosts
omnitty vs. ssh-keygen
● omnitty
● ssh-key and scripting
● fabric + ssh-key
Omnitty
sshkey + scripting
Example: pitlane_web.py update

    import os

    host_list = ......
    for host in host_list:
        # run the update on each host over ssh (key-based login)
        os.system("ssh %s yum update pitlane" % host)
How
● generate ssh public key
● copy/cat to target host .ssh/authorized_keys
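
A hardened variant of the sshkey + scripting loop above, as an added example (not code from the original slides): it passes an argument list to subprocess instead of building a shell string for os.system, and rejects malformed host names before anything is run. The function names, the ssh options and the yum -y flag are assumptions made for this example.

```python
import re
import subprocess

# Assumption: hosts are plain DNS names or IPv4 addresses.
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Remote command from the slide; "-y" is added here so yum never waits for input.
REMOTE_CMD = ["yum", "-y", "update", "pitlane"]


def build_ssh_command(host):
    """Return the ssh argv for one host; raise ValueError on a malformed name."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("refusing malformed host name: %r" % host)
    return [
        "ssh",
        "-o", "BatchMode=yes",      # key auth only: fail rather than prompt
        "-o", "ConnectTimeout=10",
        host,
    ] + REMOTE_CMD


def update_hosts(hosts, runner=subprocess.run):
    """Update each host in turn; return {host: exit code or error text}."""
    results = {}
    for host in hosts:
        try:
            argv = build_ssh_command(host)
            # List argv, no shell=True: the local shell never parses `host`.
            proc = runner(argv, capture_output=True, text=True, timeout=600)
            results[host] = proc.returncode
        except ValueError as exc:
            results[host] = str(exc)
        except subprocess.TimeoutExpired:
            results[host] = "timed out"
    return results


if __name__ == "__main__":
    # Dry run over constructed host names: print the commands, run nothing.
    for name in ["web1.example.internal", "web2.example.internal"]:
        print(" ".join(build_ssh_command(name)))
```

A non-zero exit code in the returned dictionary marks a host where ssh or yum failed, so the caller can report it instead of silently continuing as the os.system loop does.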
Fabric
Based on sshkey
Made for deployment.
Q&A