Production Tornado Deployment With Systemd

My favorite Python web framework is Tornado; I've been using it since it was first announced, and think it does a lot of things right. Although Tornado is capable of speaking HTTP directly, the recommended way to deploy Tornado in production is to put a web server like Nginx at the edge, with Nginx proxying to backend Tornado instances. The suggestion is to run multiple Tornado processes on each host, with each process binding on a different port. The "frontend" Nginx process on each host then proxies HTTP requests to these "backend" Tornado workers in a round-robin fashion, using the Nginx proxy_pass directive.

This is all pretty standard, and applies to other many other Python (and Ruby, etc.) frameworks as well. However, the docs don't explain how to actually manage the Tornado worker processes. This is because process management on Linux is a fragmented and divisive issue, and many solutions have appeared over the years. I strongly feel that in 2017 the right way to do manage system services is using Systemd. Regardless of your feelings about the project, it's the de facto standard for managing processes on all modern Linux distributions, and has a lot of really powerful features if used correctly. Ben Darnell (the effective project lead for Tornado) has an example repo on GitHub called tornado-production-skeleton that demonstrates how to deploy Tornado using Supervisor; in this post I'm going to explain how to achieve the same using Systemd.

Deploying A Parameterized Systemd Service

Every Tornado app should have a call to app.listen(), which causes the Tornado web process to actually bind and listen on a given port. You'll need to write your app so that it can accept a listen port somehow; I prefer to do this using a command line flag using the builtin Python argparse module. You can also use the tornado.options module or something else that you find convenient. However, I do recommend that you make this a command line option rather than an environment variable, since it makes debugging easier as you'll be able to tell which worker process is using which port from ps and top. Here's a simple Torando app putting this all together:

import argparse

import tornado.ioloop
import tornado.web

class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write('Hello, world')

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-p', '--port', type=int, default=8000)
    args = parser.parse_args()

    app = tornado.web.Application([(r'/', MainHandler)])
    app.listen(args.port, address='')

I would also package this using a file that declares the app as a "console script". Basically in your file you'll have something that looks like (here assuming the previous "Hello world" web server is available as myapp.web):

from setuptools import find_packages, setup

    author='Evan Klitzke',
        'console_scripts': [
            'myapp-web = myapp.web:main',

In production, we'll install this into a virtualenv. Let's say we have a web user, then the virtualenv might live at /home/web/.env. Running install or develop would then create a file called /home/web/.env/bin/myapp-web which can be run as if it's a stand-alone script to launch the Tornaod worker. Under the hood, this script just activates the virtualenv it's part of before running the specified module/function.

Now we need to create a service file. It should be named web@.service and look something like this:

Description=My HTTP service

ExecStart=/home/web/.env/bin/myapp-web -p %I


The @ symbol in the file the name is important---it instructs Systemd to make this service parameterized. The %I directive in the service file is what passes the parameter to the actual service instance.

You can either install this as a regular system service, or a user service. The regular system service is a bit simpler; you'd copy this file to your Systemd services directory (typically /lib/systemd/system/) and then run sudo systemctl daemon-reload to force Systemd to rescan available units. (At the end of this post I'll cover how to run this as a user service.)

Once this is done, you can enable/start an instance for each port. For instance, if we want to have 8 worker processes listening on ports 8000--8007 you could do:

for port in {8000..8007}; do
  sudo systemctl enable web@"${port}".service
  sudo systemctl start web@"${port}".service

You can then check on the status of an individual worker with a command like systemctl status web@8001 to check the woker using port 8001. Your deployment script just needs to update the code and virtualenv for your service when deploys happen, and then run sudo systemctl restart web@"${port}".service for each port you use.

This is pretty much it---you should be good to go at this point. If you want tighter integration with Systemd you can configure your Python code as a notify service which will let Systemd manage the life cycle of the process more closely, but what I have here should be good enough for most projects. You may also want to set up a Systemd timer unit to run a health check on your service, although in my experience most people in production are using active Nagios health checks in which case you don't need to bother.

User Services

The other option is to deploy the code as a Systemd "user service", which means that the code will be run by a special Systemd process that only manages processes for the web user. By default, such a process is scoped to a user's login session. Since this isn't appropriate for a web service, you can enable Systemd persistence using loginctl to put the web user into "linger" mode:

sudo loginctl enable-linger web

Once this is done, the web user should create the directory ~/.config/systemd/user if it doesn't already exist, and then copy the web@.service file to that directory. If you do this, you must remove the User= line from the service file, otherwise Systemd will fail when execing your porocess.

From this point, the commands are the same as the previous example, except the --user flag has to be used with systemctl. As the web user you'd run something like:

systemctl --user daemon-reload

for port in {8000..8007}; do
  sudo systemctl --user enable web@"${port}".service
  sudo systemctl --user start web@"${port}".service

That's it. There's not any real advantage to using a user service this way, so I would generally recommend using a regular system service.