Application Deployment - State of the Onion

Noah Kantrowitz

Platform

  • Configuration
  • Database, App Code, Web Server
  • Orchestration

Application Code

  • How do we put code where we need it?
  • tar...
  • rsync...
  • git...
    • single source of truth
  • packages (apt, rpm, etc.)
    • build and install a package
    • omnibus: tool to build packages, no moving parts

Configuration

  • flat files
    • versioned
    • readable
    • inflexible
  • chef
    • ruby-based
    • declarative-ish
    • big ecosystem
  • SaltStack
    • YAML + Jinja
    • second wave
    • growing
  • ansible
    • YAML + Jinja
    • Very new
    • agent-less

Orchestration

  • ssh in a for-loop
  • fabric
    • python
    • task-based
    • parallel
  • ansible
    • ad-hoc shell
    • dynamic nodes
    • accelerated
  • SaltStack
    • ZeroMQ
    • Minions only (not in master-less mode)
    • modules
  • MCollective
    • comes with puppet
    • AMQP bus
    • limited ad-hoc
    • live discovery
  • Rundeck
    • service you run on a machine and call out to, like Jenkins
    • API-driven
    • centralized
    • Workflows
  • Chatops
    • Hubot
    • visibility
    • emerging trend

Database

  • Postgres
    • ACID compliant
  • MySQL
    • Mostly ACID compliant (no transactional DDL)
    • Many forks
  • Redis
    • key/value store
    • in-memory
    • limited HA (high-availability)
  • Cassandra
    • distributed
    • big table
    • CQL
  • Riak
    • distributed
    • map-reduce
    • CRDTs (data merging of simultaneous commits)
  • MongoDB, CouchDB, Interns
  • ZooKeeper
    • meant for relatively static info
    • Very consistent, slow, Paxos family of algorithms

Web Servers

  • Apache
    • battle tested
    • typically has bad defaults
    • flexible MPMs
    • mod_wsgi
  • Nginx
    • concurrent
    • simple config
    • proxy
    • may be faster than Apache, but probably doesn't matter to me
  • Gunicorn
    • pure python
    • simple
    • fast
    • only run behind Apache/nginx!
  • uWSGI
  • Twisted
    • really fast
    • mix w/async
    • complex
  • CDNs
    • Fastly, CloudFront, Varnish

Server Provisioning

  • manual
    • knife ec2, novaclient, Web UI
    • probably fine for just a few servers
  • AWS ASGs
    • Vendor lock-in
    • limited triggers
    • easy
  • CloudFormation
    • declarative model for your whole infrastructure
    • fragile state
  • Heat
    • OpenStack's CloudFormation, essentially
  • RightScale
    • Expensive
    • Cross-cloud
  • Asgard
    • Netflix stack
    • AWS ASGs
    • deployments

Secrets Management

  • Config
    • existing tools
    • versioned
    • insecure!!!
  • Encryption
    • encrypted bags
    • ansible vault
    • ...unwise
  • S3+IAM
    • private S3 bucket with EC2 IAM server roles
    • vendor lock-in
    • moving pieces
    • relatively safe
  • Barbican
    • developed for OpenStack
    • very new
    • promising
  • Red October
    • N-of-M access
    • cold storage; things that aren't often accessed
    • GPG-based

Metrics

  • Statsd
  • Collectd
  • graphite

Logs

  • logstash
  • kibana
  • sentry

PaaS

  • Heroku
    • Easy
    • Free (for small stuff)
    • inflexible and gets expensive
    • not too much vendor lock-in
  • Google App Engine
    • mild lock-in
    • scalable
    • few users
  • OpenShift
    • no lock-in
    • open-source
    • difficult to deploy yourself, however
  • Deis/Flynn
    • docker-based
    • very young
    • promising