The uWSGI Emperor – multi-app deployment¶
If you need to deploy a big number of apps on a single server, or a group of servers, the Emperor mode is just the ticket. It is a special uWSGI instance that will monitor specific events and will spawn/stop/reload instances (known as vassals, when managed by an Emperor) on demand.
By default the Emperor will scan specific directories for supported (.ini, .xml, .yml, .json, etc.) uWSGI configuration files, but it is extensible using imperial monitor plugins. The dir:// and glob:// plugins are embedded in the core, so they need not be loaded, and are automatically detected. The dir:// plugin is the default.
- Whenever an imperial monitor detects a new configuration file, a new uWSGI instance will be spawned with that configuration.
- Whenever a configuration file is modified (its modification time changed, so touch --no-dereference may be your friend), the corresponding app will be reloaded.
- Whenever a config file is removed, the corresponding app will be stopped.
- If the emperor dies, all the vassals die.
- If a vassal dies for any reason, the emperor will respawn it.
Multiple sources of configuration may be monitored by specifying --emperor multiple times.
See Imperial monitors for a list of the Imperial Monitor plugins shipped with uWSGI and how to use them.
- Imperial monitors
- dir:// – scan a directory for uWSGI config files
- glob:// – monitor a shell pattern
- pg:// – scan a PostgreSQL table for configuration
- mongodb:// – Scan MongoDB collections for configuration
- amqp:// – Use an AMQP compliant message queue to announce events
- zmq:// – ZeroMQ
- zoo:// – Zookeeper
- ldap:// – LDAP
- The Emperor protocol
Special configuration variables¶
Using Placeholders and Magic variables in conjunction with the Emperor will probably save you a lot of time and make your configuration more DRY. Suppose that in /opt/apps there are only Django apps. /opt/apps/app.skel (the .skel extension is not a known configuration file type to uWSGI and will be skipped)
[uwsgi] chdir = /opt/apps/%n master = true threads = 20 socket = /tmp/sockets/%n.sock env = DJANGO_SETTINGS_MODULE=%n.settings module = django.core.handlers.wsgi:WSGIHandler()
And then for each app create a symlink:
ln -s /opt/apps/app.skel /opt/apps/app1.ini ln -s /opt/apps/app.skel /opt/apps/app2.ini
Finally, start the Emperor with the --emperor-nofollow option. Now you can reload each vassal separately with the command:
touch --no-dereference $INI_FILE
Passing configuration parameters to all vassals¶
Starting from 1.9.19 you can pass options using the --vassal-set facility
[uwsgi] emperor = /etc/uwsgi/vassals vassal-set = processes=8 vassal-set = enable-metrics=1
this will add --set processes=8 and --set enable-metrics=1 to each vassal
You can force the Emperor to pass options to uWSGI instances using environment variables too. Every environment variable of the form UWSGI_VASSAL_xxx will be rewritten in the new instance as UWSGI_xxx, with the usual configuration implications.
UWSGI_VASSAL_SOCKET=/tmp/%n.sock uwsgi --emperor /opt/apps
will let you avoid specifying the socket option in configuration files.
Alternatively, you can use the --vassals-include option let each vassal automatically include a complete config file:
uwsgi --emperor /opt/apps --vassals-include /etc/uwsgi/vassals-default.ini
Note that if you do this, %n (and other magic variables) in the included file will resolve to the name of the included file, not the original vassal configuration file. If you want to set options in the included file using the vassal name, you’ll have to use placeholders. For example, in the vassal config, you write:
[uwsgi] vassal_name = %n ... more options
In the vassal-defaults.ini, you write:
[uwsgi] socket = /tmp/sockets/%(vassal_name).sock
Tyrant mode (secure multi-user hosting)¶
The emperor is normally be run as root, setting the UID and GID in each instance’s config. The vassal instance then drops privileges before serving requests. In this mode, if your users have access to their own uWSGI configuration files, you can’t trust them to set the correct uid and gid. You could run the emperor as unprivileged user (with uid and gid) but all of the vassals would then run under the same user, as unprivileged users are not able to promote themselves to other users. For this case the Tyrant mode is available – just add the emperor-tyrant option.
In Tyrant mode the Emperor will run the vassal with the UID/GID of its configuration file (or for other Imperial Monitors, by some other method of configuration). If Tyrant mode is used, the vassal configuration files must have UID/GID > 0. An error will occur if the UID or GID is zero, or if the UID or GID of the configuration of an already running vassal changes.
Tyrant mode for paranoid sysadmins (Linux only)¶
If you have built a uWSGI version with Setting POSIX Capabilities options enabled, you can run the Emperor as unprivileged user but maintaining the minimal amount of root-capabilities needed to apply the tyrant mode
[uwsgi] uid = 10000 gid = 10000 emperor = /tmp emperor-tyrant = true cap = setgid,setuid
On demand vassals (socket activation)¶
Inspired by the venerable xinetd/inetd approach, you can spawn your vassals only after the first connection to a specific socket. This feature is available as of 1.9.1. Check the changelog for more information: uWSGI 1.9.1
As soon as a vassal manages a request it will became “loyal”. This status is used by the Emperor to identify bad-behaving vassals and punish them.
