Forem: Abraham Acha The latest articles on Forem by Abraham Acha (@airfluke). https://forem.com/airfluke https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3898965%2F827010f1-b357-493b-b4a5-ed015705fb07.jpg Forem: Abraham Acha https://forem.com/airfluke en SwiftDeploy: Building a Self-Writing Infrastructure Manager with Policy Enforcement — A Complete Technical Walkthrough Abraham Acha Wed, 06 May 2026 04:01:09 +0000 https://forem.com/airfluke/-swiftdeploy-building-a-self-writing-infrastructure-manager-with-policy-enforcement-a-complete-2klf https://forem.com/airfluke/-swiftdeploy-building-a-self-writing-infrastructure-manager-with-policy-enforcement-a-complete-2klf <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw24xzkqg7dc6kj858311.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw24xzkqg7dc6kj858311.png" alt=" " width="800" height="533"></a></p> <p><em>How I built a CLI tool that generates its own infrastructure configs, manages a full containerised stack, enforces deployment policies through OPA, exposes Prometheus metrics, and produces a live audit trail — all from a single YAML file.</em></p> <h2> Table of Contents </h2> <ol> <li>The Problem We're Solving</li> <li>Architecture Overview</li> <li> Stage 4A — The Engine <ul> <li>The Manifest</li> <li>The Python HTTP Service</li> <li>The Dockerfile</li> <li>The Templates</li> <li>The CLI</li> <li>The Two Deployment Modes</li> </ul> </li> <li> Stage 4B — The Eyes and Brain <ul> <li>Prometheus Metrics</li> <li>OPA Policy Engine</li> <li>Gated Lifecycle</li> <li>The Status Dashboard</li> <li>The Audit Trail</li> </ul> </li> <li>The Debugging Sagas</li> <li>Full Deployment Walkthrough</li> <li>Key Lessons Learned</li> </ol> <h2> The Problem We're Solving {#the-problem} </h2> <p>Every time you spin up a new service in a real DevOps environment, you repeat the same manual work:</p> <ul> <li>Write an Nginx config</li> <li>Write a Docker Compose file</li> <li>Run Docker commands</li> <li>Check if things are healthy</li> <li>Hope nobody deploys when the disk is full</li> <li>Hope nobody promotes a canary that's throwing 60% errors</li> </ul> <p>SwiftDeploy solves all of this. One YAML manifest describes your entire deployment. A CLI tool generates every config file from it, manages the container lifecycle, enforces safety policies before allowing deployments, exposes real-time metrics, and produces a full audit trail.</p> <p><strong>The golden rule: the manifest is the single source of truth. Everything else is generated.</strong></p> <h2> Architecture Overview {#architecture} </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────────┐ │ SwiftDeploy — Full System Architecture │ ├──────────────────┬──────────────────────────────────────┬───────────────────┤ │ ZONE 1 │ ZONE 2 │ ZONE 3 │ │ Operator │ Host Machine / Docker Engine │ Generated Files │ │ │ │ │ │ [Operator] │ ┌─── swiftdeploy-net (bridge) ───┐ │ nginx.conf │ │ │ │ │ │ │ docker-compose │ │ ▼ │ │ [nginx:8080]──────►[app:3000] │ │ history.jsonl │ │ manifest.yaml │ │ PUBLIC INTERNAL │ │ audit_report.md │ │ (source of │ │ │ │ │ │ │ │ truth) │ │ └──[logs vol]─────┘ │ │ │ │ │ │ │ │ │ │ │ ▼ │ │ [opa:8181] │ │ │ │ swiftdeploy │ │ localhost only │ │ │ │ CLI │ │ NOT via nginx ✗ │ │ │ │ ├─ init │ └────────────────────────────────┘ │ │ │ ├─ validate │ │ │ │ ├─ deploy ──────┼──► pre-deploy: OPA infra check │ │ │ ├─ promote ─────┼──► pre-promote: OPA canary check │ │ │ ├─ status ──────┼──► scrapes /metrics every 5s ───────►│ history.jsonl │ │ ├─ audit ───────┼────────────────────────────────────►│ audit_report.md │ │ └─ teardown │ │ │ └──────────────────┴──────────────────────────────────────┴───────────────────┘ </code></pre> </div> <h2> Stage 4A — The Engine {#stage-4a} </h2> <p>Stage 4A is the foundation. It answers one question: <strong>how do you build a tool that writes its own infrastructure configs?</strong></p> <h3> The Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>swiftdeploy/ ├── manifest.yaml ← the ONLY file you edit ├── swiftdeploy ← CLI executable ├── Dockerfile ← app image definition ├── app/ │ └── main.py ← Python HTTP service ├── templates/ │ ├── nginx.conf.tmpl ← nginx template │ └── docker-compose.yml.tmpl ← compose template ├── policies/ ← Stage 4B addition │ ├── infrastructure.rego │ ├── canary.rego │ └── data.json ├── nginx.conf ← generated (gitignored) └── docker-compose.yml ← generated (gitignored) </code></pre> </div> <h3> The Manifest {#the-manifest} </h3> <p><code>manifest.yaml</code> is the brain of the entire system. Every component reads from it directly or via generated files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">swift-deploy-1-node:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">stable</span> <span class="c1"># stable or canary</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">restart_policy</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">log_volume</span><span class="pi">:</span> <span class="s">swiftdeploy-logs</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">proxy_timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">opa</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openpolicyagent/opa:latest-static</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8181</span> <span class="na">network</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">swiftdeploy-net</span> <span class="na">driver_type</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">contact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ops@swiftdeploy.local"</span> </code></pre> </div> <p>Every field propagates through the system. Change <code>nginx.proxy_timeout</code> here and it updates in <code>nginx.conf</code> on the next <code>init</code>. Change <code>services.mode</code> here and the entire deployment mode switches on the next <code>promote</code>.</p> <h3> The Python HTTP Service {#the-python-service} </h3> <p>The app is a from-scratch HTTP server using only Python's stdlib — no Flask, no FastAPI. Three endpoints in Stage 4A, four in Stage 4B.</p> <h4> Configuration from environment </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">MODE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">MODE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stable</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_VERSION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_VERSION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1.0.0</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_PORT</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_PORT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">3000</span><span class="sh">"</span><span class="p">))</span> <span class="n">START_TIME</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> </code></pre> </div> <p>Configuration comes entirely from environment variables injected by Docker Compose at runtime. <code>START_TIME</code> is captured at module load — this is how <code>/healthz</code> calculates uptime without a database.</p> <h4> Thread-safe chaos state </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">chaos_lock</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Lock</span><span class="p">()</span> <span class="n">chaos_state</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">}</span> <span class="k">def</span> <span class="nf">get_chaos</span><span class="p">():</span> <span class="k">with</span> <span class="n">chaos_lock</span><span class="p">:</span> <span class="k">return</span> <span class="nf">dict</span><span class="p">(</span><span class="n">chaos_state</span><span class="p">)</span> <span class="c1"># returns a copy — callers can't mutate internal state </span> <span class="k">def</span> <span class="nf">set_chaos</span><span class="p">(</span><span class="n">state</span><span class="p">):</span> <span class="k">with</span> <span class="n">chaos_lock</span><span class="p">:</span> <span class="n">chaos_state</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">state</span><span class="p">)</span> </code></pre> </div> <p>The <code>Lock</code> prevents race conditions when multiple requests read and write chaos state simultaneously. <code>dict(chaos_state)</code> returns a copy so the caller never holds a reference to the mutable internal dict.</p> <h4> The three Stage 4A endpoints </h4> <p><strong>GET /</strong> — welcome<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Welcome to SwiftDeploy API</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">MODE</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">APP_VERSION</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y-%m-%dT%H:%M:%SZ</span><span class="sh">"</span><span class="p">,</span> <span class="n">time</span><span class="p">.</span><span class="nf">gmtime</span><span class="p">()),</span> <span class="p">})</span> </code></pre> </div> <p><strong>GET /healthz</strong> — liveness check<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">uptime</span> <span class="o">=</span> <span class="nf">round</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">START_TIME</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">MODE</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">APP_VERSION</span><span class="p">,</span> <span class="sh">"</span><span class="s">uptime_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="n">uptime</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>The <code>/healthz</code> endpoint does three jobs: proves the server is alive (Docker healthcheck), reports current mode (so <code>promote</code> can confirm the switch happened), and reports uptime (useful for debugging restart loops).</p> <p><strong>POST /chaos</strong> — chaos injection (canary only)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">MODE</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">chaos endpoint only available in canary mode</span><span class="sh">"</span><span class="p">})</span> <span class="k">return</span> <span class="n">length</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Length</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">rfile</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="n">length</span><span class="p">))</span> <span class="n">mode</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">slow</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">slow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">})</span> <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">)})</span> <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">recover</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">})</span> </code></pre> </div> <p>Reading <code>Content-Length</code> before <code>rfile.read()</code> is mandatory HTTP protocol — otherwise <code>read()</code> blocks forever waiting for data that never arrives.</p> <p>The chaos modes:</p> <ul> <li> <code>slow</code> — injects <code>time.sleep(N)</code> before responding, simulating a slow upstream</li> <li> <code>error</code> — uses <code>random.random() &lt; rate</code> to return 500 on a configurable percentage of requests</li> <li> <code>recover</code> — clears all chaos state, returning to normal behaviour</li> </ul> <h3> The Dockerfile {#the-dockerfile} </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.12-alpine</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> appgroup <span class="o">&amp;&amp;</span> adduser <span class="nt">-S</span> appuser <span class="nt">-G</span> appgroup <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> app/main.py .</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> appuser:appgroup /app <span class="k">USER</span><span class="s"> appuser</span> <span class="k">ENV</span><span class="s"> MODE=stable</span> <span class="k">ENV</span><span class="s"> APP_VERSION=1.0.0</span> <span class="k">ENV</span><span class="s"> APP_PORT=3000</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=10s --timeout=5s --start-period=15s --retries=5 \</span> CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:3000/healthz', timeout=4)" || exit 1 <span class="k">CMD</span><span class="s"> ["python", "main.py"]</span> </code></pre> </div> <p><strong>Why Alpine?</strong> <code>python:3.12-alpine</code> is ~60MB. <code>python:3.12</code> (Debian) is ~1GB. We need under 300MB.</p> <p><strong>Why non-root?</strong> If someone exploits the app, they get a powerless user, not root access to the server.</p> <p><strong>Why Python urllib for the healthcheck?</strong> This was a hard-won lesson. <code>wget</code> couldn't resolve <code>localhost</code> inside Alpine on WSL2 + Docker Desktop — a known network namespace quirk. Python's <code>urllib</code> bypasses the system resolver entirely and connects directly via socket. More reliable, no external tool needed.</p> <h3> The Templates {#the-templates} </h3> <p>Templates are blueprints with <code>{{ placeholder }}</code> values that the CLI replaces with real values from the manifest.</p> <p><strong>nginx.conf.tmpl</strong> key sections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">app_backend</span> <span class="p">{</span> <span class="kn">server</span> <span class="s">app:</span><span class="p">{</span><span class="err">{</span> <span class="kn">service_port</span> <span class="err">}}</span><span class="p">;</span> <span class="kn">keepalive</span> <span class="mi">32</span><span class="p">;</span> <span class="p">}</span> <span class="kn">log_format</span> <span class="s">swiftdeploy</span> <span class="s">'</span><span class="nv">$time_iso8601</span> <span class="s">|</span> <span class="nv">$status</span> <span class="s">|</span> $<span class="p">{</span><span class="kn">request_time</span><span class="err">}</span><span class="s">s</span> <span class="s">|</span> <span class="nv">$upstream_addr</span> <span class="s">|</span> <span class="nv">$request</span><span class="s">'</span><span class="p">;</span> <span class="kn">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="p">{</span><span class="err">{</span> <span class="kn">nginx_port</span> <span class="err">}}</span><span class="p">;</span> <span class="kn">proxy_connect_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Deployed-By</span> <span class="s">swiftdeploy</span> <span class="s">always</span><span class="p">;</span> <span class="kn">proxy_pass_header</span> <span class="s">X-Mode</span><span class="p">;</span> <span class="kn">location</span> <span class="s">@error502</span> <span class="p">{</span> <span class="kn">default_type</span> <span class="nc">application/json</span><span class="p">;</span> <span class="kn">return</span> <span class="mi">502</span> <span class="s">'</span><span class="p">{</span><span class="kn">"error":"Bad</span> <span class="s">Gateway","code":502,"service":"app","contact":"</span><span class="p">{</span><span class="err">{</span> <span class="kn">contact</span> <span class="err">}}</span><span class="s">"</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Design decisions:</p> <ul> <li> <strong>Custom log format</strong> — ISO timestamp, status code, response time, upstream IP, full request on one line</li> <li> <strong>JSON error bodies</strong> — APIs need machine-readable errors, not nginx HTML pages</li> <li> <strong><code>proxy_pass_header X-Mode</code></strong> — nginx strips custom headers by default; this forwards the canary header through to clients</li> <li> <strong><code>keepalive 32</code></strong> — maintains 32 persistent connections to the upstream, reducing connection overhead</li> </ul> <p><strong>docker-compose.yml.tmpl</strong> key sections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">app</span><span class="pi">:</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">service_port</span><span class="nv"> </span><span class="s">}}"</span> <span class="c1"># container-to-container only, NEVER published to host</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">nginx_port</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">nginx_port</span><span class="nv"> </span><span class="s">}}"</span> <span class="c1"># only nginx faces the world</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="c1"># nginx waits for app healthcheck to pass</span> </code></pre> </div> <p>The <code>expose</code> vs <code>ports</code> distinction is a security boundary. <code>expose</code> = container-to-container only. <code>ports</code> = host-facing. The app is never reachable from outside Docker.</p> <h3> The CLI — Five Stage 4A Subcommands {#the-cli} </h3> <h4> The template engine </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">tmpl_path</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">tmpl_path</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">val</span> <span class="ow">in</span> <span class="n">context</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">content</span> <span class="o">=</span> <span class="n">content</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">{{ </span><span class="sh">"</span> <span class="o">+</span> <span class="n">key</span> <span class="o">+</span> <span class="sh">"</span><span class="s"> }}</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">val</span><span class="p">))</span> <span class="k">return</span> <span class="n">content</span> </code></pre> </div> <p>Five lines. No Jinja2. Simple string replacement. The templates are straightforward enough that a minimal custom engine is cleaner than pulling in a dependency.</p> <h4> <code>init</code> — generates everything from the manifest </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_init</span><span class="p">():</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">build_context</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="n">nginx_conf</span> <span class="o">=</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">NGINX_TMPL</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> <span class="n">compose_conf</span> <span class="o">=</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">COMPOSE_TMPL</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">NGINX_OUT</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">nginx_conf</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">COMPOSE_OUT</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">compose_conf</span><span class="p">)</span> </code></pre> </div> <p>The grader deletes generated files and re-runs <code>init</code> to verify regeneration. Because we built it correctly, this is a non-issue.</p> <h4> <code>validate</code> — five pre-flight checks </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Check 1: manifest.yaml exists and is valid YAML # Check 2: all required fields present and non-empty # Check 3: docker image inspect — exits 0 if exists # Check 4: ss -tlnp | grep :8080 — non-empty means port in use # Check 5: nginx -t via isolated Docker container </span></code></pre> </div> <p>Check 5 is the most interesting. We run <code>nginx -t</code> in a temporary container — validating syntax without needing nginx installed on the host. But we hit a complication: <code>app:3000</code> (the upstream hostname) can't be resolved in an isolated container. Fix: swap <code>server app:</code> with <code>server 127.0.0.1:</code> in a temp copy before testing. Actual <code>nginx.conf</code> on disk is untouched.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">test_content</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">server app:</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">server 127.0.0.1:</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h4> <code>deploy</code> — brings up the stack and blocks until healthy </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">deadline</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">60</span> <span class="k">while</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">&lt;</span> <span class="n">deadline</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">http://localhost:</span><span class="si">{</span><span class="n">nginx_port</span><span class="si">}</span><span class="s">/healthz</span><span class="sh">"</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="k">as</span> <span class="n">resp</span><span class="p">:</span> <span class="k">if</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">()).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="n">healthy</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># container still starting — connection refused is normal </span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </code></pre> </div> <p><code>docker compose up -d</code> returns as soon as containers are created, not when they're healthy. The polling loop tries <code>/healthz</code> every 2 seconds for 60 seconds. Only <code>{"status": "ok"}</code> breaks the loop.