The idea behind piku is that it provides the simplest possible way to deploy web apps or services. Simplicity comes at the expense of features, of course, and this document tries to capture the trade-offs.
Using uWSGI in emperor mode gives us the following features for free:
- Painless Python WSGI and
virtualenvintegration - Process monitoring, restarting, basic resource limiting, etc.
- Basic security scaffolding, beginning with the ability to define
uid/gidon a per-app basis (if necessary)
An app is simply a git repository with some additional files on the top level, the most important of which is the Procfile.
piku recognizes three kinds of process declarations in the Procfile:
wsgiworkers, in the formatdotted.module:entry_point(Python-only)webworkers, which can be anything that honors thePORTenvironment variableworkerprcesses, which are standalone workers
So a Python application could have a Procfile like such:
wsgi: module.submodule:app
worker: python long_running_script.py ...whereas a generic app would be:
web: embedded_server --port $PORT
worker: background_workerAny worker will be automatically respawned upon failure (uWSGI will automatically shun/throttle crashy workers).
Since piku is targeted at 12 Factor apps, it allows you to set environment variables in a number of ways, the simplest of which is by adding an ENV file to your repository:
SETTING1=foo
# piku supports comments and variable expansion
SETTING2=${SETTING1}/bar
# if this isn't defined, piku will assign a random TCP port
PORT=9080Environment variables can be changed after deployment using config:set.
piku follows a very simple set of rules to determine what kind of runtime is required:
- If there's a
requirements.txtfile at the top level, then the app is assumed to require Python. - TODO: Go
- TODO: Node
- TODO: Java
- For all the rest, a
Procfileis required to determine the application entry points.
Application isolation can be tackled at several levels, the most relevant of which being:
- OS/process isolation
- Runtime/library isolation
For 1.0, all applications run under the same uid, under separate branches of the same filesystem, and without any resource limiting.
Ways to improve upon that (short of full containerisation) typically entail the use of a chroot jail environment (which is available under most POSIX systems in one form or another) or Linux kernel namespaces - both of which are supported by uWSGI (which can also handle resource limiting to a degree).
As to runtime isolation, piku only provides virtualenv support until 1.0, and all Python apps will use the default interpreter (Go, Node and Java support will share these limitations in each major version).
Supporting multiple Python versions can be done by deploying piku again under a different Python or using pyenv when building app environments, which makes it a little harder to manage using the same uWSGI setup (but not impossible).
piku uses two git repositories for each app: a bare repository for client push, and a clone for deployment (which is efficient in terms of storage since git tries to use hardlinks on local clones whenever possible).
This separation makes it easier to cope with long/large deployments and restore apps to a pristine condition, since the app will only go live after the deployment clone is reset (via git checkout -f).