On the second day of Elastic{ON}, I woke up to an email from my VPS provider saying that my server was participating in a DDoS attack. Network access had been suspended, and I needed to back up any data and kill the server. I had console access via their portal, so I logged in.
Turned out Elasticsearch was the culprit. I found a bash console running under the elasticsearch user, so I killed all their processes (and Elasticsearch). If you are not on the latest version, you need to be. And if you have dynamic scripting on (the default in previous versions), you need to make sure it’s off.
I didn’t have much of import on there anyway, so I just blew away the server. Then it was time to figure out a new, more secure setup. I use this server to try out quick apps I do on the side. They don’t take very much in terms of resources. Usually they just need a basic app run, and a service like Postgres, Redis, or Mongo at very low scale. There’s no reason to have one or more servers per app.
Heroku has the auto-sleep thing, which sucks, and not all addons are free at the intro tier. For example, Found.
My first thought was Docker, because it’s the new hotness.
- Dokku is the simplest solution, but it seems to be very oriented towards having one app.
- Deis seems production-ready, but it’s very focused on having multiple servers.
- Flynn has single-server examples, but no way to add “appliances” (stateful applications) besides Postgres.
While I could run just base Docker, I just can’t justify having to do these things manually. For now, I’m sticking with the “just a linux box” architecture.
Enter chef-solo. I’d been itching to write a setup & config script for a while, especially since my apps have so many components in common. Upstart, monit, logrotate, cron jobs - it’s way better to have this stuff in a repo than just sitting on a server somewhere.
Plus, the recipes for the most part come with secure defaults and recommended best practices right in the README. My final repo stack ended up using:
- chef-solo for cookbooks
- knife-solo for deploying
- Berkshelf for dependency management
- Vagrant for testing
This made it super easy to write some chef scripts, run a test build on a Vagrant box, and then deploy it to my shiny new dev server. My blahg here is running on nginx on it, since it’s built with Jekyll, Grunt, and rsync, modified from the super-nice yeoman generator.
My new setup is hopefully more secure, and won’t be going down again for a while.