Keep Ops Happy: Designing For Production

KEEP OPS HAPPY! Designing for Production Collective Idea Jason Roelofs
@jasonroelofs

DOCUMENT ALL THE THINGS

Documentation What does it do? Three questions all documentation should
answer How do I get it running on my machine? What does it need?

DEPLOY EARLY DEPLOY OFTEN

CONFIGURATION

class RedisService HOST = "redis.host" USERNAME = "user" PASSWORD =
"Password1!" end Conﬁguration class RedisService USERNAME = "user" if Rails.env.production? HOST = "..." PASSWORD = “Password1!" elsif Rails.env.staging? HOST = "..." PASSWORD = "Password2!" else ... end end

Conﬁguration config = YAML.load_file( Rails.root.join("config", "redis.yml") )[Rails.env] config["host"] # 1.2.3.4
# config/redis.yml production: host: 1.2.3.4 username: user password: Password1!

ENV["REDIS_URL"] Figaro.env.redis_url Figaro https://github.com/laserlemon/ﬁgaro Conﬁguration # config/application.yml production: REDIS_HOST: 1.2.3.4
REDIS_HOST: username REDIS_HOST: Password!3

RAILS.ENV

def domain if Rails.env.development? "site.dev" elsif Rails.env.staging? "staging.site.com" elsif Rails.env.qa?
"qa.site.com" elsif Rails.env.production? "site.com" end end Rails.env def domain Figaro.env.site_domain # ENV[‘SITE_DOMAIN’] end

if %w(development test).include?(Rails.env) # Do some stuff in dev else
# Do something else in production end Rails.env I test my code in production!

THREAD SAFETY

Thread Safety Share Nothing!

before_filter :set_context def set_context if logged_in? Thread.current[:user_id] = current_user.id end
end Thread Safety: Thread.current around_filter :set_context def set_context if logged_in? Thread.current[:user_id] = current_user.id end yield Thread.current[:user_id] = nil end

Thread Safety: Thread.current before_filter :set_context def set_context # Always clear
at the beginning of a request Thread.current[:user_id] = nil if logged_in? Thread.current[:user_id] = current_user.id end end

SECURITY

Security: Attributes class User < ActiveRecord::Base attr_accessible :name, :login, :email
end class UserController < ActionController::Base def create @user = User.create(params[:user]) end end This approach considered deprecated.

Security: Attributes class UserController < ActionController::Base def create @user =
User.create(user_params) end def user_params params. require(:user). permit(:name, :login, :email) end end Strong Parameters https://github.com/rails/strong_parameters

Security: Passwords MD5, SHA, SHA256, SHA512 1 GPU* MD5 SHA
SHA256 SHA512 426 million / s 85 million / s 65 million / s 13 million / s GPU cluster MD5 SHA SHA256 SHA512 BILLIONS PER SECOND * http://www.insidepro.com/eng/egb.shtml

Security: Passwords USE BCRYPT! (or scrypt) Generating 100 hashes at
increasing costs: Rehearsal ------------------------------------------------------- Cost of 5 0.250000 0.000000 0.250000 ( 0.249723) Cost of 10 7.740000 0.010000 7.750000 ( 7.879849) Cost of 15 247.510000 0.460000 247.970000 (255.346897) -------------------------------------------- total: 255.970000sec user system total real Cost of 5 0.250000 0.000000 0.250000 ( 0.272549) Cost of 10 7.750000 0.030000 7.780000 ( 8.442511) Cost of 15 247.530000 0.480000 248.010000 (254.815985) http://yorickpeterse.com/articles/use-bcrypt-fool/

Security: Serialization Don’t! My ﬁrst rule of serialization: Only use
base types of the language

session[:current_car] = current_car Security: Serialization Coupling data with implementation class
Car < AR::Base end class Vehicle < AR::Base end Class gets renamed

class User < ActiveRecord::Base has_many :followers end Background.enqueue(DoStuffJob, @user) Overﬂowed
a MySQL text ﬁeld. Instead, send the minimum required information. Security: Serialization Background.enqueue(DoStuffJob, @user.id) Death by Eager Loading Recursion

Security: Other Situations Cross Site Scripting (XSS) IFrame Click Jacking
Cross-Site Request Forgery (CSRF) Path Traversal Attacks IP Spooﬁng Session / Cookie Hijacking Grey Hat Security Researchers

Security: Other Situations

# config.ru use Rack::Protection run RailsApplication Rack-Protection https://github.com/rkh/rack-protection Security: Other
Situations

Security: Automated Scripts Added a Harmony Security Page in light
of Rails issues. We’ve been DoS’d repeatedly since then.

Rack-Attack https://github.com/kickstarter/rack-attack Security: Automated Scripts Rack::Attack.throttle( "post-spam", :limit => 20,
:period => 60.seconds ) do |request| if request.post? && request.path =~ %r{^/comments} request.env["action_dispatch.remote_ip"] end end ActiveSupport::Notifications.subscribe("rack.attack") do |*args| Stats.increment("request.throttled") end config.middleware.insert_after( ActionDispatch::RemoteIp, Rack::Attack )

Security: Automated Scripts Now happily throttling over-eager scripts!

Security: Automated Scripts Honey Pots for fail-fast <input type='text' name='color_of_sky'
style='display: none; visiblity: hidden'/> if params[:color_of_sky].present? # out out damn bot! end

QUICK TIPS

Quick Tips: File Storage Use Amazon’s S3, Rackspace Cloud, etc
Don’t store content on the ﬁle system. It’s constantly getting cheaper and they scale very well.

Quick Tips: Scheduling Jobs Don’t schedule jobs between 1:00 am
and 3:00 am Cause these times either don’t exist, or happen twice! DST Starts 1:59:59 am 3:00:00 am DST Ends 1:59:59 am 1:00:00 am

Quick Tips: Billing Use Stripe, Braintree, Spreedly, etc Don’t write
your own billing engine! Money is by far the worst thing I’ve had to deal with.

SERVICES

•Pingdom - Uptime Monitoring •NewRelic - Performance Monitoring •Instrumental -
Stats Gathering and Graphing •Loggly - Centralized Logging Aggregation •Papertrail - Centralized Logging Aggregation Services

Services Dead Man’s Snitch rake some_daily_task && curl https://nosnch.in/abcd1234

Jason Roelofs collectiveidea.com jasonroelofs.com github.com/jasonroelofs @jasonroelofs

Keep Ops Happy: Designing For Production

Keep Ops Happy: Designing For Production

More Decks by Jason Roelofs

Other Decks in Programming

Featured

Transcript