- Package a project as a ‘release’ for deployment
- Include only the OTP applications necessary for production use
Packaging and deploying a project as a release is a good way to reduce the attack surface. A release only includes those parts of the Erlang/OTP runtime system that are actually needed to run the application, eliminating unnecessary code.
Whether introspection and development tools, such as observer, runtime_tools and even compiler, should be included or excluded is a policy decision: traditionally, removing developer tools such as compilers from a production environment is considered good practice, but on the other hand, the ability to monitor, debug and even patch the application in-place may be one of the reasons for choosing the BEAM platform in the first place.
It is worth noting that Elixir applications always ship with the full Elixir standard library, including the compiler.
At runtime, another advantage of a release over other deployment methods is the use of embedded mode for the code server (the
code module). In this mode, modules are loaded once at release startup by the boot script, and automatic loading of code on-demand is disabled. This eliminates some paths for code injection by an attacker with limited control over the host machine/VM.