Posts tagged 'technology' — Typing with mittens on

rspec and exceptions

Rachel Evans — Tue, 12 Sep 2017 08:00:00 GMT

Today I learnt that these two tests are, not only non-functionally different, but functionally different too:

Test A:

    it "should run without raising an exception" do
      some_code_to_test
    end

    Test B:

    it "should run without raising an exception" do
      expect {
        some_code_to_test
      }.not_to raise_error
    end

Like JUnit, rspec reacts to tests which raise exceptions by failing the test, right? So these two tests should (functionally) behave identically?

Wrong!

Well, sometimes wrong.

The difference (or rather, at least one of the differences — perhaps there are more) lies in SystemExit. If some_code_to_test raises this, typically by calling Kernel#exit, then the test runner stops, treats this test as successful, doesn’t show the output of this test, and silently skips all subsequent tests:

it "runs test 1" do
    end

    it "should run without raising an exception (2)" do
      some_code_to_test
    end

    it "runs test 3" do
    end

    // and then run it:

    rachel@shinypig test$ bundle exec rspec --format doc spec/my_spec.rb

    Kernel
      runs test 1

    Finished in 0.00089 seconds (files took 0.08703 seconds to load)
    2 examples, 0 failures

which reports that it ran 2 examples, but only shows one of them, and doesn’t even mention the one that it skipped completely.

On the other hand, if we wrap the code being tested using “expect … not_to raise_error”:

rachel@shinypig test$ bundle exec rspec --format doc spec/my_spec.rb

    Kernel
      runs test 1
      should run without raising an exception (2) (FAILED - 1)
      runs test 3

    Failures:

    1) Kernel should run without raising an exception (2)
         Failure/Error: expect { some_code_to_test }.not_to raise_error

    expected no Exception, got #<SystemExit: exit> with backtrace:
             # ./spec/my_spec.rb:4:in `exit'
             # ./spec/my_spec.rb:4:in `some_code_to_test'
             # ./spec/my_spec.rb:11:in `block (3 levels) in <top (required)>'
             # ./spec/my_spec.rb:11:in `block (2 levels) in <top (required)>'
         # ./spec/my_spec.rb:11:in `block (2 levels) in <top (required)>'

    Finished in 0.01099 seconds (files took 0.07536 seconds to load)
    3 examples, 1 failure

    Failed examples:

    rspec ./spec/my_spec.rb:10 # Kernel should run without raising an exception (2)

So now it runs all three tests, showing all three results, including one failure.

To be honest I’m surprised that the rspec test runner doesn’t deal with this natively: if a test raises an error, it should always be a failure (to my mind anyway), including SystemExit. Maybe there’s a bug / pull request for rspec somewhere discussing this, where the idea was rejected. I might go digging…

Firefox add-ons, 15 years on

Rachel Evans — Sun, 03 Sep 2017 11:29:41 GMT

This is going to be a bit of a ramble. If you're interested: great!

It's just a bunch of stuff that might be of interest to you if you use Firefox, and it's too much to tweet in a giant thread. So here we are.

The long haul

I'm pretty sure that I've been using Firefox since it was first released, back in 2002 — since it was hailed as the brave new lean and super-fast thing that came after Netscape Navigator, and then Mozilla, and then along came Firefox, to counteract Mozilla's perceived bloat. When it comes to my main development machine (which used to be Linux, now Mac OSX), I've used Firefox continuously and almost exclusively since then, with just occasional forays into Chrome or Safari or Opera, and then back to Firefox.

So over the years I've seen a few changes, got used to how things work, developed my way of using the browser, which add-ons and settings I like, and so forth.

And it's easy go get into a habit with that, and never really step back and look at what you're doing … until something makes you do so. Like a data-loss hardware failure, or a major shift in the browser itself.

The changing world

Enter “Web Extensions”, a change in the way that Firefox extensions work. This landed with Firefox version 55, and the big challenge is that from version 57 (scheduled for November 2017) onwards, older extensions — ones that aren't written using the Web Extension mechanism — will be disabled. No longer work. Kaput, dead, gone, no more.

Exciting, huh? 😬

You can tell which extensions (of the ones you have installed) are going to suffer this fate, because from Firefox 55, non-WebExt add-ons are marked as “Legacy” in about:addons. More about that.

So, this seems like a good opportunity for me to take a look at what add-ons I'm using, whether I really need each one, and if so, how I might be able to continue to get the functionality I need in a post-FF-57 world.