</p> <h4> <code>promote</code> — rolling restart with zero nginx downtime </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 1. Update manifest in-place </span><span class="n">content</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">(mode:\s*)(\S+)</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\\</span><span class="s">g&lt;1&gt;</span><span class="si">{</span><span class="n">target_mode</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="p">,</span> <span class="n">count</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># 2. Regenerate docker-compose.yml with new MODE env var </span> <span class="c1"># 3. Restart ONLY the app container — nginx stays up </span><span class="nf">run</span><span class="p">(</span><span class="nf">compose_cmd</span><span class="p">(</span><span class="sh">"</span><span class="s">up -d --no-deps app</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># 4. Confirm mode via /healthz </span></code></pre> </div> <p><code>--no-deps</code> is the key — it tells Compose to restart only the <code>app</code> service without touching <code>nginx</code>. Zero proxy downtime during the switch.</p> <h3> The Two Deployment Modes {#deployment-modes} </h3> <p><strong>Stable mode</strong> — normal production behaviour. Clean responses. No special headers. <code>/chaos</code> returns 403.</p> <p><strong>Canary mode</strong> — test mode before full rollout:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">MODE</span> <span class="o">==</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Mode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># on EVERY response </span></code></pre> </div> <p>Canary mode:</p> <ul> <li>Adds <code>X-Mode: canary</code> to every response — callers can identify which mode they're hitting</li> <li>Unlocks <code>/chaos</code> — lets you simulate slow responses, random errors, then recover</li> <li>You promote with <code>./swiftdeploy promote canary</code>, stress test, then <code>./swiftdeploy promote stable</code> to roll back</li> </ul> <h2> Stage 4B — The Eyes and The Brain {#stage-4b} </h2> <p>Stage 4A built the engine. Stage 4B adds observability and policy enforcement. The stack now has <strong>eyes</strong> (metrics), a <strong>brain</strong> (OPA policies), and <strong>memory</strong> (audit trail).</p> <h3> Prometheus Metrics — The Eyes {#prometheus-metrics} </h3> <p>The app gains a <code>/metrics</code> endpoint exposing five metric types in Prometheus text format.</p> <h4> Tracking infrastructure </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Counter: {(method, path, status_code): count} </span><span class="n">request_counts</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># Histogram state per path </span><span class="n">HISTOGRAM_BUCKETS</span> <span class="o">=</span> <span class="p">[</span><span class="mf">0.005</span><span class="p">,</span> <span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.025</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.25</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">,</span> <span class="mf">2.5</span><span class="p">,</span> <span class="mf">5.0</span><span class="p">,</span> <span class="mf">10.0</span><span class="p">]</span> <span class="n">request_durations</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">def</span> <span class="nf">record_request</span><span class="p">(</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">status_code</span><span class="p">,</span> <span class="n">duration_seconds</span><span class="p">):</span> <span class="k">with</span> <span class="n">metrics_lock</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="p">(</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">status_code</span><span class="p">))</span> <span class="n">request_counts</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="n">request_counts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">path</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">request_durations</span><span class="p">:</span> <span class="n">request_durations</span><span class="p">[</span><span class="n">path</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">buckets</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="nf">str</span><span class="p">(</span><span class="n">le</span><span class="p">):</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">le</span> <span class="ow">in</span> <span class="n">HISTOGRAM_BUCKETS</span><span class="p">},</span> <span class="sh">"</span><span class="s">sum</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.0</span><span class="p">,</span> <span class="sh">"</span><span class="s">count</span><span class="sh">"</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">}</span> <span class="n">hist</span> <span class="o">=</span> <span class="n">request_durations</span><span class="p">[</span><span class="n">path</span><span class="p">]</span> <span class="n">hist</span><span class="p">[</span><span class="sh">"</span><span class="s">sum</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="n">duration_seconds</span> <span class="n">hist</span><span class="p">[</span><span class="sh">"</span><span class="s">count</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">for</span> <span class="n">le</span> <span class="ow">in</span> <span class="n">HISTOGRAM_BUCKETS</span><span class="p">:</span> <span class="k">if</span> <span class="n">duration_seconds</span> <span class="o">&lt;=</span> <span class="n">le</span><span class="p">:</span> <span class="n">hist</span><span class="p">[</span><span class="sh">"</span><span class="s">buckets</span><span class="sh">"</span><span class="p">][</span><span class="nf">str</span><span class="p">(</span><span class="n">le</span><span class="p">)]</span> <span class="o">+=</span> <span class="mi">1</span> </code></pre> </div> <p><code>record_request()</code> is called after every request regardless of path — timing wraps the entire handler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">do_GET</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">start</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">path</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">?</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="n">status</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_handle_get</span><span class="p">()</span> <span class="nf">record_request</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start</span><span class="p">)</span> </code></pre> </div> <h4> The five metrics </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 1. http_requests_total — counter, labels: method, path, status_code # 2. http_request_duration_seconds — histogram with standard buckets # 3. app_uptime_seconds — gauge # 4. app_mode — gauge: 0=stable, 1=canary # 5. chaos_active — gauge: 0=none, 1=slow, 2=error </span></code></pre> </div> <h4> The /metrics output </h4> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="c"># HELP http_requests_total Total number of HTTP requests</span> <span class="c"># TYPE http_requests_total counter</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">42</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/healthz"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">60</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"500"</span><span class="p">}</span> <span class="mi">38</span> <span class="c"># HELP http_request_duration_seconds HTTP request latency in seconds</span> <span class="c"># TYPE http_request_duration_seconds histogram</span> <span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">le</span><span class="o">=</span><span class="s2">"0.005"</span><span class="p">}</span> <span class="mi">40</span> <span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">le</span><span class="o">=</span><span class="s2">"+Inf"</span><span class="p">}</span> <span class="mi">80</span> <span class="n">http_request_duration_seconds_sum</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">}</span> <span class="mf">0.042381</span> <span class="n">http_request_duration_seconds_count</span><span class="p">{</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">}</span> <span class="mi">80</span> <span class="c"># HELP app_mode Current deployment mode (0=stable, 1=canary)</span> <span class="c"># TYPE app_mode gauge</span> <span class="n">app_mode</span> <span class="mi">1</span> <span class="c"># HELP chaos_active Current chaos state (0=none, 1=slow, 2=error)</span> <span class="c"># TYPE chaos_active gauge</span> <span class="n">chaos_active</span> <span class="mi">2</span> </code></pre> </div> <h3> OPA Policy Engine — The Brain {#opa-policy-engine} </h3> <p>Open Policy Agent is a dedicated container whose only job is making allow/deny decisions based on rules written in Rego. The core principle: <strong>the CLI never makes allow/deny decisions itself. All decision logic lives exclusively in OPA.</strong></p> <h4> Why OPA instead of if/else in the CLI? </h4> <p>If the policy logic lives in the CLI, changing a threshold means editing Python code, rebuilding, redeploying. With OPA, you edit <code>data.json</code>, restart the OPA container, and the new threshold is live. Policy as code, not policy as application logic.</p> <h4> data.json — thresholds live here, never hardcoded in Rego </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"thresholds"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_disk_free_gb"</span><span class="p">:</span><span class="w"> </span><span class="mf">10.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_cpu_load"</span><span class="p">:</span><span class="w"> </span><span class="mf">2.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"min_mem_free_percent"</span><span class="p">:</span><span class="w"> </span><span class="mf">10.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_error_rate_percent"</span><span class="p">:</span><span class="w"> </span><span class="mf">1.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_p99_latency_ms"</span><span class="p">:</span><span class="w"> </span><span class="mf">500.0</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> infrastructure.rego — pre-deploy policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">infrastructure</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">if</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">contains</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">disk_ok</span> <span class="n">cpu_ok</span> <span class="n">mem_ok</span> <span class="p">}</span> <span class="n">disk_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span> <span class="o">&gt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">min_disk_free_gb</span> <span class="p">}</span> <span class="n">cpu_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">cpu_load_1m</span> <span class="o">&lt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_cpu_load</span> <span class="p">}</span> <span class="n">mem_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">mem_free_percent</span> <span class="o">&gt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">min_mem_free_percent</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"disk_free_gb is %.1f, minimum required is %.1f"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">min_disk_free_gb</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="c1"># decision is what the CLI reads — never a bare boolean</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"infrastructure"</span><span class="p">,</span> <span class="s2">"checked"</span><span class="o">:</span> <span class="p">{</span> <span class="s2">"disk_free_gb"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="s2">"cpu_load_1m"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">cpu_load_1m</span><span class="p">,</span> <span class="s2">"mem_free_percent"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">mem_free_percent</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why <code>import future.keywords</code>?</strong> The <code>openpolicyagent/opa:latest-static</code> image uses Rego v1 which requires explicit <code>if</code> and <code>contains</code> keywords. Without these imports, OPA crashes on startup. This was discovered the hard way during testing.</p> <h4> canary.rego — pre-promote policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">canary</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">if</span> <span class="ow">import</span> <span class="n">future</span><span class="p">.</span><span class="n">keywords</span><span class="p">.</span><span class="n">contains</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">error_rate_ok</span> <span class="n">latency_ok</span> <span class="p">}</span> <span class="n">error_rate_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span> <span class="o">&lt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_error_rate_percent</span> <span class="p">}</span> <span class="n">latency_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">p99_latency_ms</span> <span class="o">&lt;=</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_p99_latency_ms</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">error_rate_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"error_rate is %.2f%%, maximum allowed is %.2f%%"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">thresholds</span><span class="p">.</span><span class="n">max_error_rate_percent</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"canary"</span><span class="p">,</span> <span class="s2">"checked"</span><span class="o">:</span> <span class="p">{</span> <span class="s2">"error_rate_percent"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">error_rate_percent</span><span class="p">,</span> <span class="s2">"p99_latency_ms"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">p99_latency_ms</span><span class="p">,</span> <span class="s2">"window_seconds"</span><span class="o">:</span> <span class="n">input</span><span class="p">.</span><span class="n">window_seconds</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h4> OPA isolation — no leakage via nginx </h4> <p>In <code>docker-compose.yml.tmpl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">opa</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:{{</span><span class="nv"> </span><span class="s">opa_port</span><span class="nv"> </span><span class="s">}}:8181"</span> <span class="c1"># localhost only — never 0.0.0.0</span> </code></pre> </div> <p><code>127.0.0.1:8181</code> means only the host machine can reach OPA. The nginx container on port 8080 has no route to OPA. This is enforced at the Docker network binding level, not just convention.</p> <h4> The policy query function </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">query_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="n">package</span><span class="p">,</span> <span class="n">input_data</span><span class="p">):</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="nf">opa_url</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span><span class="si">}</span><span class="s">/v1/data/</span><span class="si">{</span><span class="n">package</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/</span><span class="sh">'</span><span class="p">)</span><span class="si">}</span><span class="s">/decision</span><span class="sh">"</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="n">input_data</span><span class="p">}).</span><span class="nf">encode</span><span class="p">()</span> <span class="k">try</span><span class="p">:</span> <span class="n">req</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nc">Request</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="n">method</span><span class="o">=</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="k">as</span> <span class="n">resp</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">())</span> <span class="n">result</span> <span class="o">=</span> <span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">result</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">OPA returned empty result — check policy package name</span><span class="sh">"</span> <span class="k">return</span> <span class="n">result</span><span class="p">,</span> <span class="bp">None</span> <span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">URLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">OPA unreachable: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">OPA query failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>Every distinct failure mode returns a different error string. The CLI never crashes or hangs when OPA is unavailable — it warns and fails open. This is intentional: you don't want OPA unavailability to block emergency deployments.</p> <h3> Gated Lifecycle — The CLI Brain {#gated-lifecycle} </h3> <h4> Pre-deploy check </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_deploy</span><span class="p">():</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="n">host_stats</span> <span class="o">=</span> <span class="nf">get_host_stats</span><span class="p">()</span> <span class="c1"># Collect host stats </span> <span class="n">disk_free_gb</span> <span class="o">=</span> <span class="n">shutil</span><span class="p">.</span><span class="nf">disk_usage</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">).</span><span class="n">free</span> <span class="o">/</span> <span class="p">(</span><span class="mi">1024</span> <span class="o">**</span> <span class="mi">3</span><span class="p">)</span> <span class="n">cpu_load_1m</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">/proc/loadavg</span><span class="sh">"</span><span class="p">).</span><span class="nf">read</span><span class="p">().</span><span class="nf">split</span><span class="p">()[</span><span class="mi">0</span><span class="p">])</span> <span class="n">mem_free_percent</span> <span class="o">=</span> <span class="p">(</span><span class="n">meminfo</span><span class="p">[</span><span class="sh">"</span><span class="s">MemAvailable</span><span class="sh">"</span><span class="p">]</span> <span class="o">/</span> <span class="n">meminfo</span><span class="p">[</span><span class="sh">"</span><span class="s">MemTotal</span><span class="sh">"</span><span class="p">])</span> <span class="o">*</span> <span class="mi">100</span> <span class="c1"># Send to OPA </span> <span class="n">allowed</span> <span class="o">=</span> <span class="nf">enforce_policy</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.infrastructure</span><span class="sh">"</span><span class="p">,</span> <span class="n">host_stats</span><span class="p">,</span> <span class="sh">"</span><span class="s">infrastructure</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">allowed</span><span class="p">:</span> <span class="nf">append_history</span><span class="p">({</span><span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">deploy_blocked</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">infrastructure_policy</span><span class="sh">"</span><span class="p">})</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="c1"># Only reach here if OPA allows </span> <span class="nf">run</span><span class="p">(</span><span class="nf">compose_cmd</span><span class="p">(</span><span class="sh">"</span><span class="s">up -d --build</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <p>If the disk is full, OPA returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ✘ Policy [infrastructure] DENIED ! disk_free_gb is 8.2, minimum required is 10.0 Deployment blocked by policy: infrastructure </code></pre> </div> <h4> Pre-promote check </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_promote</span><span class="p">(</span><span class="n">target_mode</span><span class="p">):</span> <span class="k">if</span> <span class="n">target_mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">raw</span> <span class="o">=</span> <span class="nf">scrape_metrics</span><span class="p">(</span><span class="n">nginx_port</span><span class="p">)</span> <span class="n">metrics</span> <span class="o">=</span> <span class="nf">parse_prometheus</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="n">error_rate</span> <span class="o">=</span> <span class="nf">calculate_error_rate</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="n">p99_ms</span> <span class="o">=</span> <span class="nf">calculate_p99_latency_ms</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="n">allowed</span> <span class="o">=</span> <span class="nf">enforce_policy</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.canary</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error_rate_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">error_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">p99_ms</span><span class="p">,</span> <span class="sh">"</span><span class="s">window_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="mi">30</span><span class="p">},</span> <span class="sh">"</span><span class="s">canary safety</span><span class="sh">"</span> <span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">allowed</span><span class="p">:</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </code></pre> </div> <h4> P99 latency calculation from histogram </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">calculate_p99_latency_ms</span><span class="p">(</span><span class="n">metrics</span><span class="p">,</span> <span class="n">path_filter</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">buckets</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">total_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">metrics</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">http_request_duration_seconds_bucket</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="n">le</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">labels</span><span class="sh">"</span><span class="p">].