2011-07-19

shell, postfix, vps, python, linux, howto, django, nginx, ubuntu

An Ubuntu VPS for Django

Three years ago I wrote a guide to building a VPS web server for serving sites in a PHP environment. That setup served me well for some time, but most of the sites I run now – including this one – are now written in Python. Earlier this year I built another web server to reflect this. It’s similar to before; I still use Ubuntu and I still like to serve pages with nginx. But PHP has been replaced with Python, and many of the packages used to build the environment have changed as a result. As with the last time, I decided to compile my notes into a guide, both for my own reference and in case anyone else would like to duplicate it. So far, the server has proven to be fast and efficient. It serves Python using uWSGI, uses a PostgreSQL database, and includes a simple mail server provided by Postfix. I think it’s a good setup for serving simple Django-based websites.

Basic Setup

As with last time, I recommend following Slicehost’s basic server setup article. It discusses user administration, SSH security, and firewalls. I no longer use Slicehost as my VPS provider, but I find that Slicehost’s articles provide an excellent base regardless of the host.

Packages

Packages should upgraded immediately to address any known security vulnerabilities.

$ sudo apt-get update
$ sudo apt-get upgrade

After the repositories have been updated, I install some essential packages.

1	`$ sudo apt-get install build-essential screen dnsutils`

Build-essential includes necessary tools to compile programs. I am incapable of using a computer that does not have screen on it, so that gets installed too. The third package, dnsutils, is optional, but includes dig which is useful for troubleshooting DNS issues.

DenyHosts

Slicehost’s setup article recommends turning off password authentication in SSH, forcing users to login with keys only. I use keys whenever I can, but I appreciate the option of being able to login to my server from any computer, when I may or may not have my SSH key with me. So I leave password authentication enabled. This presents the possibility of brute-force attacks. Enter DenyHosts. DenyHosts, which I have discussed previously attempts to protect against SSH attacks by banning hosts after a certain number of failed login attempts. When password authentication is enabled, running DenyHosts is a smart move.

$ sudo apt-get install denyhosts
$ sudo vim /etc/denyhosts.conf

Personalize the Environment

I use update-alternatives to set my default editor to vim.

1	`$ sudo update-alternatives --config editor`

All of my personal configuration files are kept in a github repository. I’ll check out that repository into ~/src and install the files.

$ mkdir ~/src
$ cd ~/src
$ sudo apt-get install git-core
$ git clone git://github.com/pigmonkey/dotfiles.git
$ ln -s ~/src/dotfiles/bash_profile ~/.bash_profile
$ ln -s ~/src/dotfiles/bashrc ~/.bashrc
$ ln -s ~/src/dotfiles/bash_aliases ~/.bash_aliases
$ ln -s ~/src/dotfiles/bash_colors ~/.bash_colors
$ ln -s ~/src/dotfiles/vimrc ~/.vimrc
$ ln -s ~/src/dotfiles/vim ~/.vim
$ ln -s ~/src/dotfiles/screenrc ~/.screenrc
$ source ~/.bash_profile

Time

The next step is to set the server’s timezone and sync the clock with NTP.

$ sudo dpkg-reconfigure tzdata
$ sudo apt-get install ntp

Rootkits

There’s no reason not to run both chkrootkit and rkhunter to check for rootkits and related vulnerabilities.

chrkrootkit

Slicehost has an excellent article for setting up and using chkrootkit.

Later on I’ll be installing some Python development packages. One of them creates a directory called /usr/lib/pymodules/python2.6/.path, which sets off a warning in chkrootkit. Part of chkrootkit’s desgin philosophy is to not include any whitelists: if chkrootkit finds something that it doesn’t like, you’re going to hear about it. I have cron run chkrootkit nightly and I want to receive any warnings, but I don’t want to receive the same false positive every morning in my inbox.

The solution is to create a file that contains chkrootkit’s warning. I call that file whitelist and store it in the same directory as chkrootkit. When chkrootkit is run, any output is redirected to a file. That file is compared to the whitelist using diff and the output of that – if any – is then read. At the end, the file containing chkrootkit’s output is deleted so that the working directory is ready for the next run. The effect is that I only hear warnings from chkrootkit that I have not explicit whitelisted. All of this can be accomplished in a single crontab entry.

0 3 * * * (cd /home/demo/src/chkrootkit-0.49; ./chkrootkit -q > message 2>&1; diff -w whitelist message; rm -f message)

rkhunter

I’m sure it doesn’t surprise you that I’m going to recommend reading Slicehost’s article on rkhunter.

Unlike chkrootkit, rkhunter does allow for whitelists. On a clean Ubuntu 10.04 system, I find that I need to whitelist a few items in the config.

$ sudo vim /etc/rkhunter.conf

SCRIPTWHITELIST="/usr/sbin/adduser /usr/bin/ldd /bin/which"
ALLOWHIDDENDIR="/dev/.udev /dev/.initramfs"
APP_WHITELIST="openssl:0.9.8k gpg:1.4.10"

$ sudo /usr/local/bin/rkhunter --propupd

The script that my cronjob runs is slightly different from the one demonstrated in the Slicehost article. Their script executes a few commands, groups the output together, and sends it to mail to email the system administrator. This results in daily emails, regardless of whether rkhunter finds any warnings or not. My script is simpler and does not result in so many messages.

