Test, does that work? Great. Can you guys hear me, too? All right. So I was told to give the AV guys a thumbs up, and apparently I did that, and I was the first guy that managed to do that today, so I'm really happy about that. Unfortunately, this is the second-last talk for today, so do enjoy it, and welcome Lee With me, who is a software engineer and open source enthusiast, and I think he certainly won the prize for the most comprehensive bio there. But he's going to talk about Python as a service, or platform as a service in Python. So please welcome Lee.

So hi, I'm Lee. I do not work for Mozilla. I'll just start with that, because you'll see why later. But I've been in Python for a few years now, and I've been doing Django websites in my own time for various people as well as myself, and I sort of was looking at what I could do and how I would host them, because, like everybody, I probably started with, well, like a lot of people, I started with that mod_python. Do not use today.

So I'll just go over what I'm going to be talking about today. So I'm going to talk about what is a platform as a service, my approach, and a few alternatives that are out there, and what I think might be important in the future. So what is platform as a service?
Initialized as PaaS, it's where you're provided a runtime environment and you operate within that environment only. This is different from, say, what you might call cloud computing, which is often referred to as infrastructure as a service, where you get a virtual machine and then you can set up your own runtime environment within that. Almost all of the, particularly commercial, ones are built on infrastructure as a service, because it gives them a great way to scale out. And it really is about providing the facilities that are needed by your app and not having to worry about managing the operating system or the database server or something like that. And as this diagram nicely points out, it's very much used as a way of delivering software as a service applications, just because it allows the people focusing on selling that not to have to worry about the levels below. So you concentrate on the bit that you do well.

So in a Python context, what does this look like? Well, most of the time it is a WSGI service. It's WSGI, the web service gateway interface. In some environments, you're really just given an HTTP socket that you connect to, and then you run your own WSGI server on that, mainly because there's kind of a few different ones out there. So the most common WSGI interface is mod_wsgi and Apache. Who runs that? Few people. All right, who runs Gunicorn? People. Who runs uWSGI? Slightly more interesting. Who runs something that's really unusual and not one of those?
Okay, me.

The service also tends to provide a variety of services that are just injected straight in, that are available straight away without configuration, and generally they're injected through some sort of configuration or environment variables or something like that, and databases is the key one among those. So you don't have to go set up database access and things like that; generally it's just provided. You can also get other services like caching services, caching servers, mail server, mail relay, etc. And almost always they're inside some sort of virtual environment, a virtualenv, and that allows multiple customers on the same platform. Often there's some sort of containerization or some sort of isolation. So you're not fixed to the libraries that are provided; you can choose your own.

Yeah, so my approach, and don't worry, I'll come back to the slide, is to bring together a few open source pieces and put them together. So I use nginx as the sort of front-end web server, and that just does static media and then proxies on to circusd, which provides process management and socket management, and Chaussette, that's my WSGI server. Git version control, Fabric and Cuisine, and django-environ for retrieving the configuration.

So I use it to host a variety of sites: of course my own, Rec file check, which I'll be talking about in the lightning talks tomorrow, a not exactly secret project, a failed start-up, a civic hackathon website, a GovHack project from this year. And all on one virtual machine with one gig of RAM and one CPU for less than 30 dollars a month. So by using your resources efficiently you can get a lot into a single small virtual machine, and that's one of the advantages of doing it this way. There's only a single web server and it's relatively lightweight. It's not quite as complicated as, sorry, not quite as heavyweight as Apache's mod_wsgi daemon workers. And there's lots of optimizations
I could make, which I haven't done yet.

So just going back to the approach, I'm now going to go quickly through some of these and talk about how they fit together. So most of the sites, well, all the sites I host are Django web applications, so they have a separation of static files and media. Media is files that get uploaded by the user, and static are provided by the application itself. Since they're not changing once they're uploaded, they're provided out through nginx. That means there's no overhead of Python being involved in delivering those files. And nginx, everything else that's not one of those two directories is just forwarded on to a socket on circusd. So it has this sort of architecture for how they are connected together.