</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">le</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="n">le</span> <span class="o">==</span> <span class="sh">"</span><span class="s">+Inf</span><span class="sh">"</span><span class="p">:</span> <span class="n">total_count</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">total_count</span><span class="p">,</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">])</span> <span class="k">continue</span> <span class="n">buckets</span><span class="p">[</span><span class="nf">float</span><span class="p">(</span><span class="n">le</span><span class="p">)]</span> <span class="o">=</span> <span class="n">buckets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nf">float</span><span class="p">(</span><span class="n">le</span><span class="p">),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="n">total_count</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="n">p99_threshold</span> <span class="o">=</span> <span class="n">total_count</span> <span class="o">*</span> <span class="mf">0.99</span> <span class="k">for</span> <span class="n">le</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">buckets</span><span class="p">.</span><span class="nf">keys</span><span class="p">()):</span> <span class="k">if</span> <span class="n">buckets</span><span class="p">[</span><span class="n">le</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="n">p99_threshold</span><span class="p">:</span> <span class="k">return</span> <span class="nf">round</span><span class="p">(</span><span class="n">le</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="c1"># seconds → milliseconds </span> <span class="k">return</span> <span class="mf">10000.0</span> </code></pre> </div> <p>P99 means: the smallest histogram bucket where 99% of requests have completed. If 99 out of 100 requests finished within 250ms, P99 = 250ms.</p> <h3> The Status Dashboard — The Eyes {#status-dashboard} </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_status</span><span class="p">():</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">raw</span> <span class="o">=</span> <span class="nf">scrape_metrics</span><span class="p">(</span><span class="n">nginx_port</span><span class="p">)</span> <span class="n">metrics</span> <span class="o">=</span> <span class="nf">parse_prometheus</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="n">error_rate</span> <span class="o">=</span> <span class="nf">calculate_error_rate</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="n">p99_ms</span> <span class="o">=</span> <span class="nf">calculate_p99_latency_ms</span><span class="p">(</span><span class="n">metrics</span><span class="p">)</span> <span class="c1"># Query OPA for live compliance </span> <span class="n">infra_dec</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">query_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.infrastructure</span><span class="sh">"</span><span class="p">,</span> <span class="nf">get_host_stats</span><span class="p">())</span> <span class="n">canary_dec</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">query_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy.canary</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error_rate_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">error_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">p99_ms</span><span class="p">,</span> <span class="sh">"</span><span class="s">window_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="mi">30</span><span class="p">})</span> <span class="n">os</span><span class="p">.</span><span class="nf">system</span><span class="p">(</span><span class="sh">"</span><span class="s">clear</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ... render dashboard ... </span> <span class="nf">append_history</span><span class="p">({</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">status_scrape</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error_rate_percent</span><span class="sh">"</span><span class="p">:</span> <span class="n">error_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">p99_ms</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">mode_str</span><span class="p">,</span> <span class="sh">"</span><span class="s">chaos</span><span class="sh">"</span><span class="p">:</span> <span class="n">chaos_str</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy_infra_pass</span><span class="sh">"</span><span class="p">:</span> <span class="n">infra_dec</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">infra_dec</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy_canary_pass</span><span class="sh">"</span><span class="p">:</span> <span class="n">canary_dec</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">canary_dec</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="p">})</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> </code></pre> </div> <p>What the dashboard looks like with chaos active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> SwiftDeploy Status Dashboard 2026-05-05T21:00:37Z ──────────────────────────────────────────────── ── Throughput ────────────────────────────────── req/s : 2.4 error rate : 56.45% ← red P99 latency : 5.0ms ── App State ─────────────────────────────────── mode : canary chaos : error ← red uptime : 316s ── Policy Compliance ─────────────────────────── ✔ infrastructure PASS ✘ canary FAIL ! error_rate is 56.45%, maximum allowed is 1.00% Refreshing every 5s — Ctrl+C to exit </code></pre> </div> <p>This is exactly what real SRE dashboards do — they show you the current state AND whether it violates policy in real time.</p> <h3> The Audit Trail — The Memory {#audit-trail} </h3> <p>Every event appends a JSON line to <code>history.jsonl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"timestamp":"2026-05-05T20:34:51Z","event":"deploy","mode":"stable"} {"timestamp":"2026-05-05T20:55:22Z","event":"promote","target_mode":"canary"} {"timestamp":"2026-05-05T20:55:23Z","event":"status_scrape","error_rate_percent":62.5,"chaos":"error","policy_canary_pass":false} {"timestamp":"2026-05-05T21:01:01Z","event":"promote","target_mode":"stable"} </code></pre> </div> <p><code>swiftdeploy audit</code> reads this file and generates <code>audit_report.md</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Mode Changes</span> | Timestamp | From | To | |-----------|------|----| | 2026-05-05T20:34:51Z | unknown | stable | | 2026-05-05T20:55:22Z | stable | canary | | 2026-05-05T21:01:01Z | canary | stable | <span class="gu">## Policy Violations</span> | Timestamp | Infrastructure | Canary | Error Rate | P99 | |-----------|---------------|--------|------------|-----| | 2026-05-05T20:55:23Z | ✔ PASS | ✘ FAIL | 62.5% | 5.0ms | | 2026-05-05T20:55:28Z | ✔ PASS | ✘ FAIL | 63.6% | 5.0ms | </code></pre> </div> <p>This report renders perfectly as GitHub Flavored Markdown — every table, every checkmark, every timestamp.</p> <h2> The Debugging Sagas {#debugging} </h2> <p>No real DevOps project ships without war stories. Here are the ones that taught the most.</p> <h3> Saga 1 — Six layers of healthcheck failure </h3> <p>The app container kept showing <code>unhealthy</code> despite the server running fine. The debugging sequence:</p> <p><strong>Failure 1:</strong> <code>${APP_PORT}</code> doesn't expand in Dockerfile HEALTHCHECK CMD. Env vars evaluate at build time, not runtime. Fixed by hardcoding <code>3000</code>.</p> <p><strong>Failure 2:</strong> <code>localhost</code> doesn't resolve inside Alpine's healthcheck context on WSL2 + Docker Desktop. Fixed by using <code>127.0.0.1</code>.</p> <p><strong>Failure 3:</strong> <code>wget</code> with <code>127.0.0.1</code> still failed. Confirmed the server WAS listening:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>swiftdeploy-app ss <span class="nt">-tlnp</span> <span class="c"># tcp LISTEN 0.0.0.0:3000</span> docker <span class="nb">exec </span>swiftdeploy-app python <span class="nt">-c</span> <span class="s2">"import urllib.request; print(urllib.request.urlopen('http://127.0.0.1:3000/healthz').read())"</span> <span class="c"># b'{"status": "ok", ...}' ← works via exec, not via healthcheck</span> </code></pre> </div> <p>This is a known WSL2 + Docker Desktop network namespace issue. Fixed by using Python's <code>urllib</code> instead of <code>wget</code>.</p> <p><strong>Failure 4:</strong> Docker cache was serving the old image despite the Dockerfile fix. Fixed with <code>--no-cache</code>.</p> <p><strong>Failure 5:</strong> The <code>docker-compose.yml</code> template had its own <code>healthcheck</code> block overriding the Dockerfile. <strong>Docker Compose healthcheck always wins.</strong> Fixed the template too.</p> <p><strong>Failure 6:</strong> The healthcheck YAML block had 3 spaces indent instead of 4. A single space difference caused a YAML parse error. Fixed by carefully rewriting the block.</p> <h3> Saga 2 — OPA Rego v1 syntax </h3> <p>The <code>openpolicyagent/opa:latest-static</code> image enforces strict Rego v1 syntax. Our policies used the older syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="c1"># OLD — crashes on latest OPA</span> <span class="n">allow</span> <span class="p">{</span> <span class="n">disk_ok</span> <span class="p">}</span> <span class="n">reasons</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="s2">"..."</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="c1"># NEW — Rego v1 required syntax</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">disk_ok</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="s2">"..."</span> <span class="p">}</span> </code></pre> </div> <p>Without <code>import future.keywords.if</code> and <code>import future.keywords.contains</code> at the top of each file, OPA refuses to start.</p> <h3> Saga 3 — WSL2 path spaces breaking docker run </h3> <p>The project lived at <code>/mnt/c/Users/RAZER BLADE/Desktop/HNG/hng-swiftdeploy</code>. The space in <code>RAZER BLADE</code> caused <code>docker run -v {path}:...</code> to split the path at the space, making Docker interpret the second half as an image name.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">docker: invalid reference format: repository name (Desktop/HNG/hng-swiftdeploy/nginx.conf) must be lowercase </span></code></pre> </div> <p>Fixed by quoting all paths containing the project directory and using <code>subprocess.run</code> with a list instead of <code>shell=True</code> to avoid shell word-splitting entirely.</p> <h2> Full Deployment Walkthrough {#deployment} </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Build the image</span> docker build <span class="nt">-t</span> swift-deploy-1-node:latest <span class="nb">.</span> <span class="c"># 2. Validate pre-flight checks</span> ./swiftdeploy validate <span class="c"># 3. Deploy (OPA policy check runs first)</span> ./swiftdeploy deploy <span class="c"># 4. Verify metrics</span> curl http://localhost:8080/metrics <span class="c"># 5. Verify OPA isolation</span> curl http://127.0.0.1:8181/health <span class="c"># works — internal</span> curl http://localhost:8080/v1/data <span class="c"># 404 — nginx blocks it</span> <span class="c"># 6. Launch status dashboard</span> ./swiftdeploy status <span class="c"># 7. Promote to canary (OPA canary policy check runs first)</span> ./swiftdeploy promote canary <span class="c"># 8. Inject chaos</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "error", "rate": 0.5}'</span> <span class="c"># 9. Watch status dashboard catch it — canary policy FAIL visible in real time</span> <span class="c"># 10. Recover</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "recover"}'</span> <span class="c"># 11. Promote back to stable</span> ./swiftdeploy promote stable <span class="c"># 12. Generate audit report</span> ./swiftdeploy audit <span class="nb">cat </span>audit_report.md <span class="c"># 13. Teardown</span> ./swiftdeploy teardown <span class="nt">--clean</span> </code></pre> </div> <h2> Key Lessons Learned {#lessons} </h2> <p><strong>1. Docker Compose healthcheck overrides Dockerfile HEALTHCHECK.</strong> Always check both places when healthchecks misbehave. Compose wins every time.</p> <p><strong>2. WSL2 has a different network namespace for healthchecks than for <code>docker exec</code>.</strong> If something works via <code>exec</code> but not via healthcheck, it's almost certainly a tool or network namespace issue. Python's stdlib is more portable than <code>wget</code> in this environment.</p> <p><strong>3. OPA Rego v1 requires explicit keywords.</strong> <code>latest-static</code> means the latest OPA — which enforces Rego v1 syntax. Always <code>import future.keywords.if</code> and <code>import future.keywords.contains</code>.</p> <p><strong>4. <code>expose</code> vs <code>ports</code> is a security boundary, not documentation.</strong> <code>expose</code> = container-to-container only. <code>ports</code> = host-facing. Binding OPA to <code>127.0.0.1</code> enforces isolation at the network level.</p> <p><strong>5. The CLI should never make policy decisions.</strong> Every time you add an if/else for a deployment condition in the CLI, you're doing OPA's job badly. Push all allow/deny logic into Rego. The CLI's job is to collect data and surface decisions.</p> <p><strong>6. P99 latency is more useful than average.</strong> An average latency of 10ms can hide the fact that 1 in 100 requests takes 5 seconds. P99 exposes that tail. Always instrument histograms, not just averages.</p> <p><strong>7. Declarative infrastructure pays off immediately.</strong> The grader deletes generated files and re-runs <code>init</code>. Because the manifest is always there and regeneration is instantaneous, this is a non-issue. Manual configs would have been a problem.</p> <p><strong>8. An audit trail is not optional.</strong> <code>history.jsonl</code> made it trivial to answer "when did chaos start?", "which policy was failing?", "how long was the canary running before we promoted?" These questions matter in production incidents.</p> <h2> Conclusion </h2> <p>SwiftDeploy started as a task requirement and became a complete mental model for how modern deployment tooling works. Every major concept is here:</p> <ul> <li> <strong>Declarative infrastructure</strong> — describe what you want, generate everything else</li> <li> <strong>Immutable configs</strong> — generated files are outputs, never inputs</li> <li> <strong>Policy as code</strong> — OPA enforces safety standards that can't be bypassed</li> <li> <strong>Observability</strong> — Prometheus metrics feed the dashboard and the policy engine</li> <li> <strong>Audit trail</strong> — every event recorded, every violation surfaced</li> </ul> <p>The combination of Stage 4A and 4B forms a complete deployment lifecycle: generate → validate → deploy (gated) → promote (gated) → observe → audit → tear down.</p> <p>The full source code is available at: <strong><a href="https://github.com/AirFluke/hng-swiftdeploy" rel="noopener noreferrer">https://github.com/AirFluke/hng-swiftdeploy</a></strong></p> <p><em>Tags: #devops #docker #nginx #python #opa #prometheus #infrastructure #hng</em></p> automation devops python tutorial SwiftDeploy: Building a Declarative Infrastructure Manager from Scratch; A Complete Technical Walkthrough Abraham Acha Sun, 03 May 2026 17:27:03 +0000 https://forem.com/airfluke/swiftdeploy-building-a-declarative-infrastructure-manager-from-scratch-a-complete-technical-39c6 https://forem.com/airfluke/swiftdeploy-building-a-declarative-infrastructure-manager-from-scratch-a-complete-technical-39c6 <p><em>How I built a CLI tool that generates, manages, and monitors a full containerised stack from a single YAML manifest — and everything that broke along the way.</em></p> <h2> Introduction </h2> <p>Most DevOps tasks ask you to configure infrastructure manually. You write an Nginx config. You write a Docker Compose file. You run commands. You check if things are healthy. You repeat this every time you spin up a new service.</p> <p>SwiftDeploy flips that script entirely.</p> <p>The premise is simple but powerful: <strong>one YAML file describes your entire deployment, and a CLI tool derives everything else from it.</strong> No handwritten Nginx configs. No manually crafted Docker Compose files. No guessing at container states. You edit the manifest, you run the CLI, and your stack is live.</p> <p>This article is a complete technical walkthrough of how I built SwiftDeploy for the HNG DevOps Internship Stage 4A task — covering the architecture, every component, every design decision, the bugs I hit (including a particularly nasty WSL2 healthcheck issue), and the debugging process that resolved them.</p> <p>By the end, you'll understand:</p> <ul> <li>How to build a declarative infrastructure tool from scratch</li> <li>How template-based config generation works</li> <li>How to write a multi-subcommand Python CLI</li> <li>How Docker healthchecks work and why they fail in unexpected ways</li> <li>How nginx reverse proxying, canary deployments, and chaos engineering fit together</li> </ul> <p>Let's get into it.</p> <h2> The Architecture </h2> <p>Before writing a single line of code, I mapped out how the pieces would connect.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>You (the human) │ │ edit only this ▼ manifest.yaml ─────────────────────────────────────┐ │ ▼ swiftdeploy (CLI) │ ┌───────────────────────────┤ │ │ ▼ ▼ nginx.conf docker-compose.yml (generated file) (generated file) │ │ └──────────────┬────────────┘ │ ▼ Docker starts 2 containers │ ┌──────────────┴──────────────┐ │ │ ▼ ▼ [nginx container] [app container] port 8080 (public) port 3000 (private) │ │ └──── nginx proxies ──────────┘ Internet → port 8080 → nginx → port 3000 → Python app </code></pre> </div> <p>The key architectural decisions:</p> <ol> <li><p><strong>The manifest is the single source of truth.</strong> Everything — nginx timeouts, container ports, network names, deployment mode — lives in <code>manifest.yaml</code>. The CLI reads it and generates everything else.</p></li> <li><p><strong>The app is never exposed directly.</strong> All traffic flows through nginx on port 8080. The app container only uses <code>expose</code> (internal Docker network), never <code>ports</code> (host-facing).</p></li> <li><p><strong>Generated files are gitignored.</strong> <code>nginx.conf</code> and <code>docker-compose.yml</code> are outputs, not inputs. They're always regeneratable from the manifest. The grader tests this explicitly — deleting generated files and re-running <code>init</code>.</p></li> <li><p><strong>The CLI is self-contained.</strong> One executable Python script, no framework, handles five subcommands.</p></li> </ol> <h2> The Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>swiftdeploy/ ├── manifest.yaml ← the ONLY file you edit ├── swiftdeploy ← CLI executable ├── Dockerfile ← app image definition ├── app/ │ └── main.py ← Python HTTP service ├── templates/ │ ├── nginx.conf.tmpl ← nginx template │ └── docker-compose.yml.tmpl ← compose template ├── nginx.conf ← generated by init (gitignored) ├── docker-compose.yml ← generated by init (gitignored) ├── .gitignore └── README.md </code></pre> </div> <h2> Component 1: The Manifest </h2> <p><code>manifest.yaml</code> is the brain of the entire system. Every other component reads from it either directly or via the generated files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">swift-deploy-1-node:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">stable</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">restart_policy</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">log_volume</span><span class="pi">:</span> <span class="s">swiftdeploy-logs</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">proxy_timeout</span><span class="pi">:</span> <span class="m">30</span> <span class="na">network</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">swiftdeploy-net</span> <span class="na">driver_type</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">contact</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ops@swiftdeploy.local"</span> </code></pre> </div> <p>The design intention is that this reads like infrastructure-as-documentation. You can look at this file and understand the entire deployment without reading a single generated config.</p> <h3> What each field controls </h3> <ul> <li> <code>services.mode</code> — controls whether the app runs in <code>stable</code> or <code>canary</code> mode. The CLI's <code>promote</code> subcommand updates this in-place.</li> <li> <code>nginx.proxy_timeout</code> — propagates into the nginx config as <code>proxy_connect_timeout</code>, <code>proxy_send_timeout</code>, and <code>proxy_read_timeout</code>.</li> <li> <code>contact</code> — injected into nginx's custom JSON error bodies for 502/503/504 responses.</li> <li> <code>log_volume</code> — a named Docker volume shared between the app container and nginx, so both write logs to the same persistent location.