#!/bin/sh
/usr/local/bin/rkhunter --versioncheck -q
/usr/local/bin/rkhunter --update -q
/usr/local/bin/rkhunter --cronjob --report-warnings-only

The version check and update commands both have the -q switch, which disables any output – I don’t care to know whether rkhunter updated itself or not. The final line actually executes the scan. Notice that there’s no reference to mail. This script does not send any messages. The reason for that is that rkhunter itself provides the mail functionality. Inside of /etc/rkhunter.conf there is a MAIL-ON-WARNING variable. As long as the machine has an smtp server on it (which I’ll get to later in this guide), simply filling in this variable will result in any warnings being emailed to the system administrator.

Web Server

With the basics complete, it’s time to start serving something! In my previous article I covered serving a PHP-based Wordpress site via FastCGI and nginx. This time around the stack will be different: nginx, uWSGI, Python, and Django.

A few basic packages will help flesh out the server’s Python development environment:

$ sudo apt-get install python-psycopg2 python-setuptools python2.6-dev psmisc python-imaging locate python-dateutil libxml2-dev python-software-properties

uWSGI

Installing uWSGI is a simple matter of compiling it and moving the resulting binary into one of your system’s bin directories.

$ cd ~/src/
$ wget http://projects.unbit.it/downloads/uwsgi-0.9.8.tar.gz
$ tar xvzf ~/uwsgi-0.9.8.tar.gz
$ cd uwsgi-0.9.8/
$ make -f Makefile.Py26
$ sudo cp uwsgi /usr/local/sbin

nginx

The nginx package in Ubuntu’s official repositories is always notoriously outdated. It used to be you had to compile the server from source, but there is now an Ubuntu PPA for the latest stable versions. As described by the nginx wiki, all that is needed is to add the PPA to your sources.list and apt-get away!

$ sudo add-apt-repository ppa:nginx/stable
$ sudo apt-get update 
$ sudo apt-get install nginx

Python and Django

If you do Python development and haven’t heard of virtualenv, it is well worth reading up on. It allows the user to create an isolated, virtual Python environment for each project. This helps immensely when developing (or serving) multiple projects on a single machine. Needless to say, I consider it to be a required package.

Install

I’ll be installing virtualenv and virtualenvwrapper (a set of scripts to facilitate working with virtual environments). I also prefer pip over easy_install for managing Python packages.

$ sudo easy_install -U pip 
$ sudo pip install virtualenv
$ sudo pip install virtualenvwrapper

Setup a virtual environment

Virtual environments can be stored wherever you fancy. For now, I keep them in a hidden folder in my home directory. For these examples, I’ll setup an environment called myproject.

$ mkdir ~/.virtualenvs
$ cd ~/.virtualenvs
$ virtualenv --no-site-packages --distribute myproject

Notice the --no-site-packages switch. That tells virtualenv to create this environment without any of the Python packages already installed, creating a completely fresh, clean environment. The --distribute switch causes the new virtual environment to be setup with distribute, a replacement for the old and rather broken setuptools.

All that’s needed to get virtualenvwrapper up and running is to add two lines to your .bashrc and re-source the file.

$ vim ~/.bashrc

export WORKON_HOME=$HOME/.virtualenvs
source /usr/local/bin/virtualenvwrapper.sh

$ . ~/.bashrc

We can now use commands like workon to ease the process of activating a certain environment.

I’ll go ahead and install yolk in the environment to help manage packages.

$ workon myproject
$ pip install yolk
$ yolk -l

The last command will cause yolk to list all packages installed in the environment. Try deactivating the environment and then running yolk again.

$ deactivate
$ yolk -l
yolk: command not found

‘yolk’ wasn’t found, because it was only installed within the virtual environment. Neat!

Install Django

Finally, it’s time to install Django! The process is simple enough.

$ workon myproject
$ pip install django

And that’s it!

The Python Imaging Library is likely to be needed for any Django project. I installed it in the beginning of this section, but because I used the --no-site-packages when creating my virtual environment, it is not available for use within the project. To fix that, I’ll just link the package in. I also previously installed psyopg2, which Python will need to communicate with my PostgreSQL database, so I’ll link that in as well. psyopg2 depends on mx, which was also previously installed but still must be made available in the environment.

$ cdsitepackages
$ ln -s /usr/lib/python2.6/dist-packages/PIL
$ ln -s /usr/lib/python2.6/dist-packages/PIL.pth
$ ln -s /usr/lib/python2.6/dist-packages/psycopg2
$ ln -s /usr/lib/python2.6/dist-packages/mx

That wasn’t too painful!

Create a Django project

While I’m still in the virtual environment, I’ll go ahead and create a new Django project. The project will have the same name as the environment: myproject. For this tutorial, I’ll stick with the precedence set by the Slicehost tutorials and use demo as the name of both my user and group on the server.

I like to keep my sites in the /srv/ directory. I structure them so that the code that runs the site, any public files, logs, and backups are all stored in separate sub-directories.

$ cd /srv/
$ sudo mkdir -p myproject.com/{code,public,logs,backup}
$ sudo mkdir -p myproject.com/public/{media,static}
$ sudo chown -R demo:demo myproject.com
$ cd myproject.com
$ sudo chown -R :www-data logs public
$ sudo chmod -R g+w logs public
$ cd code/
$ django-admin.py startproject myproject

Notice that the logs and public directories were chowned to the www-data group. That is the name of the user and group that nginx will run as. The web server will need permissions to write to those locations.

Save Requirements

With the environment setup and all the necessary packages installed, now is a good time to tell pip to freeze all the packages and their versions. I keep this file in a deploy folder in my project.