Whenever two or more vassals are spawned in the same second, the Emperor will start a throttling subsystem to avoid fork bombing. The system adds a throttle delta (specified in milliseconds via the OptionEmperorThrottle option) whenever it happens, and waits for that duration before spawning a new vassal. Every time a new vassal spawns without triggering throttling, the current throttling duration is halved.
Whenever a non-loyal vassal dies, it is put in a shameful blacklist. When in a blacklist, that vassal will be throttled up to a maximum value (tunable via OptionEmperorMaxThrottle), starting from the default throttle delta of 3. Whenever a blacklisted vassal dies, its throttling value is increased by the delta (OptionEmperorThrottle).
Vassals can voluntarily ask the Emperor to monitor their status. Workers of heartbeat-enabled vassals will send “heartbeat” messages to the Emperor. If the Emperor does not receive heartbeats from an instance for more than N (default 30, OptionEmperorRequiredHeartbeat) seconds, that instance will be considered hung and thus reloaded. To enable sending of heartbeat packet in a vassal, add the OptionHeartbeat option.
If all of your workers are stuck handling perfectly legal requests such as slow, large file uploads, the Emperor will trigger a reload as if the workers are hung. The reload triggered is a graceful one, so you can be able to tune your config/timeout/mercy for sane behaviour.
Using Linux namespaces for vassals¶
On Linux you can tell the Emperor to run vassals in “unshared” contexts. That means you can run each vassal with a dedicated view of the filesystems, ipc, uts, networking, pids and uids.
Things you generally do with tools like lxc or its abstractions like docker are native in uWSGI.
For example if you want to run each vassals in a new namespace:
[uwsgi] emperor = /etc/uwsgi/vassals emperor-use-clone = fs,net,ipc,pid,uts
now each vassal will be able to modify the filesystem layout, networking, hostname and so on without damaging the main system.
A couple of helper daemons are included in the uWSGI distribution to simplify management of jailed vassals. Most notably The TunTap Router allows full user-space networking in jails, while the forkpty router allows allocation of pseudoterminals in jails
It is not needed to unshare all of the subsystem in your vassals, sometimes you only want to give dedicated ipc and hostname to a vassal and hide from the processes list:
[uwsgi] emperor = /etc/uwsgi/vassals emperor-use-clone = fs,ipc,pid,uts
a vassal could be:
[uwsgi] ; set the hostname exec-as-root = hostname foobar ; umount /proc and remount to hide processes ; as we are in the 'fs' namespace umounting /proc does not interfere with the main one exec-as-root = umount /proc exec-as-root = mount -t proc none /proc ; drop privileges uid = foobar gid = foobar ; bind to the socket socket = /tmp/myapp.socket psgi = myapp.pl
The Imperial Bureau of Statistics¶
You can enable a statistics/status service for the Emperor by adding the OptionEmperorStats option with a TCP address. By connecting to that address, you’ll get a JSON-format blob of statistics.
Running non-uWSGI apps or using alternative uWSGIs as vassals¶
You can exec() a different binary as your vassal using the privileged-binary-patch/unprivileged-binary-patch options. The first one patches the binary after socket inheritance and shared socket initialization (so you will be able to use uWSGI-defined sockets). The second one patches the binary after privileges drop. In this way you will be able to use uWSGI’s UID/GID/chroot/namespace/jailing options. The binary is called with the same arguments that were passed to the vassal by the Emperor.
; i am a special vassal calling a different binary in a new linux network namespace [uwsgi] uid = 1000 gid = 1000 unshare = net unprivileged-binary-patch = /usr/bin/myfunnyserver
DO NOT DAEMONIZE your apps. If you do so, the Emperor will lose its connection with them.
The uWSGI arguments are passed to the new binary. If you do not like that behaviour (or need to pass custom arguments) add -arg to the binary patch option, yielding:
; i am a special vassal calling a different binary in a new linux network namespace ; with custom options [uwsgi] uid = 1000 gid = 1000 unshare = net unprivileged-binary-patch-arg = ps aux
;nginx example [uwsgi] privileged-binary-patch-arg = nginx -g "daemon off;"
Your custom vassal apps can also speak with the emperor using the emperor protocol.
Integrating the Emperor with the FastRouter¶
The FastRouter is a proxy/load-balancer/router speaking The uwsgi Protocol. Yann Malet from Lincoln Loop has released a draft about massive Emperor + Fastrouter deployment (PDF) using The uWSGI caching framework as a hostname to socket mapping storage.
At startup, the emperor chdir() to the vassal dir. All vassal instances will start from here.
If the uwsgi binary is not in your system path you can force its path with binary-path:
./uwsgi --emperor /opt/apps --binary-path /opt/uwsgi/uwsgi
Sending SIGUSR1 to the emperor will print vassal status in its log.
Stopping (SIGINT/SIGTERM/SIGQUIT) the Emperor will invoke Ragnarok and kill all the vassals.
Sending SIGHUP to the Emperor will reload all vassals.
The emperor should generally not be run with --master, unless master features like advanced logging are specifically needed.
The emperor should generally be started at server boot time and left alone, not reloaded/restarted except for uWSGI upgrades; emperor reloads are a bit drastic, reloading all vassals at once. Instead vassals should be reloaded individually when needed, in the manner of the imperial monitor in use.
- Docs-TODO: Clarify what the “chdir-on-startup” behavior does with non-filesystem monitors.
- Export more magic vars
- Add support for multiple sections in xml/ini/yaml files (this will allow to have a single config file for multiple instances)