</li> </ul> <h2> Component 2: The Python HTTP Service </h2> <p>The app is a from-scratch HTTP server built on Python's <code>http.server</code> stdlib — no Flask, no FastAPI, no external dependencies. This keeps the Docker image small and the container startup fast.</p> <h3> The server setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">random</span> <span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">http.server</span> <span class="kn">import</span> <span class="n">HTTPServer</span><span class="p">,</span> <span class="n">BaseHTTPRequestHandler</span> <span class="n">MODE</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">MODE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stable</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_VERSION</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_VERSION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1.0.0</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_PORT</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">APP_PORT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">3000</span><span class="sh">"</span><span class="p">))</span> <span class="n">START_TIME</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> </code></pre> </div> <p>Configuration comes entirely from environment variables injected by Docker Compose at runtime. The defaults exist only as fallbacks for local development.</p> <p><code>START_TIME</code> is captured at module load — this is how <code>/healthz</code> calculates uptime without a database or external state store.</p> <h3> Thread-safe chaos state </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">chaos_lock</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Lock</span><span class="p">()</span> <span class="n">chaos_state</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">}</span> <span class="k">def</span> <span class="nf">get_chaos</span><span class="p">():</span> <span class="k">with</span> <span class="n">chaos_lock</span><span class="p">:</span> <span class="k">return</span> <span class="nf">dict</span><span class="p">(</span><span class="n">chaos_state</span><span class="p">)</span> <span class="k">def</span> <span class="nf">set_chaos</span><span class="p">(</span><span class="n">state</span><span class="p">):</span> <span class="k">with</span> <span class="n">chaos_lock</span><span class="p">:</span> <span class="n">chaos_state</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">state</span><span class="p">)</span> </code></pre> </div> <p>Python's <code>http.server</code> handles each request in the same thread by default (it's not async), but I added explicit thread safety here anyway — the Lock ensures that if you ever extend this to a threaded server, chaos state reads and writes remain atomic. <code>dict(chaos_state)</code> returns a copy, preventing the caller from holding a reference to the mutable internal state.</p> <h3> The request handler </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">Handler</span><span class="p">(</span><span class="n">BaseHTTPRequestHandler</span><span class="p">):</span> <span class="k">def</span> <span class="nf">log_message</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="nb">format</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">):</span> <span class="k">pass</span> <span class="c1"># suppress default logging — nginx handles access logs </span> <span class="k">def</span> <span class="nf">send_json</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">code</span><span class="p">,</span> <span class="n">body</span><span class="p">,</span> <span class="n">extra_headers</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">body</span><span class="p">).</span><span class="nf">encode</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_response</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Deployed-By</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">MODE</span> <span class="o">==</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">X-Mode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">end_headers</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">wfile</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> </code></pre> </div> <p><code>send_json</code> is a helper that consolidates all the boilerplate of setting response codes, content type, and custom headers in one place. Every route calls it — this is the DRY principle applied to HTTP handlers.</p> <p>Suppressing <code>log_message</code> is intentional. The default Python HTTP server writes its own access log to stdout, which would duplicate what nginx already logs in the structured format we defined.</p> <h3> The three routes </h3> <p><strong>GET /</strong> — welcome endpoint<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">path</span> <span class="o">==</span> <span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Welcome to SwiftDeploy API</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">MODE</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">APP_VERSION</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y-%m-%dT%H:%M:%SZ</span><span class="sh">"</span><span class="p">,</span> <span class="n">time</span><span class="p">.</span><span class="nf">gmtime</span><span class="p">()),</span> <span class="p">})</span> </code></pre> </div> <p><strong>GET /healthz</strong> — liveness check<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">elif</span> <span class="n">self</span><span class="p">.</span><span class="n">path</span> <span class="o">==</span> <span class="sh">"</span><span class="s">/healthz</span><span class="sh">"</span><span class="p">:</span> <span class="n">uptime</span> <span class="o">=</span> <span class="nf">round</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">START_TIME</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">MODE</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">APP_VERSION</span><span class="p">,</span> <span class="sh">"</span><span class="s">uptime_seconds</span><span class="sh">"</span><span class="p">:</span> <span class="n">uptime</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>The <code>/healthz</code> endpoint does three jobs simultaneously: it proves the server is alive (Docker healthcheck), it reports the current mode (so <code>promote</code> can confirm the switch happened), and it reports uptime (useful for debugging restart loops).</p> <p><strong>POST /chaos</strong> — chaos injection (canary only)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">do_POST</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">path</span> <span class="o">==</span> <span class="sh">"</span><span class="s">/chaos</span><span class="sh">"</span><span class="p">:</span> <span class="k">if</span> <span class="n">MODE</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_json</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">chaos endpoint only available in canary mode</span><span class="sh">"</span><span class="p">})</span> <span class="k">return</span> <span class="n">length</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Length</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="n">body</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">rfile</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="n">length</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="n">mode</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">slow</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">slow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">})</span> <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">)})</span> <span class="k">elif</span> <span class="n">mode</span> <span class="o">==</span> <span class="sh">"</span><span class="s">recover</span><span class="sh">"</span><span class="p">:</span> <span class="nf">set_chaos</span><span class="p">({</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">,</span> <span class="sh">"</span><span class="s">rate</span><span class="sh">"</span><span class="p">:</span> <span class="bp">None</span><span class="p">})</span> </code></pre> </div> <p>Reading <code>Content-Length</code> before calling <code>rfile.read()</code> is standard HTTP protocol — you must know exactly how many bytes to read, otherwise the read blocks waiting for more data that never comes.</p> <p>The chaos modes:</p> <ul> <li> <code>slow</code> — injects <code>time.sleep(N)</code> before responding, simulating a slow upstream</li> <li> <code>error</code> — uses <code>random.random() &lt; rate</code> to return 500 on a configurable percentage of requests</li> <li> <code>recover</code> — clears all chaos state, returning to normal behaviour</li> </ul> <p>This is real chaos engineering in miniature — the same concept used by tools like Chaos Monkey, just scoped to a single service.</p> <h2> Component 3: The Dockerfile </h2> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.12-alpine</span> <span class="k">RUN </span>addgroup <span class="nt">-S</span> appgroup <span class="o">&amp;&amp;</span> adduser <span class="nt">-S</span> appuser <span class="nt">-G</span> appgroup <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> app/main.py .</span> <span class="k">RUN </span><span class="nb">chown</span> <span class="nt">-R</span> appuser:appgroup /app <span class="k">USER</span><span class="s"> appuser</span> <span class="k">ENV</span><span class="s"> MODE=stable</span> <span class="k">ENV</span><span class="s"> APP_VERSION=1.0.0</span> <span class="k">ENV</span><span class="s"> APP_PORT=3000</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=10s --timeout=5s --start-period=15s --retries=5 \</span> CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:3000/healthz', timeout=4)" || exit 1 <span class="k">CMD</span><span class="s"> ["python", "main.py"]</span> </code></pre> </div> <h3> Why Alpine? </h3> <p><code>python:3.12-alpine</code> is approximately 60MB. <code>python:3.12</code> (Debian-based) is approximately 1GB. The task requires images under 300MB. Alpine gets us there with room to spare.</p> <h3> Why non-root? </h3> <p>The <code>addgroup</code> / <code>adduser</code> pattern is a security baseline. If someone exploits a vulnerability in the app, they get a user with zero privileges — no ability to write to system directories, install packages, or escalate. Running as root inside a container means a container escape gives the attacker root on the host.</p> <h3> The healthcheck evolution </h3> <p>The Dockerfile healthcheck went through several iterations during development. The original:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># BROKEN — env vars don't expand in CMD array form</span> <span class="k">HEALTHCHECK</span><span class="s"> CMD wget -qO- http://localhost:${APP_PORT}/healthz || exit 1</span> </code></pre> </div> <p><code>${APP_PORT}</code> doesn't expand inside the Dockerfile <code>HEALTHCHECK CMD</code> array — it's evaluated at build time, not runtime, so it literally tries to connect to <code>http://localhost:${APP_PORT}</code>. Fixed by hardcoding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># BROKEN on WSL2 — localhost doesn't resolve inside Alpine healthcheck context</span> <span class="k">HEALTHCHECK</span><span class="s"> CMD wget -qO- http://localhost:3000/healthz || exit 1</span> </code></pre> </div> <p>This also failed on WSL2 + Docker Desktop. The <code>wget</code> inside Alpine couldn't resolve <code>localhost</code> to <code>127.0.0.1</code> in the healthcheck execution context (a known WSL2 networking quirk). Switching to <code>127.0.0.1</code> still failed because of how Docker Desktop on WSL2 handles the network namespace for healthcheck processes.</p> <p>The final working solution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># WORKS — uses Python's urllib, no external tool, no DNS resolution</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=10s --timeout=5s --start-period=15s --retries=5 \</span> CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:3000/healthz', timeout=4)" || exit 1 </code></pre> </div> <p>Using Python's own <code>urllib</code> sidesteps the <code>wget</code>/DNS issue entirely. Python's socket layer handles <code>127.0.0.1</code> directly without going through the system resolver.</p> <h2> Component 4: The Templates </h2> <p>Templates are the bridge between the manifest and the generated configs. They contain placeholders in <code>{{ key }}</code> format that the CLI replaces with real values.</p> <h3> nginx.conf.tmpl </h3> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">app_backend</span> <span class="p">{</span> <span class="kn">server</span> <span class="s">app:</span><span class="p">{</span><span class="err">{</span> <span class="kn">service_port</span> <span class="err">}}</span><span class="p">;</span> <span class="kn">keepalive</span> <span class="mi">32</span><span class="p">;</span> <span class="p">}</span> <span class="kn">log_format</span> <span class="s">swiftdeploy</span> <span class="s">'</span><span class="nv">$time_iso8601</span> <span class="s">|</span> <span class="nv">$status</span> <span class="s">|</span> $<span class="p">{</span><span class="kn">request_time</span><span class="err">}</span><span class="s">s</span> <span class="s">|</span> <span class="nv">$upstream_addr</span> <span class="s">|</span> <span class="nv">$request</span><span class="s">'</span><span class="p">;</span> <span class="kn">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="p">{</span><span class="err">{</span> <span class="kn">nginx_port</span> <span class="err">}}</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">_</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/access.log</span> <span class="s">swiftdeploy</span><span class="p">;</span> <span class="kn">proxy_connect_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="p">{</span><span class="err">{</span> <span class="kn">proxy_timeout</span> <span class="err">}}</span><span class="s">s</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Deployed-By</span> <span class="s">swiftdeploy</span> <span class="s">always</span><span class="p">;</span> <span class="kn">proxy_pass_header</span> <span class="s">X-Mode</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://app_backend</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="p">}</span> <span class="kn">error_page</span> <span class="mi">502</span> <span class="p">=</span> <span class="s">@error502</span><span class="p">;</span> <span class="kn">error_page</span> <span class="mi">503</span> <span class="p">=</span> <span class="s">@error503</span><span class="p">;</span> <span class="kn">error_page</span> <span class="mi">504</span> <span class="p">=</span> <span class="s">@error504</span><span class="p">;</span> <span class="kn">location</span> <span class="s">@error502</span> <span class="p">{</span> <span class="kn">default_type</span> <span class="nc">application/json</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Deployed-By</span> <span class="s">swiftdeploy</span> <span class="s">always</span><span class="p">;</span> <span class="kn">return</span> <span class="mi">502</span> <span class="s">'</span><span class="p">{</span><span class="kn">"error":"Bad</span> <span class="s">Gateway","code":502,"service":"app","contact":"</span><span class="p">{</span><span class="err">{</span> <span class="kn">contact</span> <span class="err">}}</span><span class="s">"</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># ... 503, 504 same pattern</span> <span class="p">}</span> </code></pre> </div> <p>Design decisions worth noting:</p> <ul> <li> <strong>Custom log format</strong>: <code>$time_iso8601 | $status | ${request_time}s | $upstream_addr | $request</code> gives you timestamp, HTTP status, response time in seconds, the upstream container IP, and the full request line — everything you need for debugging in one line.</li> <li> <strong>JSON error bodies</strong>: Rather than nginx's default HTML error pages, we return structured JSON. This is essential for APIs — clients expect JSON and need machine-readable error codes.</li> <li> <strong><code>proxy_pass_header X-Mode</code></strong>: nginx strips most custom headers by default. This directive explicitly forwards the <code>X-Mode: canary</code> header from the upstream app through to the client, so callers can identify which mode they're talking to.</li> <li> <strong><code>keepalive 32</code></strong>: keeps 32 persistent connections to the upstream, reducing connection overhead under load.</li> </ul> <h3> docker-compose.yml.tmpl </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">service_image</span> <span class="pi">}}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">swiftdeploy-app</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MODE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">mode</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">APP_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">version</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">APP_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">service_port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{{</span> <span class="nv">network_name</span> <span class="pi">}}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{{</span> <span class="nv">log_volume</span> <span class="pi">}}</span><span class="s">:/app/logs</span> <span class="na">restart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">restart_policy</span> <span class="pi">}}</span> <span class="na">user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">appuser"</span> <span class="na">cap_drop</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NET_ADMIN</span> <span class="pi">-</span> <span class="s">SYS_ADMIN</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">python</span><span class="nv"> </span><span class="s">-c</span><span class="nv"> </span><span class="s">'import</span><span class="nv"> </span><span class="s">urllib.request;</span><span class="nv"> </span><span class="s">urllib.request.urlopen(</span><span class="se">\"</span><span class="s">http://127.0.0.1:3000/healthz</span><span class="se">\"</span><span class="s">,</span><span class="nv"> </span><span class="s">timeout=4)'"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">service_port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">nginx_image</span> <span class="pi">}}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">swiftdeploy-nginx</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">nginx_port</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">nginx_port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx.conf:/etc/nginx/conf.d/default.conf:ro</span> <span class="pi">-</span> <span class="pi">{{</span> <span class="nv">log_volume</span> <span class="pi">}}</span><span class="s">:/var/log/nginx</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{{</span> <span class="nv">network_name</span> <span class="pi">}}</span> <span class="na">restart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">restart_policy</span> <span class="pi">}}</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> </code></pre> </div> <p>The <code>expose</code> vs <code>ports</code> distinction is critical:</p> <ul> <li> <code>expose: ["3000"]</code> — makes port 3000 reachable between containers on the same Docker network. Not published to the host.</li> <li> <code>ports: ["8080:8080"]</code> — publishes port 8080 to the host machine and the outside world.</li> </ul> <p>The app uses <code>expose</code> only. There is no way to reach port 3000 from outside Docker. All traffic must enter through nginx on 8080.</p> <p><code>depends_on: condition: service_healthy</code> means nginx won't start until the app container's healthcheck passes. This prevents nginx from starting and immediately returning 502s because the upstream isn't ready yet.</p> <h2> Component 5: The CLI </h2> <p>The <code>swiftdeploy</code> CLI is a single Python script with five subcommands. Here's how each works internally.</p> <h3> The template engine </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">tmpl_path</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">tmpl_path</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">val</span> <span class="ow">in</span> <span class="n">context</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">content</span> <span class="o">=</span> <span class="n">content</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">{{ </span><span class="sh">"</span> <span class="o">+</span> <span class="n">key</span> <span class="o">+</span> <span class="sh">"</span><span class="s"> }}</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">val</span><span class="p">))</span> <span class="k">return</span> <span class="n">content</span> </code></pre> </div> <p>Five lines. No Jinja2. No external library. Simple string replacement. This is intentional — the templates are straightforward enough that a minimal custom engine is cleaner than pulling in a dependency.