$ mkdir /srv/myproject.com/code/deploy
$ pip freeze > /srv/myproject.com/code/deploy/requirements.txt

Now, if I needed to recreate the virtual environment somewhere else, I could just tell pip to install all the packages from that file.

1	`$ pip install -r /srv/myproject.com/code/deploy/requirements.txt`

Configure uWSGI

Now that I have something to serve, I’ll configure uWSGI to serve it. The first step is to create a configuration file for the project. I call mine wsgi.py and store it in /srv/myproject.com/code/myproject/. It appends the current directory to the Python path, specifies the Django settings file for the project, and registers the WSGI handler.

import sys
import os

sys.path.append(os.path.abspath(os.path.dirname(__file__)))
os.environ['DJANGO_SETTINGS_MODULE'] = 'myproject.settings'

import django.core.handlers.wsgi

application = django.core.handlers.wsgi.WSGIHandler()

With that done, the next step is to decide how uWSGI should be run. I’m going to use Ubuntu’s upstart to supervise the service. I keep the upstart script in my project’s deploy/ directory.

$ vim /srv/myproject.com/code/deploy/uwsgi.conf

description "uWSGI server for My Project"

start on runlevel [2345]
stop on runlevel [!2345]

respawn
exec /usr/local/sbin/uwsgi \
--home /home/demo/.virtualenvs/myproject/ \
--socket /var/run/myproject.com.sock \
--chmod-socket \
--pythonpath /srv/myproject.com/code/ \
--module myproject.wsgi \
--process 2 \
--harakiri 30 \
--master \
--logto /srv/myproject.com/logs/uwsgi.log

Sadly, upstart doesn’t seem to recognize links. Rather than linking the config file into /etc/init/, I have to copy it.

$ sudo cp /srv/myproject.com/code/deploy/uwsgi.conf /etc/init/uwsgi-myproject.conf

Configure nginx

Nginx’s configuration is pretty straight-forward. If you’ve never configured the server before, Slicehost’s articles can set you down the right path. My own nginx config looks something like this:

user www-data www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
        worker_connections 768;
        use epoll;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_proxied any;
    gzip_comp_level 2;

    # gzip_vary on;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

I keep the virtual host config for my project inside the project’s code/deploy/ directory. A basic virtual host for a Django project would looks like this:

server {
    listen 80;
    server_name www.myproject.com;
    rewrite ^/(.*) http://myproject.com/$1 permanent;
}

server {
    listen 80;
    server_name myproject.com;

    access_log /srv/myproject.com/logs/access.log;
    error_log /srv/myproject.com/logs/error.log;

    location /media {
        root /srv/myproject.com/public/;
    }

    location /static {
        root /srv/myproject.com/public/;
    }

    location / {
        uwsgi_pass unix:///var/run/myproject.com.sock;
        include uwsgi_params;
    }
}

To install and enable the virtual host, I’ll link the configuration file first to the nginx sites-available directory, and then link that link to the sites-enabled directory.

$ sudo ln -s /srv/myproject.com/code/deploy/nginx.conf /etc/nginx/sites-available/myproject.com
$ sudo ln -s /etc/nginx/sites-available/myproject.com /etc/nginx/sites-enabled/myproject.com

SSL

If you need to encrypt communications, Linode has a tutorial on using both self-signed certificates and commercial certificates with nginx.

Fire it Up

Nginx should be set to talk to uWSGI, which should be set to talk to the Django project. Time for a test run!

$ sudo start uwsgi-myproject
$ sudo /etc/init.d/nginx start

memcached

Django has a very good built-in cache framework. I like to take advantage of it with a memory-based backend: namely, memcached. It’s fast, efficient, and easy to setup.

All that’s needed is to install memcached on the server, followed by the Python API python-memcached.

$ sudo apt-get install memcached
$ workon myproject
$ pip install python-memcached

The default configuration file in Ubuntu lives at /etc/memcached.conf. I usually stick with the defaults, but sometimes end up changing the port that memchached runs on or the amount of memory it is allowed to use.

logrotate

With the web server more-or-less complete, I like to setup logrotate to manage the logs in my project’s directory. Once again, Slicehost has an excellent introduction to logrotate and an example config for virtual hosts.

I maintain a configuration file for each of the domains being served by the machine. The file for a domain lives in – you guessed it – the associated project’s deploy/ folder. Each contains two entries: one for the nginx virtual host and one for the uWSGI instance. The reason for this is that each config block needs a postrotate section to restart the associated server after the logs have been rotated. I don’t want nginx to be restarted everytime a uWSGI log is rotated, and I don’t want uWSGI restarted everytime an nginx log is rotated.

$ vim /srv/myproject.com/code/deploy/logrotate

/srv/myproject.com/logs/access.log /srv/myproject.com/logs/error.log {
    rotate 14
    daily
    compress
    delaycompress
    sharedscripts
    postrotate
        [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
    endscript
}

/srv/myproject.com/logs/uwsgi.log {
    rotate 14
    daily
    compress
    delaycompress
    postrotate
       restart --quiet uwsgi-myproject
    endscript
}

This file is linked in to the /etc/logrotate.d/ directory. Logrotate will automatically include any file in that directory inside its configuration.

$ sudo ln -s /srv/myproject.com/code/deploy/logrotate /etc/logrotate.d/myproject

Database Server

A web server isn’t much use without a database these days. I use PostgreSQL.

