Containerless Django

Transcript

1. 1.

   DjangoCon US—San Diego Oct 2018 Deploying without Docker Containerless Django

   Peter Baumgartner
2. 2.

   Founder at Lincoln Loop—lincolnloop.com Former SysAdmin, DevOps for 8 years

   Author of High Performance Django About Me
3. 3.

   Docker is cool!

4. 4.

   @ipmb | #djangocon Docker is cool! The “pipeline” Security Isolation

   Dev/prod parity
5. 5.

   Just bundle the entire OS

6. 6.

   Some philosophy

7. 7.

   “ —Mike Perham
 https://www.mikeperham.com/2016/02/09/kill-your-dependencies/ No code runs faster than no

   code.
 No code has fewer bugs than no code.
 No code uses less memory than no code.
 No code is easier to understand than no code. “
8. 8.

   None
9. 9.

   @ipmb | #djangocon Docker Drawbacks Slow Extra abstractions More software,

   more problems
10. 10.

    None
11. 11.

    How did we get here?

12. 12.

    @ipmb | #djangocon Deployments sucked Dependencies would shift underneath you

    Build tools and dev packages needed to be installed Multiple languages, multiple builds (Python & Node)
13. 13.

    @ipmb | #djangocon The ideal deployment Download a binary Create

    a configuration file Run it
14. 14.

    @ipmb | #djangocon The ideal deployment /usr/local/bin/traefik \
 --configFile=/etc/traefik/traefik.toml /usr/local/bin/telegraf

    \
 --config=/etc/telegraf/telegraf.conf /usr/sbin/nginx -c /etc/nginx/nginx.conf
15. 15.

    @ipmb | #djangocon Python isn’t C or Go Requires a

    VM Dynamic linking Packaging isn’t straightforward
16. 16.

    None
17. 17.

    Can we do better?

18. 18.

    @ipmb | #djangocon We already are! Lock files via pipenv

    or poetry Pre-compiled wheels (Pillow, psycopg2-binary, etc.) Still lots of holes - Assembling virtualenvs - Static files - Production webserver
19. 19.

    @ipmb | #djangocon Prior art Private PyPI virtualenv-clone Platter dh-virtualenv

    Pex
20. 20.

    @ipmb | #djangocon ZIP applications? Part of Python since 2.6

    PEP-441 improves support in 3.5 Create a ZIP archive of your project. Run it with Python. …but no mechanism for handling dependencies
21. 21.

    None
22. 22.

    @ipmb | #djangocon Enter shiv! A project from LinkedIn Zipapps

    with dependencies A single artifact you can build → test → deploy ./myproject.pyz runserver
23. 23.

    Django as a zipapp

24. 24.

    Package your project with setup.py

25. 25.

    @ipmb | #djangocon Include templates & static files Create a

    MANIFEST.in
 
 graft your_project/collected_static
 graft your_project/templates
26. 26.

    @ipmb | #djangocon Production webserver gunicorn + whitenoise ⭐ https://pypi.org/project/django-pyuwsgi/

27. 27.

    @ipmb | #djangocon Build your zipapp

28. 28.

    @ipmb | #djangocon Run your zipapp ./yourproject.pyz pyuwsgi --http=:8000

29. 29.

    @ipmb | #djangocon Configuration Same zipapp, but different settings per

    environment Options: - Multiple settings files and DJANGO_SETTINGS_MODULE - Environment variables - ⭐ https://pypi.org/project/goodconf/
30. 30.

    @ipmb | #djangocon The zipapp pipeline Use CI (Travis, CircleCI,

    Bitbucket, etc.) to: - Build - Test - Push Deploy = Download and run
31. 31.

    None
32. 32.

    What about security?

33. 33.

    Systemd's got your back

34. 34.

    @ipmb | #djangocon Systemd is awesome ProtectSystem=strict
 ProtectHome=true DynamicUser=true CapabilityBoundingSet=~CAP_SYS_ADMIN

    AppArmorProfile=srv.yourproject.pyz ProtectKernelTunables=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 PrivateDevices=true
 PrivateTmp=true
 SystemCallArchitectures=native
35. 35.

    What about isolation?

36. 36.

    @ipmb | #djangocon Isolation You still need Python installed globally

    Easy to install multiple Pythons on one server Docker has better isolation, but do you need it?
37. 37.

    @ipmb | #djangocon What about parity? Zipapp is the same

    from CI to all deployed environments Use Docker to mimic deployment envionrment locally (or don't)
38. 38.

    @ipmb | #djangocon Pros Simpler. No Docker on the server.

    No registry.
 ~1M fewer lines of code to depend on. Smaller artifacts Faster deployments It's just Python
39. 39.

    @ipmb | #djangocon Cons Not as isolated as true containers

    Requires Python runtime on the server Python-specific Not cross-platform compatible (if you have packages with C extensions)
40. 40.

    @ipmb | #djangocon Sweet spot for zipapps You are deploying

    primarily Python services You have outgrown PaaS (Heroku, PythonAnywhere, Divio, etc.) You have fewer than 50 services to maintain
41. 41.

    None
42. 42.

    None
43. 43.

    Thanks! Peter Baumgartner pete@lincolnloop.com @ipmb