</p> <h3> The context builder </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">build_context</span><span class="p">(</span><span class="n">manifest</span><span class="p">):</span> <span class="n">svc</span> <span class="o">=</span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">]</span> <span class="n">ngx</span> <span class="o">=</span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">nginx</span><span class="sh">"</span><span class="p">]</span> <span class="n">net</span> <span class="o">=</span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">network</span><span class="sh">"</span><span class="p">]</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">service_image</span><span class="sh">"</span><span class="p">:</span> <span class="n">svc</span><span class="p">[</span><span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">service_port</span><span class="sh">"</span><span class="p">:</span> <span class="n">svc</span><span class="p">[</span><span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">:</span> <span class="n">svc</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stable</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">svc</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">1.0.0</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">restart_policy</span><span class="sh">"</span><span class="p">:</span> <span class="n">svc</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">restart_policy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unless-stopped</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">log_volume</span><span class="sh">"</span><span class="p">:</span> <span class="n">svc</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">log_volume</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy-logs</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">nginx_image</span><span class="sh">"</span><span class="p">:</span> <span class="n">ngx</span><span class="p">[</span><span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">nginx_port</span><span class="sh">"</span><span class="p">:</span> <span class="n">ngx</span><span class="p">[</span><span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">proxy_timeout</span><span class="sh">"</span><span class="p">:</span> <span class="n">ngx</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">proxy_timeout</span><span class="sh">"</span><span class="p">,</span> <span class="mi">30</span><span class="p">),</span> <span class="sh">"</span><span class="s">network_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">net</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">network_driver</span><span class="sh">"</span><span class="p">:</span> <span class="n">net</span><span class="p">[</span><span class="sh">"</span><span class="s">driver_type</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">contact</span><span class="sh">"</span><span class="p">:</span> <span class="n">manifest</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">contact</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ops@swiftdeploy.local</span><span class="sh">"</span><span class="p">),</span> <span class="p">}</span> </code></pre> </div> <p>This translates the nested YAML structure into the flat dictionary that matches the <code>{{ placeholders }}</code> in the templates. It's the glue layer between manifest and generated configs.</p> <h3> <code>init</code> subcommand </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_init</span><span class="p">():</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">build_context</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="n">nginx_conf</span> <span class="o">=</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">NGINX_TMPL</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">NGINX_OUT</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">nginx_conf</span><span class="p">)</span> <span class="n">compose_conf</span> <span class="o">=</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">COMPOSE_TMPL</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">COMPOSE_OUT</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">compose_conf</span><span class="p">)</span> </code></pre> </div> <p>Straightforward: load manifest → build context → render both templates → write files. The grader deletes the generated files and re-runs this to verify regeneration.</p> <h3> <code>validate</code> subcommand — 5 pre-flight checks </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Check 1: manifest.yaml exists and is valid YAML </span><span class="k">try</span><span class="p">:</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="nf">ok</span><span class="p">(</span><span class="sh">"</span><span class="s">manifest.yaml found and parsed successfully</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">yaml</span><span class="p">.</span><span class="n">YAMLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">fail</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Invalid YAML: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Check 2: required fields present and non-empty </span><span class="n">required</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">services.image</span><span class="sh">"</span><span class="p">:</span> <span class="n">manifest</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">services.port</span><span class="sh">"</span><span class="p">:</span> <span class="n">manifest</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">nginx.image</span><span class="sh">"</span><span class="p">:</span> <span class="n">manifest</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">nginx</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">nginx.port</span><span class="sh">"</span><span class="p">:</span> <span class="n">manifest</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">nginx</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">network.name</span><span class="sh">"</span><span class="p">:</span> <span class="n">manifest</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">network</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">network.driver_type</span><span class="sh">"</span><span class="p">:</span> <span class="n">manifest</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">network</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">driver_type</span><span class="sh">"</span><span class="p">),</span> <span class="p">}</span> <span class="c1"># Check 3: Docker image exists locally </span><span class="n">result</span> <span class="o">=</span> <span class="nf">run</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">docker image inspect </span><span class="si">{</span><span class="n">image</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">capture</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># exit code 0 = found, non-zero = not found </span> <span class="c1"># Check 4: Nginx port not already bound </span><span class="n">result</span> <span class="o">=</span> <span class="nf">run</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">ss -tlnp | grep </span><span class="sh">'</span><span class="s">:</span><span class="si">{</span><span class="n">nginx_port</span><span class="si">}</span><span class="s"> </span><span class="sh">'"</span><span class="p">,</span> <span class="n">capture</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">check</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1"># stdout non-empty = port in use </span> <span class="c1"># Check 5: nginx.conf syntactically valid </span><span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">run</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--rm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-v</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">test_conf_path</span><span class="si">}</span><span class="s">:/etc/nginx/conf.d/default.conf:ro</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">nginx:latest</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">nginx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-t</span><span class="sh">"</span><span class="p">],</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">combined</span> <span class="o">=</span> <span class="n">result</span><span class="p">.</span><span class="n">stdout</span> <span class="o">+</span> <span class="n">result</span><span class="p">.</span><span class="n">stderr</span> <span class="k">if</span> <span class="sh">"</span><span class="s">successful</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">combined</span><span class="p">:</span> <span class="nf">ok</span><span class="p">(</span><span class="sh">"</span><span class="s">nginx.conf syntax is valid</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Check 5 is the most interesting. Running <code>nginx -t</code> in an isolated container is elegant — it validates syntax without needing nginx installed on the host. However, we hit a complication: in an isolated container, <code>app:3000</code> (the upstream hostname) can't be resolved because there's no Docker network. nginx refuses to start if it can't resolve upstream hostnames, even for a syntax check.</p> <p>The fix: before handing the config to the test container, swap <code>server app:</code> with <code>server 127.0.0.1:</code> in a temporary copy. <code>127.0.0.1</code> always resolves, so nginx validates the rest of the syntax (listen ports, timeouts, location blocks, error pages) correctly. The actual <code>nginx.conf</code> on disk is untouched.</p> <h3> <code>deploy</code> subcommand </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_deploy</span><span class="p">():</span> <span class="nf">cmd_init</span><span class="p">()</span> <span class="nf">run</span><span class="p">(</span><span class="nf">compose_cmd</span><span class="p">(</span><span class="sh">"</span><span class="s">up -d --build</span><span class="sh">"</span><span class="p">))</span> <span class="n">deadline</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">60</span> <span class="n">healthy</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">while</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">&lt;</span> <span class="n">deadline</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">http://localhost:</span><span class="si">{</span><span class="n">nginx_port</span><span class="si">}</span><span class="s">/healthz</span><span class="sh">"</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="k">as</span> <span class="n">resp</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">())</span> <span class="k">if</span> <span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="n">healthy</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">pass</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">healthy</span><span class="p">:</span> <span class="nf">fail</span><span class="p">(</span><span class="sh">"</span><span class="s">Health checks did not pass within 60 seconds</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </code></pre> </div> <p>The polling loop is the key part. Containers don't start instantly. <code>docker compose up -d</code> returns as soon as the containers are created, not when they're healthy. The loop hits <code>/healthz</code> through nginx every 2 seconds for up to 60 seconds. Connection refused, timeout, bad JSON — all exceptions are caught and ignored. Only <code>{"status": "ok"}</code> breaks the loop successfully.</p> <h3> <code>promote</code> subcommand </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_promote</span><span class="p">(</span><span class="n">target_mode</span><span class="p">):</span> <span class="c1"># 1. Update manifest in-place using regex </span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">MANIFEST_PATH</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="n">content</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">(mode:\s*)(\S+)</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\\</span><span class="s">g&lt;1&gt;</span><span class="si">{</span><span class="n">target_mode</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="p">,</span> <span class="n">count</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">MANIFEST_PATH</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">content</span><span class="p">)</span> <span class="c1"># 2. Regenerate docker-compose.yml only </span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">build_context</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="n">compose_conf</span> <span class="o">=</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">COMPOSE_TMPL</span><span class="p">,</span> <span class="n">ctx</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">COMPOSE_OUT</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">compose_conf</span><span class="p">)</span> <span class="c1"># 3. Restart app container only — nginx stays up </span> <span class="nf">run</span><span class="p">(</span><span class="nf">compose_cmd</span><span class="p">(</span><span class="sh">"</span><span class="s">up -d --no-deps app</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># 4. Confirm mode via /healthz </span> <span class="n">deadline</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">+</span> <span class="mi">30</span> <span class="k">while</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">&lt;</span> <span class="n">deadline</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="n">urllib</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="nf">urlopen</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="k">as</span> <span class="n">resp</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">read</span><span class="p">())</span> <span class="k">if</span> <span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="n">target_mode</span> <span class="ow">and</span> <span class="n">body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="n">confirmed</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">pass</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </code></pre> </div> <p><code>--no-deps</code> in <code>docker compose up -d --no-deps app</code> is the rolling restart mechanism. It tells Compose to restart only the <code>app</code> service without touching <code>nginx</code>. Since nginx is already running and healthy, there's zero downtime at the proxy level — nginx continues serving requests while the app container restarts with the new mode.</p> <p>The regex <code>re.sub(r"(mode:\s*)(\S+)", f"\\g&lt;1&gt;{target_mode}", content, count=1)</code> uses a backreference <code>\\g&lt;1&gt;</code> to preserve the <code>mode:</code> prefix and only replace the value. <code>count=1</code> ensures only the first occurrence is replaced.</p> <h2> The Debugging Saga: WSL2 + Docker Desktop Healthchecks </h2> <p>This section documents the most painful part of the build — a cascade of healthcheck failures that took multiple debugging rounds to resolve.</p> <h3> Failure 1: <code>${APP_PORT}</code> not expanding </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">wget: can't connect to remote host: Connection refused </span></code></pre> </div> <p>Root cause: environment variables don't expand in Dockerfile <code>HEALTHCHECK CMD</code> at runtime. <code>${APP_PORT}</code> was being passed literally to wget. Fix: hardcode <code>3000</code>.</p> <h3> Failure 2: <code>localhost</code> not resolving in Alpine </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">wget: can't connect to remote host: Connection refused </span></code></pre> </div> <p>Same error, different cause. Inside the Alpine container's healthcheck execution context on WSL2 + Docker Desktop, <code>localhost</code> wasn't resolving to <code>127.0.0.1</code>. Fix: use <code>127.0.0.1</code> explicitly.</p> <h3> Failure 3: <code>wget</code> still failing with <code>127.0.0.1</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">wget: can't connect to remote host: Connection refused </span></code></pre> </div> <p>Confirmed the server was listening:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>swiftdeploy-app ss <span class="nt">-tlnp</span> <span class="c"># tcp LISTEN 0.0.0.0:3000</span> docker <span class="nb">exec </span>swiftdeploy-app python <span class="nt">-c</span> <span class="s2">"import urllib.request; print(urllib.request.urlopen('http://127.0.0.1:3000/healthz').read())"</span> <span class="c"># b'{"status": "ok", ...}'</span> </code></pre> </div> <p>The server was reachable via <code>docker exec</code> but not from the healthcheck process. This is a known WSL2 + Docker Desktop network namespace issue — the healthcheck runs in a slightly different network context than <code>docker exec</code>. Fix: replace <code>wget</code> with Python's <code>urllib</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">CMD</span><span class="s"> python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:3000/healthz', timeout=4)" || exit 1</span> </code></pre> </div> <h3> Failure 4: Docker cache serving old image </h3> <p>After fixing the Dockerfile, the healthcheck was still running <code>wget</code>. The container was using a cached image layer. Fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker rmi swift-deploy-1-node:latest docker build <span class="nt">--no-cache</span> <span class="nt">-t</span> swift-deploy-1-node:latest <span class="nb">.</span> </code></pre> </div> <h3> Failure 5: docker-compose.yml overriding the Dockerfile healthcheck </h3> <p>Even after fixing the image, the container was still running <code>wget</code>. Discovery:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="nt">-A5</span> <span class="s2">"healthcheck"</span> docker-compose.yml <span class="c"># test: ["CMD", "wget", "-qO-", "http://localhost:3000/healthz"]</span> </code></pre> </div> <p>The <code>docker-compose.yml</code> template had its own healthcheck definition that was overriding the Dockerfile's. Docker Compose healthcheck always wins over Dockerfile HEALTHCHECK. Fixed the template to use the Python urllib approach and correct YAML quoting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">python</span><span class="nv"> </span><span class="s">-c</span><span class="nv"> </span><span class="s">'import</span><span class="nv"> </span><span class="s">urllib.request;</span><span class="nv"> </span><span class="s">urllib.request.urlopen(</span><span class="se">\"</span><span class="s">http://127.0.0.1:3000/healthz</span><span class="se">\"</span><span class="s">,</span><span class="nv"> </span><span class="s">timeout=4)'"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> </code></pre> </div> <h3> Failure 6: YAML indentation error </h3> <p>The healthcheck block had 3 spaces of indentation instead of 4 — a single space difference that broke YAML parsing entirely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">healthcheck</span><span class="pi">:</span> <span class="c1"># ← 3 spaces — YAML parse error</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">healthcheck</span><span class="pi">:</span> <span class="c1"># ← 4 spaces — correct</span> </code></pre> </div> <p>After all six of these were resolved, the deploy succeeded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">✔ Container swiftdeploy-app Healthy 6.8s ✔ Container swiftdeploy-nginx Started 7.2s ✔ Stack is healthy! Listening on port 8080 </span></code></pre> </div> <h2> Deployment Walkthrough </h2> <h3> 1. Build the image </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> swift-deploy-1-node:latest <span class="nb">.</span> </code></pre> </div> <h3> 2. Validate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./swiftdeploy validate </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[1/5] manifest.yaml exists and is valid YAML ✔ manifest.yaml found and parsed successfully [2/5] Required fields are present and non-empty ✔ services.image = swift-deploy-1-node:latest ✔ services.port = 3000 ✔ nginx.image = nginx:latest ✔ nginx.port = 8080 ✔ network.name = swiftdeploy-net ✔ network.driver_type = bridge [3/5] Docker image exists locally ✔ Image found: swift-deploy-1-node:latest [4/5] Nginx port not already bound on host ✔ Port 8080 is free [5/5] Generated nginx.conf is syntactically valid ✔ nginx.conf syntax is valid ALL CHECKS PASSED ✔ </span></code></pre> </div> <h3> 3. Deploy </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./swiftdeploy deploy </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">✔ Container swiftdeploy-app Healthy ✔ Container swiftdeploy-nginx Started ✔ Stack is healthy! Listening on port 8080 deploy complete. </span></code></pre> </div> <h3> 4. Test endpoints </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:8080/ <span class="c"># {"message": "Welcome to SwiftDeploy API", "mode": "stable", "version": "1.0.0", "timestamp": "..."}</span> curl http://localhost:8080/healthz <span class="c"># {"status": "ok", "mode": "stable", "version": "1.0.0", "uptime_seconds": 12.4}</span> </code></pre> </div> <h3> 5. Promote to canary </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./swiftdeploy promote canary curl http://localhost:8080/healthz <span class="c"># {"status": "ok", "mode": "canary", ...