Install

1	`$ sudo apt-get install postgresql`

Configure

PostgreSQL has some unique terminology and ways of doing things. When I first set it up for the first time, having coming from a MySQL background, not everything was completely straightforward. As usual, Slicehost has a number of articles that will provide a foundation.

In the /etc/postgresql/8.4/main/postgresql.conf file, I uncomment the following two lines:

track_counts = on
autovacuum = on

Then restart the database server.

1	`$ sudo /etc/init.d/postgresql-8.4 restart`

After that I’ll change the password for the postgres user and the postgres database role.

$ sudo passwd postgres
$ sudo -u postgres psql
\password postgres
\q

To allow local socket connections to the database using passwords, I open up /etc/postgresql/8.4/main/pg_hba.conf and find the following line:

local   all         all                               ident

Which I then change to:

local   all         all                               md5

After which another restart is in order.

1	`$ sudo /etc/init.d/postgresql-8.4 restart`

Create a database

The next step is to create a user (or role, in PostgreSQL’s parlance) and database for the project. I use the same name for both.

$ sudo -u postgres createuser -PE myproject
$ sudo -u postgres createdb -O myproject myproject

After that, I should be able to connect.

1	`$ psql -U myproject`

Import the Database

If I’m restoring a previous database from a backup, now would be the time to import the backup.

1	`$ psql -U myproject < myproject.postgresql`

And now Django should be able to connect!

The basic server is setup and secure. Django, uWSGI, nginx and PostgreSQL are all running and getting along swimmingly. At this point, many people would be done, but I also like to have a minimal mail server.

Mail Server

Most of my domains use Google Apps, so I don’t need a full-blown mail server. I do want programs and scripts to be able to send mail, and I prefer not to do so through an external SMTP server – I’d rather just deal with having sendmail running on my own box. And I do have a few domains that do not use Google Apps. They have one or two aliases associated with them, so the server needs to receive messages for those domains and forward them off to an external address. If any of this sounds vaguely familiar, it’s because it’s the same thing I detailed last time. My setup now is the same as then, so I won’t repeat any of it here.

For a more detailed explanation of running Postfix, you can read the Slicehost articles.

A Note on Git

I use Git to keep track of the code for all my projects. (If you’re new to Git, you ought to skim the Git Reference or Everyday GIT With 20 Commands Or So). To manage websites, I create a repository of the directory with the code that runs the site (in this case, /srv/myproject.com/code/) and another empty, bare repository to work as a hub. With a post-update and post-commit, the end result is an excellent web workflow:

A copy of the hub can be checked out on a local machine for development. Whenever a change is committed, a simple git push will push the code to the web server and automatically make it live.
Changes can be made on the server in the actual live website directory. (This is not a best practice, but I do it more often than I should probably admit.) Whenever a change is committed, it is automatically pushed to the hub, so that a simple git pull is all that’s needed on the development machine to update its repository.

A more detailed explanation of this workflow is at Joe Maller’s blog.

To start, I need to create a repository for the new project I created in this tutorial. And, since this is a new server, I need to give Git my name and email address to record with every commit.

$ git config --global user.name "Pig Monkey"
$ git config --global user.email "pm@pig-monkey.com"
$ cd /srv/myproject.com/code/
$ git init

Before adding the files, I create a .gitignore file in the repository root to tell Git to ignore compiled Python files.

$ vim .gitignore

*.pyc

Now I add all the files to the repository, confirm that it worked, and commit the files.

$ git add .
$ git status -s
$ git commit -m "Initial commit of myproject.com"

I create the bare hub directory directly along side the projects code/.

$ cd ../
$ mkdir hub.git
$ cd hub.git
$ git --bare init

With the hub created, I need to add it as the remote for the main repository and push the master branch to it.

$ cd ../code
$ git remote add hub /srv/myproject.com/hub.git
$ git remote show hub
$ git push hub master

Now the hub needs a post-update script so that every time something is pushed to it, that change is automagically pulled into the live website directory.

$ vim /srv/myproject.com/hub.git/hooks/post-update

#!/bin/sh
echo
echo "**** Pulling changes into live"
echo

cd /srv/myproject.com/code || exit
unset GIT_DIR
git pull hub master

exec git-update-server-info

$ chmod +x /srv/myproject.com/hub.git/hooks/post-update

And the live website directory requires a post-commit script so that every time something is committed inside of it, that change is automagically pushed to the hub.

$ vim /srv/myproject.com/code/.git/hooks/post-commit

#!/bin/sh
echo
echo "**** pushing changes to Hub"
echo

git push hub

$ chmod +x /srv/myproject.com/code/.git/hooks/post-commit

All that’s left is to check out the hub onto the development machine – my laptop, in this case!

$ mkdir ~/work/myproject/
$ cd ~/work/myproject/
$ git clone ssh://myserver.com/srv/myproject.com/hub.git code

To test things out, we can add a file to the repository on the development machine.

$ cd code/
$ touch test
$ git add test
$ git commit -m "A test"
$ git push

Now go back to the server, and the file should be there! To test things the other way around, I’ll delete the file from the live repository.

$ cd /srv/myproject.com/code/
$ ls
myproject test
$ git rm test
$ git commit -m "Removing the test file"

And once again to the development machine:

$ git pull
$ ls
deploy  myproject

No more test! It’s pretty dandy.

Restoring

If I was building a new server and restoring a project from an old server, I would simply mirror the old hub and then clone that in the live directory.

