19 November 2014

HOWTO Setup gunicorn on OpenBSD 5.6

As part of a silly web project of mine, I'm having fun getting reacquainted with OpenBSD.

Today I wanted to set up Gunicorn, a powerful webserver that will eventually run my Django application. It was not a straightforward process, so I decided to document it for my fellow geeks.

Preamble

This procedure assumes that you've already set up the following:
  • installed Python 3 (I tested with 3.4.1)
  • created a custom myuser account and logged on as such
  • created a virtualenv with pyvenv /home/myuser
  • installed Django in the above-mentioned virtualenv
  • created a Django project at /home/myuser/myproject

Let's go!

  1. activate the virtualenv: source bin/activate
  2. install Gunicorn: pip install gunicorn
  3. create /home/myuser/gunicorn_config.py with the following contents:
    command = '/home/myuser/bin/gunicorn'
    pythonpath = '/home/myuser/myproject'
    chdir = '/home/myuser'
    pidfile = '/home/myuser/.gunicorn_myproject.pid'
    user = 'nobody'
    worker_tmp_dir = '/tmp'
    errorlog = '/var/log/gunicorn_myproject'
    # tweak the following lines to suit your setup
    bind = 'localhost:8001'
    workers = 4

    You can add any further option as necessary, but it's important you keep pidfile and user.
  4. sudo to root (I'd recommend doing that from another account, i.e. don't add myuser to wheel) and create /etc/rc.d/gunicorn_myproject with the following contents:
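    #!/bin/sh
    daemon="/home/myuser/bin/python"
    daemon_flags="/home/myuser/bin/gunicorn -c /home/myuser/gunicorn_config.py -D myproject.wsgi"
    
    . /etc/rc.d/rc.subr
    
    # Override rc_stop after sourcing rc.subr, which defines its own default;
    # a definition placed before the line above would be replaced by it.
    rc_stop() {
        # signal the Gunicorn master using the PID it wrote at startup
        kill "$(cat /home/myuser/.gunicorn_myproject.pid)"
    }
    
    rc_cmd $1

    Note how we are specifying daemon to be the python executable. This is the only way I've found to keep the rest of the machinery in rc.subr working smoothly.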
  5. chmod 555 /etc/rc.d/gunicorn_myproject
  6. now you can start and stop Gunicorn with standard OpenBSD 5.x commands: /etc/rc.d/gunicorn_myproject start
  7. Typically, you'd then set nginx to proxy and cache requests, and firewall gunicorn from the outside.

Note how gunicorn starts as root and then spawns processes as nobody; if I were to start it as myuser, it would not work. This is because gunicorn tries to change ownership of files and processes after startup, and OpenBSD doesn't seem to like it. This looks suboptimal to me, but I couldn't find a workaround.

Note also how we're writing the main process PID to file, and then using it to stop that same main process. Standard rc.subr machinery would expect me to specify a regex in the pexp variable, which would then be passed to pgrep to find the process; but this doesn't work with gunicorn because pgrep simply cannot distinguish between master and worker processes, since they appear to have the exact same command line.
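
The pidfile configured above lives in /home/myuser, a directory that myuser can write to, while rc_stop runs as root and signals whatever PID the file contains. The following is an added example, not part of the original post: a hypothetical read_pidfile helper that a root-run rc_stop could call to check the file before using it. The function name, its arguments and the assumption that root (uid 0) owns the pidfile are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): validate a pidfile before a
# root-run rc_stop signals the PID it contains.
# read_pidfile and its arguments are hypothetical names, not part of rc.subr.

# read_pidfile FILE OWNER_UID
# Prints the PID and returns 0 only if FILE is a regular file (not a symlink),
# is owned by OWNER_UID, is not group/world-writable, and holds one integer > 1.
read_pidfile() {
    _file=$1
    _uid=$2

    # Reject symlinks and anything that is not a regular file.
    [ -L "$_file" ] && return 1
    [ -f "$_file" ] || return 1

    # 'ls -ln' prints the mode string (field 1) and numeric owner (field 3).
    _meta=$(ls -ln "$_file") || return 1
    _mode=$(printf '%s\n' "$_meta" | awk '{print $1}')
    _owner=$(printf '%s\n' "$_meta" | awk '{print $3}')
    [ "$_owner" = "$_uid" ] || return 1

    # Characters 6 and 9 of the mode string are the group/other write bits.
    case $(printf '%s' "$_mode" | cut -c6,9) in
        *w*) return 1 ;;
    esac

    # At most one line, digits only.
    [ "$(wc -l < "$_file" | tr -d ' ')" -le 1 ] || return 1
    _pid=$(cat "$_file")
    case $_pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # PIDs 0 and 1 are never a Gunicorn master; refuse them.
    [ "$_pid" -gt 1 ] 2>/dev/null || return 1

    printf '%s\n' "$_pid"
}

# Possible use in /etc/rc.d/gunicorn_myproject (assumes root, uid 0, owns the file):
#   rc_stop() {
#       _p=$(read_pidfile /home/myuser/.gunicorn_myproject.pid 0) && kill "$_p"
#   }
```
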

If you know anything else I should do to further secure this setup, please let me know in comments!

07 November 2014

If you are interested in Oracle EPM infrastructure...

... then you might want to pop in at UKOUG Apps 14 in Liverpool, on 10 December, to hear me describe the sad state of security in our little niche and how we can improve it.

I promise that I won't bamboozle you with security nerdspeak; it will mostly be an overview of "things EPM customers should ask for but somehow never do". Remember to pack your tinfoil hat!


02 November 2014

What to do if Apple Mail becomes invisible in OSX 10.10

Apple Mail is a solid application, but occasionally it can be infuriating.

Today, all of a sudden, when I opened it, the main viewer window would not appear. The program seemed to work fine in the background: I received notification of new emails, the unread count on the icon would get updated, but there was no window. Trying to use Exposé, "Bring all to Front", "Arrange all to front" wouldn't bring any improvement. Right-clicking on the icon and selecting "Show all windows" would show transparent squares with actual window titles, but trying to click on them would make no difference. File -> New Viewer Window seemed to produce new "transparent" windows, so the list under the Window menu would get longer but I still wouldn't see anything. Using AppleScript to resize and reposition a window gave very strange results, with the window appearing half-broken (no Preview column, no Mailbox list, missing toolbars etc.) and eventually disappearing again.

Out of desperation, I quit Mail and started digging in the filesystem. I eventually managed to fix the problem by doing the following:

cd /Users/your-user/Library/Containers/com.apple.mail/Data/Library
# 'tar' is just for safety, delete the gz file if fix works
tar -czvf ~/Desktop/Preferences.tar.gz Preferences
rm -rf Preferences


When I then launched Mail, the Viewer window finally appeared and worked correctly. It had lost my original layout, so I had to set a couple of preferences again, but apart from that it seemed to work well and it didn't lose any mail or account information.