}</span> curl <span class="nt">-I</span> http://localhost:8080/ <span class="c"># X-Mode: canary</span> <span class="c"># X-Deployed-By: swiftdeploy</span> </code></pre> </div> <h3> 6. Test chaos (canary mode only) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Slow mode — 3 second delay</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "slow", "duration": 3}'</span> <span class="nb">time </span>curl http://localhost:8080/ <span class="c"># real 0m3.012s</span> <span class="c"># Error mode — 50% 500 errors</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "error", "rate": 0.5}'</span> <span class="c"># Recover</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "recover"}'</span> </code></pre> </div> <h3> 7. View nginx access logs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs swiftdeploy-nginx </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">2026-05-03T14:23:01+00:00 | 200 | 0.002s | 172.18.0.3:3000 | GET / HTTP/1.1 2026-05-03T14:23:05+00:00 | 200 | 0.001s | 172.18.0.3:3000 | GET /healthz HTTP/1.1 2026-05-03T14:23:12+00:00 | 500 | 0.001s | 172.18.0.3:3000 | GET / HTTP/1.1 </span></code></pre> </div> <h3> 8. Teardown </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./swiftdeploy teardown <span class="nt">--clean</span> </code></pre> </div> <h2> Key Learnings </h2> <p><strong>1. Docker Compose healthcheck overrides Dockerfile HEALTHCHECK.</strong> This is documented but easy to miss. If both exist, Compose wins. Always check your generated compose file when healthchecks misbehave.</p> <p><strong>2. WSL2 + Docker Desktop has a quirky network namespace for healthchecks.</strong> <code>docker exec</code> and HEALTHCHECK run in slightly different contexts. If something works via <code>exec</code> but not via healthcheck, it's almost always a network namespace or tool availability issue. Python's stdlib is more portable than <code>wget</code> in this environment.</p> <p><strong>3. <code>--no-cache</code> is essential when debugging Dockerfile changes.</strong> Docker's layer caching is aggressive. If you change a <code>HEALTHCHECK</code> line but the layers above it are cached, Docker will use the old healthcheck. Always <code>docker rmi</code> and <code>--no-cache</code> when debugging image-level issues.</p> <p><strong>4. <code>expose</code> vs <code>ports</code> in Docker Compose is a security boundary, not just documentation.</strong> <code>expose</code> is container-to-container only. <code>ports</code> is host-facing. Using <code>expose</code> for the app and <code>ports</code> only for nginx enforces the proxy pattern at the infrastructure level.</p> <p><strong>5. YAML indentation is unforgiving.</strong> A single space difference between 3 and 4 spaces of indentation produces a cryptic parse error. Always use a YAML linter or at minimum <code>python3 -c "import yaml; yaml.safe_load(open('file.yml'))"</code> to validate before deploying.</p> <p><strong>6. Declarative infrastructure pays off immediately.</strong> The grader deletes generated files and re-runs <code>init</code> — because we built it right, this is a non-issue. The manifest is always there, the templates are always there, and regeneration is instantaneous.</p> <h2> Conclusion </h2> <p>SwiftDeploy started as a task requirement and ended up being a genuinely useful mental model for how declarative infrastructure tools work. Tools like Terraform, Helm, and Pulumi are all variations of the same core idea: describe what you want, let the tool figure out how to get there.</p> <p>Building this from scratch — the template engine, the CLI subcommands, the healthcheck polling loop, the rolling restart — gives you an appreciation for what those tools are doing under the hood at scale.</p> <p>The debugging journey through six layers of healthcheck failures was frustrating in the moment but valuable in retrospect. Every failure taught something concrete about how Docker, WSL2, Alpine Linux, nginx, and Python's network stack interact.</p> <p>The full source code is available at: <strong><a href="https://github.com/AirFluke/hng-swiftdeploy" rel="noopener noreferrer">https://github.com/AirFluke/hng-swiftdeploy</a></strong></p> <p><em>Built for HNG DevOps Internship — Stage 4A: SwiftDeploy</em></p> <p><em>Tags: #devops #docker #nginx #python #infrastructure #hng</em></p> automation cli devops showdev How I Built a Real-Time DDoS Detection Engine from Scratch (No Fail2Ban) Abraham Acha Sun, 26 Apr 2026 15:31:10 +0000 https://forem.com/airfluke/how-i-built-a-real-time-ddos-detection-engine-from-scratch-no-fail2ban-mo5 https://forem.com/airfluke/how-i-built-a-real-time-ddos-detection-engine-from-scratch-no-fail2ban-mo5 <p>Assuming my boss walked in and said "we're getting hit with suspicious traffic and I need you to build something that detects and responds to it automatically," I had two choices: reach for Fail2Ban like everyone else, or build something I actually understood from the ground up.</p> <p>I chose to build it from scratch. This post explains exactly how I did it — in plain English, with real code, and without assuming you've ever touched security tooling before.</p> <p>By the end of this post you will understand:</p> <ul> <li>What the system does and why it matters</li> <li>How a sliding window works (and why it's not just "count requests per minute")</li> <li>How the system learns what normal traffic looks like</li> <li>How it decides something is an attack</li> <li>How it uses iptables to cut off an attacker at the firewall level</li> </ul> <p>Let's go.</p> <h2> What This Project Does and Why It Matters </h2> <p>We run a cloud storage platform built on Nextcloud. It's public-facing, which means anyone on the internet can send requests to it — including bots, scanners, and attackers.</p> <p>Two types of attacks concern us most:</p> <p><strong>A single aggressive IP</strong> — one machine sending hundreds of requests per second, trying to brute-force logins, scrape data, or simply overwhelm the server. This is a classic DDoS from a single source.</p> <p><strong>A global traffic spike</strong> — thousands of different IPs each sending a small number of requests. No single IP looks suspicious, but the total volume is crushing the server. This is a distributed DDoS.</p> <p>The tool I built watches every HTTP request in real time, learns what "normal" traffic looks like, and fires an automatic response the moment something deviates — whether it's a single aggressive IP or a global spike.</p> <p>For a single aggressive IP: it adds an <code>iptables</code> firewall rule to drop every packet from that IP, sends a Slack alert, and automatically releases the ban on a backoff schedule (10 minutes, then 30, then 2 hours, then permanent for repeat offenders).</p> <p>For a global spike: it sends a Slack alert (no single IP to block).</p> <p>The whole thing runs as a daemon — a continuously running background process — alongside the Nextcloud stack in Docker. It never sleeps, never needs a cron job, and never relies on hardcoded thresholds.</p> <p>Here's the architecture at a glance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Internet → Nginx (reverse proxy) → Nextcloud ↓ writes JSON logs [HNG-nginx-logs volume] ↓ reads logs Python Daemon ├── monitor.py (tail the log file) ├── baseline.py (learn normal traffic) ├── detector.py (spot anomalies) ├── blocker.py (iptables + audit log) ├── unbanner.py (auto-release bans) ├── notifier.py (Slack alerts) └── dashboard.py (live web UI) </code></pre> </div> <p>Everything is wired together by <code>main.py</code> and configured through a single <code>config.yaml</code> file — no hardcoded numbers anywhere in the code.</p> <h2> Part 1: Reading the Traffic — The Log Monitor </h2> <p>Before we can detect anything, we need to see the traffic. Nginx is our reverse proxy — every HTTP request passes through it. We configure Nginx to write each request as a JSON object to a log file.</p> <p>Here's the Nginx log format we defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">hng_json</span> <span class="s">escape=json</span> <span class="s">'</span><span class="p">{</span><span class="kn">'</span> <span class="s">'"source_ip":"</span><span class="nv">$remote_addr</span><span class="s">",'</span> <span class="s">'"timestamp":"</span><span class="nv">$time_iso8601</span><span class="s">",'</span> <span class="s">'"method":"</span><span class="nv">$request_method</span><span class="s">",'</span> <span class="s">'"path":"</span><span class="nv">$uri</span><span class="s">",'</span> <span class="s">'"status":</span><span class="nv">$status</span><span class="s">,'</span> <span class="s">'"response_size":</span><span class="nv">$body_bytes_sent</span><span class="s">,'</span> <span class="s">'"request_time":</span><span class="nv">$request_time</span><span class="s">,'</span> <span class="s">'"http_user_agent":"</span><span class="nv">$http_user_agent</span><span class="s">"'</span> <span class="s">'</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/hng-access.log</span> <span class="s">hng_json</span><span class="p">;</span> </code></pre> </div> <p>Every request now produces a line like this in the log file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.2.3.4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-26T14:08:21+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/index.php/login"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">401</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_size"</span><span class="p">:</span><span class="w"> </span><span class="mi">1842</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_time"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.043</span><span class="p">,</span><span class="w"> </span><span class="nl">"http_user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mozilla/5.0..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now our Python daemon needs to read these lines as they appear — in real time, without missing any, and without crashing if the log file gets rotated. This is called "tailing" a file, like <code>tail -f</code> in Linux.</p> <p>Here's how <code>monitor.py</code> does it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">queue</span> <span class="k">def</span> <span class="nf">parse_line</span><span class="p">(</span><span class="n">raw</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Parse one JSON log line. Returns None if malformed.</span><span class="sh">"""</span> <span class="n">raw</span> <span class="o">=</span> <span class="n">raw</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">raw</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">try</span><span class="p">:</span> <span class="n">entry</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># drop malformed lines silently </span> <span class="c1"># Make sure all required fields are present </span> <span class="n">required</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">response_size</span><span class="sh">"</span><span class="p">}</span> <span class="k">if</span> <span class="n">required</span> <span class="o">-</span> <span class="n">entry</span><span class="p">.</span><span class="nf">keys</span><span class="p">():</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># Coerce types and add a wall-clock timestamp for window math </span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">])</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">response_size</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">response_size</span><span class="sh">"</span><span class="p">])</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">return</span> <span class="n">entry</span> <span class="k">class</span> <span class="nc">LogMonitor</span><span class="p">:</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">fh</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">/var/log/nginx/hng-access.log</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="n">fh</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="c1"># jump to END of file — don't replay old traffic </span> <span class="n">current_inode</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">stat</span><span class="p">(</span><span class="n">fh</span><span class="p">.</span><span class="n">name</span><span class="p">).</span><span class="n">st_ino</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">fh</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="n">line</span><span class="p">:</span> <span class="n">entry</span> <span class="o">=</span> <span class="nf">parse_line</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">if</span> <span class="n">entry</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">out_queue</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c1"># send downstream </span> <span class="k">else</span><span class="p">:</span> <span class="c1"># Check if the file was rotated (inode changed) </span> <span class="n">new_inode</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">stat</span><span class="p">(</span><span class="n">fh</span><span class="p">.</span><span class="n">name</span><span class="p">).</span><span class="n">st_ino</span> <span class="k">if</span> <span class="n">new_inode</span> <span class="o">!=</span> <span class="n">current_inode</span><span class="p">:</span> <span class="n">fh</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">fh</span> <span class="o">=</span> <span class="nf">open</span><span class="p">(</span><span class="n">fh</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="n">current_inode</span> <span class="o">=</span> <span class="n">new_inode</span> <span class="k">else</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.1</span><span class="p">)</span> <span class="c1"># no new data, yield CPU briefly </span></code></pre> </div> <p>Three things worth understanding here:</p> <p><strong><code>fh.seek(0, 2)</code></strong> — When we start the daemon, the log file already has entries from before we launched. We don't want to process all of those as if they're live traffic. Seeking to position 2 (the end) means we only see new lines written after the daemon starts.</p> <p><strong>Inode check</strong> — Log files get rotated (renamed and replaced with a fresh empty file) periodically. If we don't detect this, we'd keep reading the old file and miss all new traffic. The inode (a unique file identifier in Linux) changes when the file is replaced, so we check it on every "no new data" cycle.</p> <p><strong>The queue</strong> — We put parsed entries into a <code>queue.Queue</code>. This decouples reading from processing. The monitor thread just reads and queues; the main thread drains the queue and feeds entries to the baseline and detector. If the detector is temporarily slow, entries buffer in the queue rather than being dropped.</p> <h2> Part 2: How the Sliding Window Works </h2> <p>This is the core data structure of the entire detection system. Get this right and everything else falls into place.</p> <h3> The wrong way: per-minute counters </h3> <p>The naive approach is to count requests per minute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># WRONG — this is not a sliding window </span><span class="n">requests_this_minute</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">last_minute</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">/</span> <span class="mi">60</span><span class="p">)</span> <span class="k">def</span> <span class="nf">on_request</span><span class="p">():</span> <span class="n">current_minute</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">/</span> <span class="mi">60</span><span class="p">)</span> <span class="k">if</span> <span class="n">current_minute</span> <span class="o">!=</span> <span class="n">last_minute</span><span class="p">:</span> <span class="n">requests_this_minute</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># reset </span> <span class="n">last_minute</span> <span class="o">=</span> <span class="n">current_minute</span> <span class="n">requests_this_minute</span> <span class="o">+=</span> <span class="mi">1</span> </code></pre> </div> <p>The problem: imagine an attacker sends 1000 requests at 14:00:59 and another 1000 at 14:01:01. The per-minute counter resets at 14:01:00, so each minute only shows 1000 requests. But in reality, 2000 requests arrived in a 2-second window — a massive spike that the counter completely misses.</p> <h3> The right way: a deque of timestamps </h3> <p>A sliding window stores the <strong>exact timestamp of every request</strong> in a <code>collections.deque</code>. When you want the current rate, you evict old entries and count what remains.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">time</span> <span class="c1"># One deque per IP, one global </span><span class="n">ip_window</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># stores timestamps of requests from this IP </span><span class="n">WINDOW</span> <span class="o">=</span> <span class="mi">60</span> <span class="c1"># seconds </span> <span class="k">def</span> <span class="nf">on_request</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="c1"># Step 1: Add this request's timestamp </span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># Step 2: Evict entries older than 60 seconds from the LEFT </span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">WINDOW</span> <span class="k">while</span> <span class="n">ip_window</span> <span class="ow">and</span> <span class="n">ip_window</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">ip_window</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># O(1) — this is why we use deque, not list </span> <span class="c1"># Step 3: Rate = requests still in window / window size </span> <span class="n">rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">ip_window</span><span class="p">)</span> <span class="o">/</span> <span class="n">WINDOW</span> <span class="k">return</span> <span class="n">rate</span> <span class="c1"># requests per second over the last 60 seconds </span></code></pre> </div> <p>Let's trace through a real example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Time 14:00:00 → request arrives → deque: [14:00:00] rate = 1/60 = 0.017 req/s Time 14:00:01 → request arrives → deque: [14:00:00, 14:00:01] rate = 2/60 = 0.033 req/s ...normal traffic... Time 14:01:30 → attacker starts sending 100 req/s Time 14:01:31 → deque has 100 new entries + a few old ones → evict everything before 14:00:31 → 100 entries remain → rate = 100/60 = 1.67 req/s ← anomaly detected </code></pre> </div> <p>The window "slides" forward with real time. Old entries fall off the left; new entries pile up on the right. The rate you get is always "how many requests from this IP in the last 60 seconds."</p> <p><strong>Why <code>deque</code> and not <code>list</code>?</strong></p> <p><code>list.pop(0)</code> is O(n) — it has to shift every element one position to the left every time you evict. With thousands of entries under a DDoS, this becomes very slow.</p> <p><code>deque.popleft()</code> is O(1) — it just moves a pointer. No matter how many entries are in the deque, eviction is instant.</p> <p>Here's the actual implementation from our <code>detector.py</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span><span class="p">,</span> <span class="n">defaultdict</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span><span class="p">,</span> <span class="n">field</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">IPState</span><span class="p">:</span> <span class="sh">"""</span><span class="s">All per-IP sliding window state.</span><span class="sh">"""</span> <span class="n">timestamps</span><span class="p">:</span> <span class="n">deque</span> <span class="o">=</span> <span class="nf">field</span><span class="p">(</span><span class="n">default_factory</span><span class="o">=</span><span class="n">deque</span><span class="p">)</span> <span class="c1"># request timestamps </span> <span class="n">error_ts</span><span class="p">:</span> <span class="n">deque</span> <span class="o">=</span> <span class="nf">field</span><span class="p">(</span><span class="n">default_factory</span><span class="o">=</span><span class="n">deque</span><span class="p">)</span> <span class="c1"># 4xx/5xx timestamps </span> <span class="c1"># One IPState per IP address, created on first request </span><span class="n">ip_states</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="n">IPState</span><span class="p">)</span> <span class="c1"># One global window for all traffic combined </span><span class="n">global_ts</span><span class="p">:</span> <span class="n">deque</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="k">def</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">dq</span><span class="p">:</span> <span class="n">deque</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Remove timestamps older than `window` seconds from the left.</span><span class="sh">"""</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">window</span> <span class="k">while</span> <span class="n">dq</span> <span class="ow">and</span> <span class="n">dq</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">dq</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="k">def</span> <span class="nf">_rate</span><span class="p">(</span><span class="n">dq</span><span class="p">:</span> <span class="n">deque</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Requests per second over the window.