$ cd /srv/myproject.com/
$ git clone --mirror ssh://myoldserver.com/srv/myproject.com/hub.git
$ git clone hub.git code/

Resources

Prior to building this server, I was new to a lot of this – particularly, uWSGI and virtualenv. The following tutorials helped me a good deal in putting together the perfect setup for my needs.

A Primer on virtualenv by Chris Scott
A web-focused Git workflow by Joe Maller
Deployment with uWSGI and nginx by Zachary Voase
Django on uWSGI and Nginx by Brandon Konkle
Django, Nginx and uWSGI in production by Jeremy Bowers
Notes on using pip and virtualenv with Django by Eliot
Presentation: pip and virtualenv by Rich Leland
Provisioning a new Ubuntu server for Django by Brandon Konkle
Running Django with Nginx and uWSGI by Simon Westphahl
virtualenvwrapper Command Reference
Working with virtualenv by Arthur Koziel

This article was modified 2012-12-22.

2011-07-02

quote, wilderness

Into the Red Buttes Wilderness

Avagdu and I pulled into the trailhead around 7 PM. After getting our gear together, we decided to take advantage of the long summer evening to log a few miles. The trail into the Red Buttes Wilderness climbs steadily through pine woods. It’s dry and dusty with the lack of rain. But that’s to be expected. We’re back in California, after all.

Occasional glimpses of large slides and the valley below can be had through the trees. Soon enough, the sun sets behind the hills. I remove the headlamp from my pack and throw it around my neck. Avagdu stops a minute later to do the same. There’s another hour or so of good hiking to be got yet.

Our destination this night is Echo Lake. I don’t think it’s too much further down the trail. After I wet my feet in a stream crossing, I figure we must be close, but the sun is down, the moon not yet risen, and I’m worried I’ll miss the spur trail that goes off to the lake. Shortly after the crossing we’re surprised by a small wilderness camp: a shelter made of 4 upright posts and a few pine boughs for a roof, a table, a bit of firewood, and what is either an attempt at a chair or a Nessmuk-style fire. I can’t tell which. It’s an impressive setup. “Someone Ray Mears-ed it up,” Avagdu says. The only thing we can’t figure out is why the shelter is lashed together with duct tape rather than cordage. Or why the bundle of firewood is wrapped in duct tape.

It’s a bit after 10 PM now. We decide to take advantage of our luck and spend the night here. The shelter doesn’t look waterproof, but there’s no other flat ground around. It doesn’t feel like rain tonight anyway. There’s enough room for us both to throw our bivvies down underneath.

I had eaten before reaching the trail. The meal is still sitting in my belly. Forgoing dinner, I go off to hang my food. Avagdu decides to cook a small meal for himself – out of hunger, or just so that he’ll have a few less ounces to carry tomorrow. While we’re sitting around the fire pit, I spot a small mouse scurrying around the shelter. He seems disappointed that new tenants have moved in. Particularly because we had moved the old sock (his bed, I think) from the ground of the shelter to the table. After sniffing around for a while he scurries off.

We’re off early in the morning, with expectations of a short climb before arriving at the lake for breakfast.

Things don’t go as planned.

The grade steepens, as expected, but the trail keeps going on. Eventually we break out of the trees into a muddy meadow. Snow patches begin to appear. Somewhere in the meadow I loose the trail. By 10 AM we both feel that we should have reached Echo Lake. The mileage posted at the trailhead was only 4 miles, which we’ve certainly accomplished by now. I’m getting hungry, so I decide to stop in a patch of trees for a bowl of oatmeal. We both eat. After cleaning my pot I get out the map. It’s a large, ungainly thing. I plot our position and get a bearing to the lake. Not too far off, but I still don’t trust the mileage. It’s definitely further than 4 miles from the trailhead.

We climb up higher. The snow is constant now. We end up on a small knob above the lake. Echo Lake is surrounded by snow and looks to be still partially frozen over. Neither of us feel like venturing down for a visit. Our route now takes us up out of the basin onto the Siskiyou Crest. If we went down to the lake we’d just have to climb back up again. So we decide to forgo the lake and instead head higher, aiming for the saddle between Red Butte and Cook and Green Butte.

The slope we’re climbing is facing north. I hope that once we get over to the other side the snow will be gone. Or at least less. Before leaving for the trip I hadn’t been able to find any recent reports or conditions for the area. I figured we wouldn’t be getting very high and, hey, it’s California (the whole state is a desert, right?), so we didn’t plan for much snow.

I’m wearing my Merrell Trail Gloves, which aren’t exactly ideal for kicking steps. But going uphill isn’t too much trouble. We reach a bare scree field, climb it, and gain the saddle. I’m pleased to see that both the top of the ridge and the south slope are covered not by snow, but by Manzanita.

Just on the other side of the ridge is our goal: the Pacific Crest Trail. We’ll be on the PCT for the next few miles, which ought to help us make up for time lost in the snow. The PCT is the superhighway of the mountains – wide, tame, and well groomed compared to most wilderness trails.

Our route takes us west along the ridge, toward Red Butte. Only a few yards down the trail we come upon a group of three camped on the ridge. They had planned the same route as we, but also did not expect the trail to Echo Lake to be so long nor the snow to be so prevalent. It had upset their schedule. They no longer had time to complete the loop. Instead, they decided to spend some time enjoying the view from the ridgetop before descending and heading out.

The trail is wide and dry. It goes on for a bit before intersecting an old logging road. Just west of the junction both road and trail continue into a snow-filled basin. So much for dry feet! There’s a good stream of snow melt flowing here which we use to fill up our reservoirs, not sure where the next good source will be.