And Circus manages sockets and workers, what it calls, no, the word's gone, sorry. So Circus basically means you define some open sockets and it listens on them, and it will pass the socket on to a web worker when a connection is made on it. And then it monitors the workers, and you can say increase the number of workers and it will spin up another one, and if one crashes it'll restart it. And so it does sort of that process monitor management like supervisord.

For the web workers I use Chaussette. Sorry, one step back: Circus and Chaussette are both projects of Mozilla. I believe they use it for some of their own services that they've developed. Chaussette, which apparently is French for sock, which makes sense with sockets. It's designed for basically running WSGI apps. It doesn't need to be Django; it can be Bottle or whatever. And it specifically is designed to pick up the sockets that are provided by Circus and run a very simple HTTP server on it that then sends the request on to the WSGI app that it's running. So it's a very, very small footprint for that particular server.
It's very, very simple. It has some neat options, which I haven't used, around using different back-ends, so it supports things like Waitress and some of the other ones which I can't remember off the top of my head, haha.

But I'll just quickly run over the Circus config. It sort of sounds a bit odd at this stage, but hopefully this makes it a little bit more concrete. So the first thing we've done here is define a socket for BD web. So it's listening on localhost, there's no point talking to the internet, on a particular port, 8080 in this case. And watcher, that's the name I was looking for. We've also defined a watcher, and this is one of the processes that Circus will manage, and if it crashes it'll be restarted, and you can also change the number of processes.

So you can see here I'm running a virtualenv called env. Come on, mouse. Ah. So we run Chaussette out of the virtualenv that we're running on, we pass in the file descriptor for that socket, and so it's listening on that, and then it runs my WSGI application. So a very simple setup for that server. use_sockets basically says replace this with the actual socket ID that's used, because you can also set up a watcher that's just watching an application that's not passing any sockets to it. So you could run your Redis under that, and if it crashes, it'll be restarted, or your Celery workers or whatever.

We define the number of processes. So this is set to one, because not many people look at my website, unfortunately. But this is where it initiates the number it'll start to. You can then use commands like circusctl incr BD web and it will start another one.
So it'll be two.

We define the user to run as, and this is one of the key parts of my setup: each application I host I have on its own user, and this provides some isolation between the different applications, and if one's compromised, hopefully it limits the scope of any problems. And I also separate the user that runs the application from the user that owns the code and deploys it. And we also provide an environment variable for the Python path, which just happens to point to the directory, and it just makes all the includes and imports a bit easier.

Yeah, so, deployment. I keep my code in Git. And the deployment user that I mentioned, I generate an SSH key for it without a password. Yeah, it doesn't have a passphrase, so that when I do my scripting of the deployment it can use that SSH key to retrieve the code from Git. And the way that I automate that deployment is I use Fabric and Cuisine. So Fabric is a fairly low-level "run shell commands on a remote system". It uses the Paramiko SSH library internally. It's written in Python, the actual script is in Python, and you should be able to see that on the next slide when I give you an example. Cuisine is a plugin that extends that, and it provides much higher-level interfaces. So it handles things like write this file, read this file, add a user, install this package, install this Python package into the system Python. And so ultimately, for me, when I go to deploy my big digital website, I just type this command here. Very, very simple, just one time to enter. It goes, fetches it; this is the update command, it updates from Git and runs a few more commands just to set up all the environment.
So here's my Fabric script, or some facsimile of it. So we define a task, and those are the tasks that are on the command line, and we define the set of hosts that it runs on. Fabric provides this, and it has a variety of ways of doing this, including setting up things like server roles, sets of hosts and things like that. So there's quite a variety of ways of defining which host it is; you can also define it on the command line. And then my Python method that it actually calls, and in this case, you know, the update: cd changes into a directory, runs git pull, writes the .env, which I'll come back to in a bit, and runs the post-upgrade steps at the bottom.