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">dq</span><span class="p">)</span> <span class="o">/</span> <span class="n">window</span> <span class="k">def</span> <span class="nf">process</span><span class="p">(</span><span class="n">entry</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">]</span> <span class="n">now</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="n">state</span> <span class="o">=</span> <span class="n">ip_states</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="c1"># Update per-IP window </span> <span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">ip_rate</span> <span class="o">=</span> <span class="nf">_rate</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="mi">60</span><span class="p">)</span> <span class="c1"># Update global window </span> <span class="n">global_ts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">global_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">global_rate</span> <span class="o">=</span> <span class="nf">_rate</span><span class="p">(</span><span class="n">global_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">)</span> </code></pre> </div> <p>We maintain <strong>two separate windows</strong>: one per IP (so we can detect individual attackers) and one global (so we can detect distributed attacks from many IPs). Both are updated on every single request.</p> <h2> Part 3: How the Baseline Learns from Traffic </h2> <p>Detecting anomalies requires knowing what normal looks like. If normal traffic is 50 req/s, then 100 req/s is suspicious. But if normal traffic is 5 req/s, then even 15 req/s might be an attack.</p> <p>The key insight: <strong>normal changes over time</strong>. A file-sharing platform sees more traffic during business hours than at 3am. A global service sees more traffic from Asia during Asian business hours. You cannot hardcode a threshold — you have to learn it.</p> <h3> Per-second bucketing </h3> <p>Our baseline engine counts requests per second and stores those counts in a rolling 30-minute window:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">math</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="c1"># Stores one count per second, up to 30 minutes worth (1800 buckets) </span><span class="n">second_buckets</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">(</span><span class="n">maxlen</span><span class="o">=</span><span class="mi">1800</span><span class="p">)</span> <span class="n">current_second</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="n">current_count</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">def</span> <span class="nf">record</span><span class="p">(</span><span class="n">entry</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="k">global</span> <span class="n">current_second</span><span class="p">,</span> <span class="n">current_count</span> <span class="n">now</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="n">bucket_sec</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="c1"># When the clock second changes, flush the completed bucket </span> <span class="k">if</span> <span class="n">bucket_sec</span> <span class="o">&gt;</span> <span class="n">current_second</span><span class="p">:</span> <span class="c1"># Fill any empty seconds (gaps where no traffic arrived) </span> <span class="k">for</span> <span class="n">s</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">current_second</span><span class="p">,</span> <span class="n">bucket_sec</span><span class="p">):</span> <span class="n">second_buckets</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">current_count</span><span class="p">)</span> <span class="n">current_count</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="n">current_second</span> <span class="o">=</span> <span class="n">bucket_sec</span> <span class="n">current_count</span> <span class="o">+=</span> <span class="mf">1.0</span> </code></pre> </div> <p>So if 47 requests arrived in the second ending at 14:05:00, the deque gets <code>47.0</code> appended. If the next second was quiet (zero requests), it gets <code>0.0</code>. The deque holds up to 1800 of these values — 30 minutes of history.</p> <h3> Computing mean and standard deviation </h3> <p>Every 60 seconds, we recompute the baseline from whatever is in the bucket deque:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_recalculate</span><span class="p">():</span> <span class="n">samples</span> <span class="o">=</span> <span class="nf">list</span><span class="p">(</span><span class="n">second_buckets</span><span class="p">)</span> <span class="n">n</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&lt;</span> <span class="mi">30</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># not enough data yet, keep the floor values </span> <span class="c1"># Mean: average requests per second over the last 30 minutes </span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="c1"># Standard deviation: how much does traffic vary? </span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="p">(</span><span class="n">n</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="c1"># Apply floor values to prevent false positives during quiet periods </span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">)</span> <span class="c1"># never let mean drop below 1 req/s </span> <span class="n">stddev</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">)</span> <span class="c1"># never let stddev drop below 0.5 </span> <span class="n">effective_mean</span> <span class="o">=</span> <span class="n">mean</span> <span class="n">effective_stddev</span> <span class="o">=</span> <span class="n">stddev</span> </code></pre> </div> <p><strong>Why do we need floor values?</strong></p> <p>Imagine the server is quiet at 3am with 0.1 req/s average. Without floor values:</p> <ul> <li>mean = 0.1, stddev = 0.05</li> <li>A burst to just 0.25 req/s gives z-score = (0.25 - 0.1) / 0.05 = <strong>3.0</strong> → false alarm!</li> </ul> <p>With floor_mean = 1.0:</p> <ul> <li>The denominator stays reasonable</li> <li>You need a genuine spike to trigger detection</li> </ul> <p><strong>Per-hour preference</strong></p> <p>Traffic patterns repeat by hour of day. We also maintain 24 separate per-hour slot deques:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">hour_slots</span> <span class="o">=</span> <span class="p">{</span><span class="n">h</span><span class="p">:</span> <span class="nf">deque</span><span class="p">(</span><span class="n">maxlen</span><span class="o">=</span><span class="mi">1800</span><span class="p">)</span> <span class="k">for</span> <span class="n">h</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">24</span><span class="p">)}</span> <span class="c1"># When flushing a bucket, also file it into the current hour's slot </span><span class="n">hour</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromtimestamp</span><span class="p">(</span><span class="n">current_second</span><span class="p">).</span><span class="n">hour</span> <span class="n">hour_slots</span><span class="p">[</span><span class="n">hour</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">current_count</span><span class="p">)</span> </code></pre> </div> <p>At recalculation time, if the current hour's slot has at least 30 samples, we use it instead of the 30-minute window. This means 9am traffic is compared to yesterday's 9am baseline, not to the 8:30am baseline — much more accurate.</p> <h2> Part 4: How the Detection Logic Makes a Decision </h2> <p>We have a rate (from the sliding window) and a baseline (mean and stddev). How do we decide if the rate is an attack?</p> <h3> Z-score: how many standard deviations above normal? </h3> <p>The z-score is a way of asking "how unusual is this number compared to what we normally see?"<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>z-score = (current_rate - baseline_mean) / baseline_stddev </code></pre> </div> <p>If the baseline is mean=5 req/s, stddev=2:</p> <ul> <li>Current rate 7 req/s → z = (7-5)/2 = <strong>1.0</strong> → normal variation</li> <li>Current rate 11 req/s → z = (11-5)/2 = <strong>3.0</strong> → suspicious </li> <li>Current rate 25 req/s → z = (25-5)/2 = <strong>10.0</strong> → attack</li> </ul> <p>We flag anything with z-score &gt; 3.0. In a normal distribution, only 0.13% of values naturally exceed z=3. So a false positive rate of 0.13% is acceptable.</p> <h3> Multiplier: absolute rate check </h3> <p>Z-score alone has a weakness: if traffic is very consistent (low stddev), even a modest real attack might not produce a high z-score. So we add a second condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">rate</span> <span class="o">&gt;</span> <span class="mi">5</span> <span class="err">×</span> <span class="n">mean</span> <span class="err">→</span> <span class="n">flag</span> <span class="n">it</span> </code></pre> </div> <p>If normal is 5 req/s and someone hits 26 req/s, that's more than 5× — flag it regardless of stddev.</p> <p>Either condition firing triggers the response. Here's the actual detection code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_zscore</span><span class="p">(</span><span class="n">rate</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">mean</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">stddev</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="nf">return </span><span class="p">(</span><span class="n">rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">def</span> <span class="nf">check_anomaly</span><span class="p">(</span><span class="n">ip_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span><span class="p">):</span> <span class="n">z_thresh</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="c1"># loaded from config.yaml </span> <span class="n">m_thresh</span> <span class="o">=</span> <span class="mf">5.0</span> <span class="c1"># loaded from config.yaml </span> <span class="n">ip_z</span> <span class="o">=</span> <span class="nf">_zscore</span><span class="p">(</span><span class="n">ip_rate</span><span class="p">,</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span><span class="p">)</span> <span class="c1"># Either condition triggers the alert </span> <span class="n">is_anomaly</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_z</span> <span class="o">&gt;</span> <span class="n">z_thresh</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">&gt;</span> <span class="n">m_thresh</span> <span class="o">*</span> <span class="n">mean</span> <span class="ow">and</span> <span class="n">mean</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="n">is_anomaly</span><span class="p">,</span> <span class="n">ip_z</span> </code></pre> </div> <h3> Error surge tightening </h3> <p>There's a third detection mode for slow attacks. An attacker doing credential stuffing (trying username/password combinations) won't necessarily send huge traffic volumes — but they'll generate lots of 401 Unauthorized responses. </p> <p>We track error rates separately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># If this IP's 4xx/5xx rate is 3× the baseline error rate, # tighten the thresholds for this IP </span><span class="k">if</span> <span class="n">err_rate</span> <span class="o">&gt;=</span> <span class="mf">3.0</span> <span class="o">*</span> <span class="n">baseline_error_mean</span><span class="p">:</span> <span class="n">z_thresh</span> <span class="o">=</span> <span class="mf">2.0</span> <span class="c1"># lower bar → easier to trigger </span> <span class="n">m_thresh</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="c1"># lower bar → easier to trigger </span> <span class="n">state</span><span class="p">.</span><span class="n">tightened</span> <span class="o">=</span> <span class="bp">True</span> </code></pre> </div> <p>This catches slow, stealthy attacks that would otherwise fly under the radar.</p> <h3> Putting it all together </h3> <p>Here's the full <code>process()</code> function that runs on every log line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">process</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">entry</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">source_ip</span><span class="sh">"</span><span class="p">]</span> <span class="n">now</span> <span class="o">=</span> <span class="n">entry</span><span class="p">[</span><span class="sh">"</span><span class="s">_parsed_at</span><span class="sh">"</span><span class="p">]</span> <span class="n">status</span> <span class="o">=</span> <span class="n">entry</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_baseline</span><span class="p">.</span><span class="nf">get_baseline</span><span class="p">()</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">_lock</span><span class="p">:</span> <span class="n">state</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_ip_states</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="c1"># 1. Update sliding windows </span> <span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">_global_ts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_global_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">ip_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">timestamps</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="n">global_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_global_ts</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="c1"># 2. Check error surge → tighten thresholds if needed </span> <span class="k">if</span> <span class="n">status</span> <span class="o">&gt;=</span> <span class="mi">400</span><span class="p">:</span> <span class="n">state</span><span class="p">.</span><span class="n">error_ts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">error_ts</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">err_rate</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">state</span><span class="p">.</span><span class="n">error_ts</span><span class="p">)</span> <span class="o">/</span> <span class="mi">60</span> <span class="n">z_thresh</span> <span class="o">=</span> <span class="mf">2.0</span> <span class="k">if</span> <span class="n">state</span><span class="p">.</span><span class="n">tightened</span> <span class="k">else</span> <span class="mf">3.0</span> <span class="n">m_thresh</span> <span class="o">=</span> <span class="mf">3.0</span> <span class="k">if</span> <span class="n">state</span><span class="p">.</span><span class="n">tightened</span> <span class="k">else</span> <span class="mf">5.0</span> <span class="c1"># 3. Score and decide </span> <span class="n">ip_z</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">else</span> <span class="mi">0</span> <span class="n">ip_anomaly</span> <span class="o">=</span> <span class="p">(</span><span class="n">ip_z</span> <span class="o">&gt;</span> <span class="n">z_thresh</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">ip_rate</span> <span class="o">&gt;</span> <span class="n">m_thresh</span> <span class="o">*</span> <span class="n">mean</span><span class="p">)</span> <span class="c1"># 4. Fire callback if anomalous (with 10-second cooldown) </span> <span class="k">if</span> <span class="n">ip_anomaly</span><span class="p">:</span> <span class="n">last</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_last_fired</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">last</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_last_fired</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="o">=</span> <span class="n">now</span> <span class="n">self</span><span class="p">.</span><span class="nf">on_ip_anomaly</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">ip_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">ip_rate</span><span class="p">,</span> <span class="sh">"</span><span class="s">zscore</span><span class="sh">"</span><span class="p">:</span> <span class="n">ip_z</span><span class="p">,</span> <span class="p">...})</span> <span class="c1"># 5. Check global anomaly separately </span> <span class="n">g_z</span> <span class="o">=</span> <span class="p">(</span><span class="n">global_rate</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">/</span> <span class="n">stddev</span> <span class="k">if</span> <span class="n">stddev</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">else</span> <span class="mi">0</span> <span class="k">if</span> <span class="n">g_z</span> <span class="o">&gt;</span> <span class="mf">3.0</span> <span class="ow">or</span> <span class="n">global_rate</span> <span class="o">&gt;</span> <span class="mf">5.0</span> <span class="o">*</span> <span class="n">mean</span><span class="p">:</span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">self</span><span class="p">.</span><span class="n">_global_last_fired</span> <span class="o">&gt;</span> <span class="mi">30</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_global_last_fired</span> <span class="o">=</span> <span class="n">now</span> <span class="n">self</span><span class="p">.</span><span class="nf">on_global_anomaly</span><span class="p">({</span><span class="sh">"</span><span class="s">global_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">global_rate</span><span class="p">,</span> <span class="p">...})</span> </code></pre> </div> <p>When <code>on_ip_anomaly</code> fires, it calls the blocker. When <code>on_global_anomaly</code> fires, it calls the notifier directly (no ban — you can't ban the whole internet).</p> <h2> Part 5: How iptables Blocks an IP </h2> <p><code>iptables</code> is the Linux kernel's firewall. It processes every network packet that enters or leaves your machine and applies rules to decide what to do with each one.</p> <p>Think of it like a bouncer at a club. The bouncer has a list of rules:</p> <ol> <li>Allow anyone with a VIP pass (ACCEPT)</li> <li>Drop anyone on the blacklist (DROP)</li> <li>Default: let everyone in (ACCEPT)</li> </ol> <p>When we detect an attack from IP <code>1.2.3.4</code>, we add a rule to the top of the <code>INPUT</code> chain (the chain that handles incoming packets):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>iptables <span class="nt">-I</span> INPUT <span class="nt">-s</span> 1.2.3.4 <span class="nt">-j</span> DROP </code></pre> </div> <p>Breaking this down:</p> <ul> <li> <code>-I INPUT</code> — Insert at the top of the INPUT chain (before other rules)</li> <li> <code>-s 1.2.3.4</code> — Match packets with source IP 1.2.3.4</li> <li> <code>-j DROP</code> — Silently drop matching packets (no response sent to attacker)</li> </ul> <p>The <code>-I</code> (insert) rather than <code>-A</code> (append) is important. Rules are checked top-to-bottom. By inserting at the top, our DROP rule is checked before any ACCEPT rules — the attacker is blocked immediately.</p> <p>You can verify the rule was added:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>iptables <span class="nt">-L</span> INPUT <span class="nt">-n</span> <span class="nt">-v</span> Chain INPUT <span class="o">(</span>policy ACCEPT<span class="o">)</span> target prot opt <span class="nb">source </span>destination DROP all <span class="nt">--</span> 1.2.3.4 0.0.0.0/0 ACCEPT all <span class="nt">--</span> 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ... </code></pre> </div> <p>Here's the Python code that issues this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">subprocess</span> <span class="k">def</span> <span class="nf">_iptables_add</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Add a DROP rule for this IP. Check first to avoid duplicates.</span><span class="sh">"""</span> <span class="c1"># Check if rule already exists </span> <span class="n">check</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-C</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">if</span> <span class="n">check</span><span class="p">.</span><span class="n">returncode</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># already banned, nothing to do </span> <span class="c1"># Add the rule </span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-I</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">_iptables_remove</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Remove the DROP rule. Loop in case it was added more than once.</span><span class="sh">"""</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">iptables</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-D</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-s</span><span class="sh">"</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">-j</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">],</span> <span class="n">capture_output</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">returncode</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span> <span class="k">break</span> <span class="c1"># no more rules for this IP </span></code></pre> </div> <h3> The backoff schedule </h3> <p>We don't ban forever on the first offence. The ban duration follows a backoff schedule:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offence</th> <th>Duration</th> </tr> </thead> <tbody> <tr> <td>1st ban</td> <td>10 minutes</td> </tr> <tr> <td>2nd ban</td> <td>30 minutes</td> </tr> <tr> <td>3rd ban</td> <td>2 hours</td> </tr> <tr> <td>4th+ ban</td> <td>Permanent</td> </tr> </tbody> </table></div> <p>A background thread (the unbanner) wakes up every 30 seconds and checks whether any bans have expired:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">time</span> <span class="k">class</span> <span class="nc">UnbannerThread</span><span class="p">(</span><span class="n">threading</span><span class="p">.