From there, the trail climbs over a ridge and down into another basin, which holds Lily Pad Lake. The road parallels the trail and ends in the same lake basin. I choose to follow the road, which is easier to spot under snow. The basin provides views of the other side of Red Butte, the namesake of this Wilderness.

Once across, both road and trail take a steep route up and out of the basin. I decide to take a route slightly longer but easier given the snow. Once gaining the other side, we’re once again in mostly dry territory with only occasional patches of snow. I find the PCT and follow that for a bit before loosing it in another snow field. On the other side, I find the road. Good enough.

The road ends at a fence made of stacked rocks. From there we can look down into this new basin and see the PCT. Lily Pad Lake sits below it. Both hold more snow. The ridge on the west side of the basin has more snow and looks steeper than any field we’ve yet encountered. We must climb that, but not yet. It’s early afternoon and my stomach calls for lunch.

It’s windy up on the ridge. There’s a small notch in the rock fence where I setup my stove, keeping it out of the wind. A pot full of noodles, a few mouthfuls of granola with dark chocolate chips, and I’m feeling copacetic in the sun. But we’re not getting any closer to the other side of the basin and Avagdu has finished his crackers and MRE peanut butter. It’s time to move on.

Climbing down from the end of the road we regain the the PCT. It is soon obscured by snow. The slope is indeed steep here – steep enough that I don’t feel safe crossing it without an ice axe or traction devices. But there’s a bare spot above. I make for that, where we can cross above the snow field and then come back down on the other side. I’m having flashbacks of last year in the Glacier Peak Wilderness.

We make it to the top, and across, but before heading back down to where we need to be there’s a finger of the snow field to descend. Avagdu goes first, sitting down on the snow and attempting a controlled descent that ends up being a glissade to the other side. I do the same.

It’s not much further till we reach a similar obstacle. But this time we can’t go up and around the snow. The only choice is to go straight across. I lead this one, slowly kicking steps across the field. It’s easier to cross on a diagonal line, heading slightly uphill. Eventually I end up above where I need to be, with Avagdu behind me. Below, the snow continues for 30 feet before reaching the trail, which at that point is bare. It’s a steep glissade without an ice axe to control the descent. The best option looks to be to sit and attempt to crab walk down, kicking in my heels to make steps as I descend. This works till about halfway, where a step fails and I slip, sliding down the rest of the way. It’s close – I almost miss the bare spot and end up in a tree well further down the mountain – but I’m able to slide enough to the right that I make it, with no problem other than cold hands from digging into the snow.

Meanwhile, Avagdu is above, watching the performance with some amount of trepidation. He sits down for his turn and I attempt to guide him in, instructing him to kick steps with his heels and aim for the log on the trail. The beginning is good. Then he slips and starts the glissade. He’s further to the left than I was, but he’s reaching for the handholds on the exposed trail and it looks like he’ll make it without trouble, until his reach turns into a somersault. Luckily the somersault takes him in the right direction and he crashes into a branch of the log or a bit of rock. I can’t see which. Later, he says that whatever hit him did so on his heavily padded hip-belt, which probably saved him some discomfort and bruising on the hip.

After a well deserved breather and a bit of water, we continue. It’s not too much longer before, predictably, the trail once again crosses into snow and enters a steep slope. This time it looks like we can go up and around along a tricky scree field, but a group of large boulders prevents me from seeing what is held in store for us on the other side.

We go for it, carefully making our way across the scree along the edge of the snow. It’s the most difficult part yet. On the other side, I climb up the group of boulders to getter a better view of the route above. It’s not a good sight. We’re almost at the top of the ridge, but directly across from us is another steep, snow covered slope. There’s no way around it, above or below, and I don’t want to attempt another crossing so steep without more tools. Directly above us is steep as well. We might be able to make it, climbing with both hands and feet, but there look to be a few cornices up there at the top. That makes me uncomfortable. Avagdu has come around by this time and points out a possible route, saying that there’s a few trees along there to break our fall. I start laughing. That’s exactly what I look for when I’m scouting out a route, but hearing it voiced out loud is somehow humorous. “Yeah, don’t worry, there’s some ground down there to break our fall!”

Another look around. It doesn’t look good. I still can’t see over the top of this ridge, so even if we make it up I’m not sure what waits for us further on. More of the same, likely, which will upset our schedule.

I suggest we turn around. Avagdu agrees. If we’re careful, we can take Avagdu’s suggested route a little further along, which will put is in intermittent trees. We can glissade from tree to tree, hopefully avoiding any big wells, and make it down to the bottom of the basin. From there, it’s a simple matter of crossing the basin (while avoiding a fall into the lake, which is still partially obscured by snow). The other side of the basin is clear of snow, so we can switchback our way up till we hit the trail or road, and then backtrack to the saddle between the two buttes where we first climbed up out of the basin and Echo Lake.

We reached the spot where we first joined the PCT. The camp belonging to the group of 3 is gone. They must have packed out ahead of us.

I scout out the ridge a bit, checking to see if there’s a better way down the north side than the route we took up. There doesn’t seem to be anything. Looking down from the spot where we finally gained the ridge on the way up, our path looks steeper than before. Funny how that works.

Avagdu and I both relax for a bit, enjoying the view and watching a few clouds roll in. The slope isn’t getting any less steep. After chucking a few rocks down to see where they land, we decide to go for it.