Now the function at the bottom, which basically just runs a whole lot of stuff: checks if a file exists, run, run, run, run. So it runs all the manage check, manage migrate, manage collectstatic. And then at the end it does a circus reload BD web, and it does this in a really neat way. So if I have, say, two runners, or two processes, set up in Circus for my BD web, it will start a new one, terminate the oldest one, start up another new one and then terminate the next oldest one. So without interruption, and keeping at least two running at any one time,
it will basically provide continuous service. So zero-downtime updates, if the update actually works in that way and the old version works when the migrations have been applied. Little trick to learn to... yeah. Yeah, let's not do that.

This is sort of the deployment side, so you can see we've got a few more different commands that are coming out of Cuisine. dir_ensure makes sure a directory exists, and you can provide an owner. You can see that it sets up a set of media owned by different users, so the run user has to own media because it has to write into it. Okay. We do our git clone to actually download the code, then we run the same post-update steps, and we write the configuration, and more configuration, more configuration, keeps going and going, and eventually reloads everything and it starts running. So Fabric is a really neat way of remotely executing commands, and Cuisine makes it a lot easier to define at a high level, you know, create this user, create this directory, write this file.

So the last of sort of the key components in my environment is django-environ. So this isn't actually specific to Django, despite its name. But the key thing is: do not store secret key or DB passwords or AWS keys in your settings file that you then commit to public SVN or Git or anything like that. That's a really bad idea. You will have a bad day, one, eventually. So django-environ allows us to separate those key settings, and I find it quite useful for separating out, when we run on say different hosts, that the host-specific settings go into, and either come from the environment or from a particular file that we write, the .env file that I mentioned before. And it has a whole lot of path details as well.
So, reading from... So, okay, quick question: who here has read the 12-factor apps manifesto? Few people. Okay, for those that don't know, there is this thing called the 12-factor app, and it's basically a set of suggestions for how to deploy scalable web applications, I think originally coming out of the Ruby community, I think. So we might be able to correct me on that. But basically it suggests that all the changeable configuration should come in environment variables, and Heroku is a good example where that actually happens, so your database configuration is provided to your app through an environment variable. Particularly when I was first setting this up, I was writing commands on the remote command line by hand. Having to remember to put in environment variables, kind of hard. So being able to read it from file is really, really handy.

So this is what the top of my settings.py file looks like in a lot of my Django applications. So we import environ, and root here is set up as the root directory of the project that I'm deploying. So the file, it's two up from where that file is: one up would be the directory that the settings.py file is in, and then the one above that, which is where hopefully my manage.py script is, for example. And env is set up to read the environment variables, and we also set up a casting and default value for debug, default to off for debug. And then we read the rest of the settings from file. And so you can see how, further down, DEBUG we just load up from env; because there's a default set, it'll always work. But SECRET_KEY here,
I haven't set, there's no default set there or anything, so if it's not provided either from the environment or from file, it'll actually throw an ImproperlyConfigured exception, which is very handy, particularly for secret key, because you want that to be, you know, there, and you also don't want it to be committed in code.

django-environ also has a few other useful helpers. Django DB, sorry, is one of those, which by default looks for an environment variable or a variable from your file called DATABASE_URL, and it parses the URL into the dictionary of settings that are required by Django. And I've set the default here so that in development I don't have to set it to something useful, so it just defaults to an SQLite database in the root of my checkout, which makes it very handy. So you can also see how you could use root plus, say, templates in your template directories, or root dot static const, or static, or whatever you want to call it in your static directories. And env can be used for anything; by default it gives you back a string, but you can get bools, floats, integers, a few others. There's also a couple of other helpers; I think there's cache, that's one of the newer ones that are in there. And that's very much based on dj-database-url, I think the package was called, and there's a variety of other ones that are very similar. So they sort of brought them all together in one place, which I think is a really, really neat tool.

So here's an example of a .env file. So debug to false. Yeah, debug to false. And no, that definitely is not my secret key, but you can sort of see how the database URL is set there, passing through the database user, the password, the host name and the schema. And it supports a bunch of things including the GeoDjango databases and everything like that. You don't have to have a .env file.
You could set them as environment variables; say you could do that in your Circus config. So I set the Python path there because I really needed to. But you could do that, but Heroku passes it through environment variables. So it actually provides quite a lot of flexibility using django-environ.

