[Openstack] Why security guide advise against uwsgi for deploying horizon with nginx?

Paul McMillan paul.mcmillan at nebula.com
Wed Aug 27 20:26:30 UTC 2014 

The security guide is written with the general public in mind. While there's nothing inherently wrong with uWSGI, it is common for people to look at synthetic performance benchmarks and make their choice based on those. Unfortunately, uWSGI has an incredibly large number of options, choices, features, and configurations for a deployer to tweak, many of which can result in bad performance or security problems. Furthermore, segfaults are pretty common in that codebase (at least with some configuration options), which is not encouraging from a security perspective.?


The conservative choice is to recommend gunicorn which is stable, has fewer features, and is generally easier to configure and deploy correctly. If you prefer uWSGI and already have experience running it, please feel free to use it with Horizon.


-Paul


________________________________
From: sylecn <sylecn at gmail.com>
Sent: Wednesday, August 27, 2014 1:39 AM
To: <openstack at lists.openstack.org>
Subject: [Openstack] Why security guide advise against uwsgi for deploying horizon with nginx?

HI all,

I'm trying to deploy horizon with nginx, and to my surprise, the security guide advice against uwsgi, which is the WSGI server of choice for all my other WSGI apps.

In the security guide [1], it says

When using nginx, we recommend gunicorn<http://docs.gunicorn.org/en/latest/deploy.html> as the wsgi host with an appropriate number of synchronous workers. We strongly advise against deployments using fastcgi, scgi, or uWSGI. We strongly advise against the use of synthetic performance benchmarks when choosing a wsgi server.

Anyone know the reason behind this? Is it just personal preferences?
I see uwsgi has its own benefits beyond being permanent. It has good documentation, easy nginx integration, is stable and is configurable. Why it is advised against?

[1] http://docs.openstack.org/security-guide/content/ch025_web-dashboard.html

--
YY Inc. is hiring openstack and python developers. Interested? Check http://soa.game.yy.com/jobs.html

--
Thanks,
Yuanle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140827/d2d7898b/attachment.html>

More information about the Openstack mailing list