We descend the bare scree field and are back in the snow. Luckily, we can glissade down this time rather than having to climb up. It’s quick, and fun.

Just below where we now know Echo Lake to be we come upon the remains of an old fire ring. There are flat spots around that will make decent spots for us to pitch our tarps, but with the lake on one side and the muddy meadow on the other it looks like it will become too buggy for my tastes. We opt to continue down further, crossing the meadow and descending back into the woods.

At 7 PM we reach a spot with wide flat areas at the base of a cliff. There’s a small trickle of water in the back and the trees are sparse enough to let the sunlight in and allow some views of the sky. This will do for camp.

An abundance of dead wood lies on the floor. The novelty of actually picking dry firewood off the ground rather than having to break it out of trees encourages me to start collecting the makings of a fire. While Avagdu is pitching his tarp I take a spade-shaped rock to dig a small pit. Then I build a basic lay. Soon the flames are jumping.

The night brings heavy rain. The noise on the tarp is enough to wake me up a few times during the night. In the morning I wake but don’t rise for a couple hours, hoping that the rain will soon die down. When it turns to a light sprinkle, I venture out. Our camp has certainly become wet. Avagdu is up and about. He didn’t pack much in the way of insulating layers, so he’s chilly and wants a fire. All of the wood is now sodden. Even that up in the trees is wet, none of the branches being thick enough to protect those below them. It takes some doing, but eventually, with a bit of splitting, feathering, and a few other tricks, we rekindle the fire.

After breakfast the rain picks up again. Neither of us want to sit around outside getting wet, so we retreat to the tarps. The rain puts out our unattended fire.

We have no firm plans for this day. By late morning it appears that the rain won’t give up. We decide that rather than staying in the wet woods all day, it will be better for us to head out and continue on our road trip back up to Washington. A few hours on the road today will make us more likely to accomplish our goal of being in Portland for a meeting on the morrow.

As we break camp the rain continues. We descend lower into the valley. The rain becomes heavier. The sky seems like a torrent by the time we reach the bottom, and both of us are wet. The trailhead is reached shortly after, and there: shelter and some dry clothes.

I leave the mountains, sure in the knowledge that I will return. Perhaps to a different range, but to mountains none the less.

Give him a far reach of eye, the grasses rippling, the small streams talking, buttes swimming clear a hundred miles away. Give him… the clean, ungodly upthrust of the Tetons. They were some.

A.B. Guthrie, Jr., Fair Land, Fair Land

This article was modified 2012-09-15.

2011-06-19

wilderness

Late Spring in the Alpine Lakes Wilderness

The snow is still sitting at 4,000 feet. This weekend I stayed low and enjoyed sleeping on bare ground.

I have a feeling that an ice axe and pair of microspikes will be fairly permanent additions to my pack this summer.

This article was modified 2012-09-15.

2011-06-14

edc, gear, knife

Izula Knife Mods

About a month ago I gave my Izula a cosmetic make-over, inspired by Widerstand‘s similar mods to his Becker knives.

Originally the knife had a light tan powder coating on it, which protected the blade from rust and other wear, but did nothing for style. The first step I made in the modification process was to spend a couple hours with a piece of sandpaper, scraping off the coating until I was down to bare metal. That gave the knife a nice, raw look. But it also made it susceptible to rusting. The solution: a patina!

The last time I talked about patinas I achieved it with moldy potatoes and citrus fruit. This time around I went the easier route and dumped the Izula into a bowl of vinegar over night. I thought it looked great when it came out, and I was pleasantly surprised that I could still see the RAT logo and Izula ant. To finish off the coating I rubbed a little mustard on a few spots on either side of the blade.

The way the knife comes from the factory, the gimping is nice and rounded, providing a comfortable grip for the thumb. I almost never place my thumb on the back of the spine, so gimping doesn’t do much for me. And because it was rounded, it couldn’t throw any sparks off a ferro rod. To make the whole affair a bit more useful I took a Dremel tool and redid the gimping. It’s much more rough and sharp now, less ideal for thumbs but great for throwing sparks.

After that all that was left was to re-wrap the handle with a new piece of paracord – black this time – and the job was done. My favorite EDC knife: even better than before.

This article was modified 2012-09-15.

2011-06-11

admin, python, code, django

A Move to Django

You may not notice much, but this blog has been completely rewritten.

I started developing in Django last winter and quickly became smitten with both the Django framework and the Python. Most of the coding I’ve done this year has been in Python. Naturally, I had thoughts of moving this website from Wordpress over to a Django-based blog.

For a while I did nothing about it. Then I had another project come up that required some basic blog functionality be added to a Django-based site. A blog is – or, at least, can be – a fairly simple affair, but before writing my own I decided to look around and see what else was out there. There’s a number of Django-based blogs floating around (Kevin Fricovsky has a list), but few of them jumped out at me. Most were not actively developed and depended on too many stale packages for my taste, or they just had a feature set that I didn’t like.

Out of all of them, two presented themselves as possibilities: Mingus (written by the previously mentioned Kevin) and Nathan Borror’s django-basic-apps. Mingus tries to be a full-featured blogging application and was much too complex for the simple project I was then working on. But the blog application in django-basic-apps (a fork of which provides Mingus with its core blog functionality) looked like it would fit the bill. As the name implies, it is meant to be a very basic blog. I dived in to the code I discovered that, with a few modifications, it would do what I needed.