</span><span class="n">Thread</span><span class="p">):</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">while</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_stop</span><span class="p">.</span><span class="nf">wait</span><span class="p">(</span><span class="mi">30</span><span class="p">):</span> <span class="c1"># check every 30 seconds </span> <span class="n">expired</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_blocker</span><span class="p">.</span><span class="nf">get_expired_bans</span><span class="p">()</span> <span class="k">for</span> <span class="n">ip</span> <span class="ow">in</span> <span class="n">expired</span><span class="p">:</span> <span class="n">record</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_blocker</span><span class="p">.</span><span class="nf">unban</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="k">if</span> <span class="n">record</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_notifier</span><span class="p">.</span><span class="nf">send_unban</span><span class="p">(</span><span class="n">record</span><span class="p">)</span> <span class="c1"># Slack alert </span> <span class="k">def</span> <span class="nf">get_expired_bans</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="k">return</span> <span class="p">[</span> <span class="n">ip</span> <span class="k">for</span> <span class="n">ip</span><span class="p">,</span> <span class="n">rec</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_bans</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">rec</span><span class="p">.</span><span class="n">expires_at</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="ow">and</span> <span class="n">now</span> <span class="o">&gt;=</span> <span class="n">rec</span><span class="p">.</span><span class="n">expires_at</span> <span class="p">]</span> </code></pre> </div> <p>When an IP is unbanned, <code>iptables -D INPUT -s &lt;ip&gt; -j DROP</code> removes the rule, and a Slack notification goes out so the team knows the ban was lifted.</p> <h2> Part 6: Slack Alerts </h2> <p>Every ban, unban, and global anomaly sends a Slack message. We use Slack's Incoming Webhooks — a URL you POST JSON to, and it appears as a message in your channel.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">send_ban</span><span class="p">(</span><span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">info</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="n">text</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">:rotating_light: *IP BANNED* — `</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Rate:* `</span><span class="si">{</span><span class="n">info</span><span class="p">[</span><span class="sh">'</span><span class="s">ip_rate</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> req/s` </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Baseline:* `</span><span class="si">{</span><span class="n">info</span><span class="p">[</span><span class="sh">'</span><span class="s">mean</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">` </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Z-score:* `</span><span class="si">{</span><span class="n">info</span><span class="p">[</span><span class="sh">'</span><span class="s">zscore</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Duration:* `</span><span class="si">{</span><span class="n">record</span><span class="p">.</span><span class="n">duration_label</span><span class="si">}</span><span class="s">` (ban #</span><span class="si">{</span><span class="n">record</span><span class="p">.</span><span class="n">ban_count</span><span class="si">}</span><span class="s">)</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Time:* </span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="n">webhook_url</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">text</span><span class="p">}),</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">5</span> <span class="p">)</span> </code></pre> </div> <p>Critically, Slack calls happen in a <strong>thread pool</strong> — they never block the main detection loop. If Slack is slow or down, we don't miss detecting the next attack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span> <span class="n">executor</span> <span class="o">=</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">4</span><span class="p">)</span> <span class="k">def</span> <span class="nf">send_ban_async</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">record</span><span class="p">):</span> <span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">_post_to_slack</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">record</span><span class="p">)</span> </code></pre> </div> <h2> Part 7: The Live Dashboard </h2> <p>The dashboard is a Flask web app that serves a single HTML page which polls <code>/api/metrics</code> every 3 seconds via JavaScript <code>fetch()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">jsonify</span> <span class="kn">import</span> <span class="n">psutil</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/metrics</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">metrics</span><span class="p">():</span> <span class="n">snap</span> <span class="o">=</span> <span class="n">detector</span><span class="p">.</span><span class="nf">get_snapshot</span><span class="p">()</span> <span class="n">mean</span><span class="p">,</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">get_baseline</span><span class="p">()</span> <span class="n">banned</span> <span class="o">=</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">get_banned_ips</span><span class="p">()</span> <span class="k">return</span> <span class="nf">jsonify</span><span class="p">({</span> <span class="sh">"</span><span class="s">uptime</span><span class="sh">"</span><span class="p">:</span> <span class="nf">get_uptime_string</span><span class="p">(),</span> <span class="sh">"</span><span class="s">global_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">snap</span><span class="p">[</span><span class="sh">"</span><span class="s">global_rate</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">top_ips</span><span class="sh">"</span><span class="p">:</span> <span class="n">snap</span><span class="p">[</span><span class="sh">"</span><span class="s">top_ips</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="mi">3</span><span class="p">),</span> <span class="sh">"</span><span class="s">stddev</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="mi">3</span><span class="p">),</span> <span class="sh">"</span><span class="s">banned</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">:</span> <span class="n">r</span><span class="p">.</span><span class="n">ip</span><span class="p">,</span> <span class="sh">"</span><span class="s">duration</span><span class="sh">"</span><span class="p">:</span> <span class="n">r</span><span class="p">.</span><span class="n">duration_label</span><span class="p">,</span> <span class="p">...}</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">banned</span><span class="p">],</span> <span class="sh">"</span><span class="s">cpu_pct</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">cpu_percent</span><span class="p">(),</span> <span class="sh">"</span><span class="s">mem_pct</span><span class="sh">"</span><span class="p">:</span> <span class="n">psutil</span><span class="p">.</span><span class="nf">virtual_memory</span><span class="p">().</span><span class="n">percent</span><span class="p">,</span> <span class="sh">"</span><span class="s">audit_tail</span><span class="sh">"</span><span class="p">:</span> <span class="nf">read_last_20_audit_lines</span><span class="p">(),</span> <span class="p">})</span> </code></pre> </div> <p>The frontend JavaScript refreshes this every 3 seconds and updates the DOM without a full page reload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">refresh</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">r</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/metrics</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">d</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">global-rate</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">global_rate</span><span class="p">.</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="o">+</span> <span class="dl">'</span><span class="s1"> req/s</span><span class="dl">'</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">mean</span><span class="dl">'</span><span class="p">).</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">mean</span><span class="p">;</span> <span class="c1">// Color the rate red if it's approaching the anomaly threshold</span> <span class="kd">const</span> <span class="nx">rateEl</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">global-rate</span><span class="dl">'</span><span class="p">);</span> <span class="nx">rateEl</span><span class="p">.</span><span class="nx">style</span><span class="p">.</span><span class="nx">color</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">global_rate</span> <span class="o">&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nx">mean</span> <span class="o">*</span> <span class="mi">3</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">#f87171</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">#4ade80</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Render banned IPs table</span> <span class="kd">const</span> <span class="nx">bannedRows</span> <span class="o">=</span> <span class="nx">d</span><span class="p">.</span><span class="nx">banned</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">b</span> <span class="o">=&gt;</span> <span class="s2">`&lt;tr&gt;&lt;td&gt;</span><span class="p">${</span><span class="nx">b</span><span class="p">.</span><span class="nx">ip</span><span class="p">}</span><span class="s2">&lt;/td&gt;&lt;td&gt;</span><span class="p">${</span><span class="nx">b</span><span class="p">.</span><span class="nx">duration</span><span class="p">}</span><span class="s2">&lt;/td&gt;&lt;td&gt;</span><span class="p">${</span><span class="nx">b</span><span class="p">.</span><span class="nx">banned_at</span><span class="p">}</span><span class="s2">&lt;/td&gt;&lt;/tr&gt;`</span> <span class="p">).</span><span class="nf">join</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">banned-table</span><span class="dl">'</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">bannedRows</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">&lt;tr&gt;&lt;td colspan="3"&gt;No active bans ✓&lt;/td&gt;&lt;/tr&gt;</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="nf">setInterval</span><span class="p">(</span><span class="nx">refresh</span><span class="p">,</span> <span class="mi">3000</span><span class="p">);</span> <span class="nf">refresh</span><span class="p">();</span> <span class="c1">// immediate first load</span> </code></pre> </div> <h2> Part 8: The Audit Log </h2> <p>Every significant event is written to a structured audit log in a format designed to be both human-readable and grep-able:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="err">[</span><span class="py">2026-04-26T14</span><span class="p">:</span><span class="s">08:21Z] BAN ip=1.2.3.4 | condition=zscore=4.21 rate=87.3req/s mean=5.2 | rate=87.300 | baseline=5.200 | duration=10m</span> <span class="err">[</span><span class="py">2026-04-26T14</span><span class="p">:</span><span class="s">18:22Z] UNBAN ip=1.2.3.4 | condition=zscore=4.21 rate=87.3req/s mean=5.2 | rate=87.300 | baseline=5.200 | duration=10m</span> <span class="err">[</span><span class="py">2026-04-26T14</span><span class="p">:</span><span class="s">07:06Z] BASELINE_RECALC ip=N/A | condition=recalculation | rate=5.200 | baseline=1.100 | duration=N/A</span> </code></pre> </div> <p>You can search these logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All bans today</span> <span class="nb">grep</span> <span class="s2">"BAN "</span> /var/log/detector/audit.log | <span class="nb">grep</span> <span class="s2">"2026-04-26"</span> <span class="c"># All recalculations (to see baseline evolution)</span> <span class="nb">grep</span> <span class="s2">"BASELINE_RECALC"</span> /var/log/detector/audit.log <span class="c"># How often was 1.2.3.4 banned?</span> <span class="nb">grep</span> <span class="s2">"ip=1.2.3.4"</span> /var/log/detector/audit.log | <span class="nb">grep</span> <span class="s2">"^.*BAN "</span> </code></pre> </div> <h2> Putting It All Together </h2> <p>Here's <code>main.py</code> — the entry point that wires every component together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">queue</span> <span class="kn">import</span> <span class="n">signal</span> <span class="kn">import</span> <span class="n">threading</span> <span class="c1"># 1. Build all components </span><span class="n">log_queue</span> <span class="o">=</span> <span class="n">queue</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span><span class="n">maxsize</span><span class="o">=</span><span class="mi">100_000</span><span class="p">)</span> <span class="n">monitor</span> <span class="o">=</span> <span class="nc">LogMonitor</span><span class="p">(</span><span class="n">log_path</span><span class="p">,</span> <span class="n">log_queue</span><span class="p">)</span> <span class="n">baseline</span> <span class="o">=</span> <span class="nc">BaselineEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">)</span> <span class="n">blocker</span> <span class="o">=</span> <span class="nc">BlockerEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">,</span> <span class="n">audit_path</span><span class="p">)</span> <span class="n">notifier</span> <span class="o">=</span> <span class="nc">NotifierEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">)</span> <span class="n">detector</span> <span class="o">=</span> <span class="nc">DetectorEngine</span><span class="p">(</span><span class="n">cfg</span><span class="p">,</span> <span class="n">baseline</span><span class="p">)</span> <span class="c1"># 2. Wire the anomaly callbacks </span><span class="k">def</span> <span class="nf">on_ip_anomaly</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">):</span> <span class="k">if</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">is_banned</span><span class="p">(</span><span class="n">ip</span><span class="p">):</span> <span class="k">return</span> <span class="c1"># already banned, skip </span> <span class="n">record</span> <span class="o">=</span> <span class="n">blocker</span><span class="p">.</span><span class="nf">ban</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">condition</span><span class="o">=</span><span class="p">...,</span> <span class="n">rate</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="sh">"</span><span class="s">ip_rate</span><span class="sh">"</span><span class="p">],</span> <span class="n">baseline</span><span class="o">=</span><span class="n">info</span><span class="p">[</span><span class="sh">"</span><span class="s">mean</span><span class="sh">"</span><span class="p">])</span> <span class="n">notifier</span><span class="p">.</span><span class="nf">send_ban</span><span class="p">(</span><span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">,</span> <span class="n">record</span><span class="p">)</span> <span class="k">def</span> <span class="nf">on_global_anomaly</span><span class="p">(</span><span class="n">info</span><span class="p">):</span> <span class="n">notifier</span><span class="p">.</span><span class="nf">send_global_anomaly</span><span class="p">(</span><span class="n">info</span><span class="p">)</span> <span class="n">detector</span><span class="p">.</span><span class="n">on_ip_anomaly</span> <span class="o">=</span> <span class="n">on_ip_anomaly</span> <span class="n">detector</span><span class="p">.</span><span class="n">on_global_anomaly</span> <span class="o">=</span> <span class="n">on_global_anomaly</span> <span class="c1"># 3. Start background threads </span><span class="n">monitor</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="nc">UnbannerThread</span><span class="p">(</span><span class="n">blocker</span><span class="p">,</span> <span class="n">notifier</span><span class="p">).</span><span class="nf">start</span><span class="p">()</span> <span class="nf">run_dashboard</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">8080</span><span class="p">)</span> <span class="c1"># 4. Main loop — drain queue, feed baseline and detector </span><span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">entry</span> <span class="o">=</span> <span class="n">log_queue</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">timeout</span><span class="o">=</span><span class="mf">0.05</span><span class="p">)</span> <span class="n">baseline</span><span class="p">.</span><span class="nf">record</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c1"># update statistics </span> <span class="n">detector</span><span class="p">.</span><span class="nf">process</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c1"># check for anomalies </span> <span class="k">except</span> <span class="n">queue</span><span class="p">.</span><span class="n">Empty</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># no new log lines, loop again </span></code></pre> </div> <p>The design is intentionally simple: one hot path (queue drain → baseline → detector) runs in the main thread. All I/O — Slack posts, iptables calls, dashboard requests — happens in separate threads and never blocks detection.</p> <h2> What I Learned </h2> <p>Building this from scratch taught me things that using Fail2Ban never would have:</p> <p><strong>Deques are the right tool for sliding windows.</strong> The O(1) popleft makes a real difference when you're processing thousands of events per second. A list would have worked fine until the DDoS actually started — which is exactly when you need it to be fast.</p> <p><strong>Baselines must have floors.</strong> My first version had no floor values. It triggered constantly at night because the stddev got so low that normal morning traffic looked like an anomaly. One line of code (<code>mean = max(mean, 1.0)</code>) fixed it.</p> <p><strong>Per-hour slots matter more than you'd think.</strong> Without them, the 30-minute window picks up the tail of the previous hour's traffic and skews the baseline for the current hour. The hour slots give you a cleaner "what does this hour normally look like" answer.</p> <p><strong>iptables rules apply to the host kernel, not the container.</strong> The detector container has to run with <code>network_mode: host</code> and <code>CAP_NET_ADMIN</code>. If you run it in a bridge network and add iptables rules inside the container, those rules only affect traffic inside the container's network namespace — not the actual packets arriving at the server.</p> <p><strong>Thread safety is non-negotiable.</strong> The log monitor, the main loop, the Flask dashboard, the unbanner, and the Slack notifier all touch shared state. A <code>threading.Lock()</code> around every mutation took 20 minutes to add and saved hours of debugging mysterious state corruption.</p> <h2> Running It Yourself </h2> <p>The full source code is on GitHub: <a href="https://github.com/AirFluke/hng-detector.git" rel="noopener noreferrer">github.com/Airfluke/hng-detector</a></p> <p>To run it on a fresh Ubuntu VPS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Docker</span> curl <span class="nt">-fsSL</span> https://get.docker.com | sh <span class="c"># Clone and configure</span> git clone https://github.com/AirFluke/hng-detector.git <span class="nb">cd </span>hng-detector <span class="nb">cp</span> .env.example .env nano .env <span class="c"># add your Slack webhook URL and server IP</span> <span class="c"># Launch everything</span> docker compose up <span class="nt">-d</span> <span class="nt">--build</span> <span class="c"># Watch the detector work</span> docker logs <span class="nt">-f</span> hng-detector <span class="c"># Test it with a traffic burst</span> apt <span class="nb">install </span>apache2-utils ab <span class="nt">-n</span> 2000 <span class="nt">-c</span> 150 http://localhost/ <span class="c"># Check iptables for the ban</span> iptables <span class="nt">-L</span> INPUT <span class="nt">-n</span> <span class="nt">-v</span> </code></pre> </div> <p>The dashboard will be live at <code>http://your-server-ip:8080</code>.</p> <h2> Conclusion </h2> <p>Security tooling doesn't have to be a black box. The core ideas here — a deque-based sliding window, a rolling statistical baseline, z-score anomaly detection, and iptables for enforcement — are each individually simple. The power comes from wiring them together into a continuously running daemon that never sleeps.</p> <p>If you're new to security tooling, I hope this post demystified what's happening under the hood of the tools you've always treated as magic. Go build something.</p> <p><em>Found this useful? Share it with someone learning DevSecOps. Questions? Drop them in the comments.</em></p> networking security showdev tutorial