PMXBOT Log file Viewer

#dcpython logs for Sunday the 22nd of January, 2012

[20:12:06] <aclark> craigkerstiens: ping
[20:12:10] <craigkerstiens> pong
[20:12:19] <aclark> craigkerstiens: hey yet another q about heroku :-)
[20:12:26] <craigkerstiens> sure, fire away
[20:12:57] <aclark> craigkerstiens: so i've just "come out" a bit with my app on the python catalog-sig list
[20:13:22] <aclark> http://mail.python.org/pipermail/catalog-sig/2012-January/004152.html
[20:13:36] <aclark> and a concern raised was… surprise! security
[20:14:09] <aclark> to which i want to be able to reply: oh, heroku has it covered
[20:14:57] <aclark> a quick goog search indicates you guys are "on it" e.g. https://status.heroku.com/incident/115
[20:15:11] <craigkerstiens> yep yep, any specifics i can answer about security?
[20:15:16] <aclark> but i want to be able to intelligently compare a single vps with the cedar stack in some intelligent way
[20:15:19] <aclark> yes
[20:15:21] <aclark> how is it more secure? :-)
[20:15:28] <aclark> or is it
[20:15:29] <aclark> etc
[20:15:34] <aclark> i picture it being more security
[20:15:44] <aclark> s/security/secure/
[20:15:52] <aclark> but don't have any facts to back it up
[20:15:58] <aclark> other than "managed" vs. "unmanaged" maybe
[20:16:00] <craigkerstiens> sure
[20:16:17] <craigkerstiens> so, each instance of your app or dyno rather is completely lxc contained
[20:16:23] <aclark> (with the most important thing that no one get the priv key of pythonpackages)
[20:16:36] <aclark> lxc?
[20:16:46] <craigkerstiens> http://lxc.sourceforge.net/
[20:16:57] <craigkerstiens> it's what a large number of VMs build on top of
[20:16:59] <aclark> oh neat
[20:17:01] <aclark> k
[20:17:06] <craigkerstiens> when it comes down to how to make your app secure
[20:17:17] <craigkerstiens> the safest way is no keys/creds/anything in the code
[20:17:23] <craigkerstiens> always load that up as config vars
[20:17:26] <aclark> k
[20:17:34] <craigkerstiens> we take lots of care to ensure those are secure and not accessible
[20:17:39] <aclark> gotcha
[20:17:54] <craigkerstiens> it comes back to better practices as well including: http://www.12factor.net/config
[20:18:33] <aclark> can this even work on heroku? I basically need a user with a .ssh/id_rsa configured (or equivalent)
[20:19:27] <ericholscher> if only pypi supported oauth..
[20:19:34] <aclark> they may at some point
[20:19:37] <aclark> who knows
[20:19:54] <craigkerstiens> yeah, it should work alright
[20:20:04] <craigkerstiens> i believe others have done similar before, but will have to double check
[20:20:13] <craigkerstiens> i can give you more confirmation this week after validating with a few others
[20:20:41] <aclark> craigkerstiens: cool thanks, i'll research configuring things with config vars…
[20:21:09] <aclark> i know i can get a shell, so worst case i could manually dump the ssh config there
[20:21:30] <craigkerstiens> well the shell is ephemeral
[20:21:35] <craigkerstiens> so it's there then gone
[20:21:42] <craigkerstiens> it's a whole new instance of your app when you shell in
[20:22:03] <aclark> that's really the only thing that i'm worried about at the moment (though general app security is important too of course)
[20:22:14] <aclark> ok so it would be much better if it were supported in software in the app
[20:22:33] <craigkerstiens> yeah, so i actually have something similar with python.heroku.com
[20:22:42] <craigkerstiens> it sets up ssh key for pushing to heroku
[20:22:58] <aclark> there you go, that's what i need to implement
[20:23:13] <aclark> and be able to answer to people about the security of it, etc
[20:23:27] <craigkerstiens> actually, it looks like have that remote in there by default
[20:23:35] <craigkerstiens> feel free to peruse: https://github.com/craigkerstiens/Python-heroku/blob/master/demo/views/main.py
[20:23:42] <craigkerstiens> it's the flask app that powers python.heroku.com
[20:23:44] <aclark> thx
[20:23:47] <aclark> cool
[20:24:05] <aclark> neat
[20:25:30] <craigkerstiens> just spinning up a heroku run bash will give you some insight into what's there and what you can work with
[20:25:42] <craigkerstiens> and all config vars for your app are available as env vars inside the dyno
[20:26:38] <aclark> k
[20:27:21] <aclark> craigkerstiens: heh how do you like envoy?
[20:27:27] <aclark> that's a reitz production IIRC
[20:28:49] <craigkerstiens> it is a reitz production, haha
[20:28:55] <craigkerstiens> it's decent, works well in this case
[20:29:12] <craigkerstiens> though i didn't need a ton from it, but still was simple enough to use
[20:47:15] <aclark> craigkerstiens: so basically the point is i store my private key via heroku config e.g. http://devcenter.heroku.com/articles/config-vars#an_example and then use it from the app
[20:47:23] <craigkerstiens> yep yep
[20:47:35] <aclark> so it's never on disk anywhere
[20:47:36] <aclark> k
[20:48:22] <aclark> however if someone "broke in" to the app they could in theory check the environment… i assume (however unlikely that may be)
[20:48:33] <aclark> via setenv or something?
[20:48:51] <aclark> err, env
[20:58:10] <craigkerstiens> yeah, they could
[20:58:27] <craigkerstiens> in general you have the same problem anytime you host anywhere
[21:00:44] <aclark> well you can only do what you can do, i just want to make sure i understand the problem enough to provide a reasonable set of precautions
[21:14:58] <craigkerstiens> things such as regularly rolling your keys/creds are always a good thing to do
[21:24:06] <aclark> craigkerstiens: yeah good idea
[21:24:27] <aclark> can probably automate dumping a new pub key to pypi