So I finished that project. But now having messed with blogging in Django I was more motivated to get started on rewriting my own site. I took another look at Mingus. Although it was too complex for the previous project, the features it provides are very similar to the features I wanted for this website. I looked at and thought about Mingus for a time, repeatedly turning it down and then coming back to it. The question centered around the project’s staleness more than anything else. Currently, Mingus is built for Django 1.1. That’s an old version. As of this writing, the current version is 1.3. Many improvements have been made in Django since 1.1 and I was not too keen to forgo them and run an old piece of code. Mingus is under active development, and will be updated for Django 1.3, but it’s a hobby-project, so the work is understandably slow.

In the end, I decided that the best thing to do was go my own route, but take some pointers and inspiration from Mingus. I would make my own fork of django-basic-apps, using that blog as the basis, and build a system on top of that. I created my fork last month and have been steadily plodding away on it in my free time. Over the course of the development I created a few simple applications to complement the core blog, and contributed code to another project.

It’s not quite done – there’s still a few things I want to improve – but it’s good enough to launch. (If you notice any kinks, let me know.) I’m quite pleased with it.

This is a notable occasion. I’ve been using Wordpress since before it was Wordpress, but it is time to move on. (Wordpress is a fork of an old piece of code called b2/cafelog. My database tables have been rocking the b2 prefix since 2002.)

As you’ve no doubt noticed, the look of the site hasn’t changed much. I tweaked a few things here and there, but for the most part just recreated the same template as what I had written for Wordpress. I am planning on a redesign eventually. For now, I wanted to spend my time developing the actual blog rather than screwing with CSS.

So, there you have it. Everything is open source. Download it, fork it, hack it (and don’t forget to send your code changes back my way). Let me know what you think. Build your own blog with it! (There’s even a script to import data from Wordpress.) I think it’s pretty sweet. The only thing lacking is documentation, and that’s my next goal.

Disqus

The biggest change for the user is probably the comments, which are now powered by Disqus. Consider it a trial. I’ve seen Disqus popping up on a number of sites the past year or so. At first it annoyed me, mostly because I use NoScript and did not want to enable JavaScript for another domain just to comment on a site. But after I got over that I found that Disqus wasn’t too bad. As a user I found it to be on par with the standard comment systems provided by Wordpress, Blogger, and the like. The extra features don’t appeal to me. But as an administrator, Disqus appeals to me more because it means that I no longer have to manage comments myself! And as a developer, I’m attracted to some of the things that Disqus has done (they’re a Python shop, and run on top of Django) and their open source contributions.

So I’m giving it a shot. Disqus will happily export comments, so if I (or you) decide that I don’t like it, it will be easy to move to another system.

Markdown

One final note: I like Markdown. That might be an understatement.

I first starting using Markdown on GitHub, which I signed up for about the same time I started with Django and Python. After learning the syntax and playing with it for a few weeks, I discovered that I had a very hard time writing prose in anything else. In fact, the desire to write blog posts in Markdown was probably the biggest factor that influenced me to get off my butt and move away from Wordpress.

So, I incorporated Markdown into the blog. But rather than just making the blog Markdown-only, I took a hint from Mingus and included django-markup, which supports rendering in many lightweight markup languages.

Because I’m still new to Markdown and occasionally cannot remember the correct syntax, I wanted to include some version of WMD. WMD is a What You See Is What You Mean editor for Markdown, a sort of alternative to WYSIWYG editors like TinyMCE. (It is my believe that WYSIWYG editors are one of the worst things to happen to the Internet.) All WMD consists of is a JavaScript library. The original was written by a guy named John Fraser, who was abducted by aliens some time in 2008. Since his disappearance from the interwebs, WMD has been forked countless times. I looked around at a few found a version that I was happy with (which happens to be a fork of a fork of a fork of a fork), and rolled it into a reusable app. While I was at it, I made some visual changes to the editing area for the post body. The result is an attractive post editing area that is simple to use and produces clean code. I think it is much better than what is offered by Wordpress.

This article was modified 2012-12-22.

2011-05-07

gear, triple aught design

TAD Gear FAST Pack EDC Strap Failure

Last week I noticed that the top right compression strap on my Triple Aught Design FAST Pack EDC had begun to rip off from the pack. This is the first failure I’ve experienced on the pack, which has been in regular use since Fall 2007.

I’m surprised that it was this particular strap that failed first. I don’t often carry heavy items in the Transporter Tail, so the strap does not have a lot of stress placed on it. Still, I feel better about sewing it back down than I would about repairing a load-bearing strap.

Now: A needle, a length of #69 nylon thread, and a bit of time.

This article was modified 2012-09-15.

2011-05-01

bicycle

Whidbey Island by Bike

I’ve toured Whidbey Island before by bus, car and foot, but never by bicycle. I decided to remedy that today. It was forecast to be warm and sunny (only the third day of the year I can say that about), so I woke up early to make the 9:00 AM ferry sailing.

Whidbey is a pleasant mixture of forest and pastoral farmland. I decided to confine my explorations to the south end of the island, as that’s the area I know least.

I logged about 45 miles in the saddle over a leisurely 6 hours, plus about 2 hours of breaks, including lunch in Langley.

More photos are on Flickr.

A map of my route is also available.

This article was modified 2012-09-30.

2011-04-30

physical training, run

Rucksack Run

Yesterday I felt that I was becoming too complacent on my runs. I needed something to increase the challenge. So, this morning I tossed 20 lbs. into the FAST Pack and strapped it on. That made things interesting.

Dry heaving is a measure of success.

This article was modified 2012-09-15.