Flynn

From Leaky
Revision as of 10:37, 27 February 2017 by Leaky (talk | contribs) (Copied the rules from Philip's page in case it ever disappears)

Open-source PaaS software

Available from https://flynn.io/

Perl applications

There's no out-of-the-box support for Perl PSGI applications, but it takes just a single command to set up the environment.

flynn -a yourappname env set \
  BUILDPACK_URL=https://github.com/pnu/heroku-buildpack-perl \
  PERL5LIB=/app/lib:/app/local/lib/perl5

There has to be an app.psgi file (the actual filename is app.psgi, that's not a placeholder) in the top directory of your application. If you use the default Catalyst application structure, you should have a 'yourappname.psgi', which can simply be renamed to app.psgi.

Useful commands

Recover dashboard login token:

flynn -a dashboard env | grep LOGIN_TOKEN

Git requirements

Git 1.8.5 or higher is required for seamless publishing via git.

Git 1.8.3 (the CentOS 7 default) requires an environment variable to publish an app, because of the self-signed SSL certificate. Since the CA certificate is stored within ~/.flynn/ when you set up the cluster, the GIT_SSL_CAINFO environment variable can be used to specify the CA.

$ GIT_SSL_CAINFO=~/.flynn/ca-certs/default.pem git push flynn master

Below 1.7.3 (e.g. the CentOS 6 default of 1.7.1) there's a little more work required, because git doesn't support the credential helper. You'll need the key for your Flynn cluster, which can be found in ~/.flynnrc and then added to the remote URL:

$ grep Key ~/.flynnrc
    Key = "44161646005d26ede2c6687aaaaaaaaa"
$ git config --get remote.flynn.url
https://git.flynn1.bocks.com/myapp.git
$ git remote set-url flynn https://:44161646005d26ede2c6687aaaaaaaaa@git.flynn1.bocks.com/myapp.git

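To push the repository with git 1.7.x, you still need the GIT_SSL_CAINFO environment variable, as for git 1.8.3. The cluster key is now stored in plain text in the repository's .git/config, so keep that file private.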

See Updating Git for instructions.
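
As an added example (not part of the original page), the three cases above can be folded into a small shell helper that reads the `git --version` string and prints the push command to use. Treating every version from 1.7.3 up to 1.8.4 like 1.8.3 is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): pick the Flynn push method
# for a given git version, per the three cases under "Git requirements".

CA_FILE="$HOME/.flynn/ca-certs/default.pem"   # CA path as given on the page

# ver_lt A B: succeed if dotted numeric version A is strictly lower than B.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# flynn_push_mode "<git --version output>": print plain, cainfo or cainfo+url.
flynn_push_mode() {
    # Keep only the leading dotted number: "git version 1.8.3.1" -> 1.8.3.1
    v=$(printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/^\([0-9.]*\).*/\1/; s/\.$//')
    if ver_lt "$v" 1.7.3; then
        echo "cainfo+url"   # no credential helper: key must go in the URL
    elif ver_lt "$v" 1.8.5; then
        echo "cainfo"       # assumption: 1.7.3 to 1.8.4 all behave like 1.8.3
    else
        echo "plain"
    fi
}

# flynn_url_with_key URL FLYNNRC: print URL with the first Key from FLYNNRC
# inserted as the password part (https://:KEY@host/...), as the page does.
# Assumes the key contains no characters special to sed (it is hex).
flynn_url_with_key() {
    key=$(sed -n 's/^[[:space:]]*Key = "\(.*\)".*/\1/p' "$2" | head -n 1)
    [ -n "$key" ] || { echo "no Key in $2" >&2; return 1; }
    printf '%s\n' "$1" | sed "s#^https://#https://:${key}@#"
}

# flynn_push_cmd "<git --version output>": print the push command to run.
flynn_push_cmd() {
    case $(flynn_push_mode "$1") in
        plain) echo "git push flynn master" ;;
        *)     echo "GIT_SSL_CAINFO=$CA_FILE git push flynn master" ;;
    esac
}

# Print the command for the locally installed git (skipped if git is absent).
if command -v git >/dev/null 2>&1; then flynn_push_cmd "$(git --version)"; fi
```

In the cainfo+url case the remote has to be rewritten first, by passing the output of flynn_url_with_key to git remote set-url flynn.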

Firewall

Flynn requires a bunch of firewall rules to secure the API from external users.

ufw allow ssh
ufw allow http
ufw allow https
ufw allow 3000:3500/tcp
ufw allow from a.b.c.d   # repeat for each node IP address if in a cluster
ufw enable
ufw allow in on flynnbr0
ufw allow in on flannel.1

This next line is only required if you want to give connection refused instead of silently dropping packets.

ufw default REJECT

Because applications run in Docker, ufw needs to forward some traffic, so edit the ufw config file /etc/default/ufw and change

DEFAULT_FORWARD_POLICY="DROP"

to

DEFAULT_FORWARD_POLICY="ACCEPT"

Then reload the firewall:

ufw reload

The full information about these rules can be found at https://www.philiplb.de/flynn/2016/04/19/flynn-ufw/