So one last look at the approach. Yes. So it's not sort of a single thing that I have; it's sort of a collection of tools that work very, very well together.

So some alternatives. Yeah, I mentioned Heroku a couple of times. Google App Engine, Gondor, OpenShift, they're all sort of ones you can go out and buy hosting with. A couple you can run yourself. Honcho is written in Python, and it is basically, how to describe it, a Python re-implementation of a Ruby tool called Foreman, and Foreman is pretty much what Heroku provides. So roundabout. But I think it's kind of neat in one sense, that you can run in pretty much the same environment that you deploy in, in your testing, all your development. Whereas I tend to run slightly different environments, but I have an explicit testing environment, separate. And there are a couple of other sort of platforms as a service out there. OpenShift is in both columns because I believe you can get it hosted from Red Hat, but it's open source, so you can run it yourself. Cloud Foundry is another one that's open source. I'm sure there's others. Does anybody want to yell out a suggestion?
No, I think it's most of them.

So very quickly, the future. Can't mention the future without mentioning Docker or containerization, which is similar sort of things, but basically stronger separation, but not complete separation, but better control of the environment. Hmm. Maybe one day I'll do that, but it wasn't really around when I set up my environment. And systemd provides a lot of this sort of process control and socket activation like Circus does. So I haven't yet had a chance to have a decent look at it, but it may well have the sort of pieces of the puzzle that would mean that we wouldn't need Circus. Probably still need Chaussette, because we need something that actually translates HTTP into something sensible, and you probably still need... you know what, maybe not. And it still wasn't around when I set this up. So there's some links, and are there any questions?

Gonna run around with the microphone. Yes, I will. So, is it on? I hope so. I can't hear myself up here. That's really bad. So first of all, let's thank Lee for his talk, please, and then if there are any questions, we have about five minutes.

Am I going to build a Docker container for my setup? Not in the near future, because I haven't managed to get it running yet, Docker that is. I'm much too busy in my day job. Any other questions?

I was just curious if you tried reducing the size of the VM you're using, and at what stage it might just not work for you. So I was sort of wondering just how far you could go.

Yeah, so part of the limitation is just how many apps I'm running and how they use that memory. That GovHack one actually was crashing out, out of memory, when somebody did the wrong thing quite often. It's not actually running just at this very second, but normally it would run okay.
I have been down as low as about 300 meg, and honestly, the hosting I provide is the great people but still not that much cheaper. So it very much just depends on how much memory your process ends up using. Circus is very small. Chaussette is extremely small, a couple hundred K at most.

Sorry, I just thought I should say this as well, as you were talking about alternative providers: NZ parks website is sponsored by gondor.io, which is, they provide the hosting kindly, and they provide a similar issue of is to Heroku.

They do. Someone up there mentioned Git tags. Yes, I probably should be using that, but it's just me that pushes, so I just run off master head.

I'm just wondering how you would manage your environment files. Would you keep them in a separate Git repo, and how do you handle the difference between the environments if you have, they have this production, how do you do that?

That's a good question, and something that on occasion I struggle with. So there's been a variety of different ways that I've done it. Sometimes the top of my Fabric file has the passwords and stuff defined in it, which is committed into a separate Git repository. Not the greatest solution. The most common one is that I don't actually rewrite it every time I do an update.
I only write it on the first one, and I transiently create passwords and set up the database, set up the hosting, set up everything, and it's just written into the .env file, and that's the only place it exists once that script is finished, and that works okay as well. And eventually, you don't want to put it in a database that I can secure somewhere off site. So ultimately, it's one of those things that just about every tool struggles with. I know that people starting out with, say, Puppet or something like that often end up hard-coding passwords in it, because it's the easiest way to do it when they're just learning, and yeah, it becomes tricky, and you learn as you move forward. So it's probably the one weakness about the way that I have my Fabric script set up.

We've got time for about one more question, and if there are no questions, please think