2

I have some pretty basic questions. I am deploying a Flask application in Gunicorn (19.0-1) on Ubuntu (14.10) in combination with Nginx.

Since this app sits alongside Web2Py, I followed a guide to locking down the website produced by Web2Py and applied the same strategy for my Flask application.

In this example, Gunicorn workers are run as the www-data user, and the files and source in /var/www are locked down by making the www-data group the owner and www-data the group.

However, a few points confuse me:

  1. Although Gunicorn workers run as www-data, the Gunicorn server daemon runs as root. Will this be a cause for concern?
  2. Searching for Nginx + Gunicorn + Flask leads to sites that recommend running Gunicorn through supervisord rather than as an init.d service. Should I consider switching?
  3. Since the www-data account is locked down (no shell/no password), where can developers using the VM run their code so that the environment matches production as closely as possible?

1 Answer

1

I use Flask with Nginx and Gunicorn myself, so I'll attempt to answer as best I can:

1). It could be, but from my own research and experience it's generally better not to run Gunicorn in daemon mode and use some sort of dedicated process manager instead (like Supervisor).

2). Supervisor and init.d do not strictly serve the same purpose. Init.d is an "Initialization Daemon"; its purpose is to be the service that starts all the other services (like, say, Gunicorn). Supervisor is a Process Control Manager which can be used to start other services as well as monitor and restart them if something goes wrong. Supervisor, however, still needs init.d (or its successor Upstart) to start it at boot up. I prefer to use Supervisor because it's easy to use and lets me start, stop, and/or restart Gunicorn workers quickly.

3). You usually have some sort of dedicated development environment that's a copy of production. I personally use 3 cloud servers, 1 for production, 1 for staging (a.k.a., the testing ground for making sure the application deploys correctly), and 1 for development. Staging and development are copies of production.
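
A Supervisor program stanza for the setup discussed in points 1 and 2, added here as an example and not part of the original answer. The program name, file paths, socket location and the `app:app` module are assumptions; the socket directory is assumed to exist and be writable by www-data.

```ini
; /etc/supervisor/conf.d/flaskapp.conf  (hypothetical file name)
[program:flaskapp]
; Run Gunicorn in the foreground (no --daemon) so supervisord can monitor
; and restart it. Binding to a Unix socket (or any port above 1024) needs
; no root privileges; Nginx proxies requests to this socket.
; Paths and the app:app module below are assumed for illustration.
command=/var/www/flaskapp/venv/bin/gunicorn --workers 3 --bind unix:/run/flaskapp/gunicorn.sock app:app
directory=/var/www/flaskapp

; supervisord, started as root by init, switches to this account before
; launching the command, so the Gunicorn master and its workers all run
; as www-data and no part of Gunicorn runs as root.
user=www-data

autostart=true
autorestart=true
stopsignal=TERM
redirect_stderr=true
stdout_logfile=/var/log/supervisor/flaskapp.log
```

After `supervisorctl reread` and `supervisorctl update`, the process list should show every gunicorn process owned by www-data; a master still owned by root means the old init.d service is also running.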