Multi-process

But wait: there's one more thing. Last night with I was reading about Multi-Process Firefox, how it's good for performance and stability and security. And yes, this sounds like a very good thing indeed. But here's the rub: for now, Firefox (or is it each FF window?) can operate either in single-process, or multi-process mode. Single-process bad, multi-process good. And you can tell which is which by looking at about:support, under “Application Basics”, look for the “Multiprocess Windows” bit. Mine said: 0/1 (Disabled by add-ons). 🙁

There doesn't appear to be a way of seeing which add-ons are doing the disabling, so as far as I could tell, it was a matter of working through the add-ons I had, disabling and enabling things until I found a minimal set of things to disable that got me the magic words, “Multiprocess Windows 1/1 (Enabled by default)”. \ø/

Add-ons

So which add-ons was I using before, and how did they fare? Do I still even need them?

An incomplete list, roughly categorised:

For security and privacy: NoScript, RequestPolicy Continued, CookieCuller, LastPass

For development: Web Developer, RestClient, Firebug, Markdown Viewer.

General: Multifox, TabMixPlus, Stylish, Popup ALT Attribute, GreaseMonkey, Flash Video Downloader.

NoScript

Essential, IMO. Thankfully despite being a “legacy” add-on, it still works, and doesn't cause FF to go to single-process mode. I'm not sure but I think the FF developers may have whitelisted this specific add-on.

RequestPolicy Continued

I used this one to block third-party requests as a way of improving performance and privacy (e.g. prevent a site from loading ads from a third-party). Trouble is, an awful lot of the modern web does use third-party requests (CDNs, separate domains for “static” or “media” resources, etc). I'd set this add-on to block by default, which meant that it defaulted to “safe”, i.e. “massively inconvenient”.

I haven't really found an up-to-date alternative for this add-on yet, but given that it was very inconvenient for questionable benefit anyway, I've just gone without this “functionality” for now. Maybe Privacy Badger?

CookieCuller

Deletes non-whitelisted cookies on browser startup. I've switched to Cookie Auto-Delete instead. It seems to work well: enable “Active Mode” in the preferences (as far as I can tell the add-on is completely dormant without this). In fact it's probably better than CookieCuller anyway, since it deletes cookies when tabs are closed, rather than when the browser is restarted; and since I quite rarely restart my browser, CookieCuller didn't often get to do its job, whereas hopefully Cookie Auto-Delete will.

LastPass

Legacy, but still works. Good.

Web Developer

Turns out I never actually used any of the functionality of this add-on. Zap, gone.

RestClient

I'm trying out RESTED. As long as it can do GET/POST/PUT/DELETE, with custom headers (mainly Content-Type), and can handle X509 client certificate authentication, we'll get along just fine.

Firebug

Still works, even though it's legacy, and marked as “not compatible with your version of Firefox”. Hmm.

Markdown Viewer

I used this to preview local markdown files before I pushed them to github. I haven't found a replacement for this yet 🙁 . But, I very rarely need this functionality, and it's not exactly a show-stopper for me not to have this, so whatever. Disabled.

Multifox

I did briefly use this add-on, but then disabled it again. And now it seems to have been pulled from addons.mozilla.org. Basically, the functionality it aimed to provide was to allow each tab to have its own space of cookies, authentication, etc. — so for example you could open three different tabs and log into three different accounts on the same web site.

Turns out, this is a lot simpler these days: more on this later.

TabMixPlus

Every now and then I experiment with “improved” tab managers. I never quite get on with any of them, I find. In the past I have occasionally used TabMixPlus; right now, I'm trying out TreeTabs. meh.

Stylish

Write your own custom CSS for various sites, or install custom CSS that others have written and shared via userstyles.org. Except these days that site seems to be a lot more geared towards “skinning” (“Facebook, but with Lionel Messi in the background”. I kid you not), and less towards what I'm after, which is UI tweaks, overriding things for improved accessibility, ad suppression, and so forth.

I've installed Custom Style Script but haven't started using it yet. Instead, I'm experimenting with doing without this functionality. I'll be interested to see how much I miss it.

Popup ALT Attribute

Good for accessibility awareness. Still works.

GreaseMonkey

Almost essential. Still works for now, even though it's “legacy”. Will have to keep a close eye on this one.

Flash Video Downloader

Sorry, YouTube.

userContext

But back to MultiFox. The use case, remember, was to be able to log into the same site more than once in the same browser (well, more than twice, in fact: you could sort of do two already: one in a main window, one in a “Private” window. But only two). But MultiFox used to be somewhat clunky and unreliable, and it always seemed daft that FF didn't natively support something like this.

Thankfully, it seems that it now does. But it's not enabled by default. Also, it's experimental.

Enter Containers aka contextual identities aka userContext (as I understand it). As far as I can tell it's built into Firefox, but hidden. But you can enable it: go to “about:config” and enable both privacy.userContext.enabled and privacy.userContext.ui.enabled.

This gives you a new preference section (Preferences > Privacy > Container Tabs), and a new menu entry (File > New Container Tab). But for a bit more slickness — new containers on the fly, what I really want — I'm trying out Containers On The Go, which seems to work well so far.

et voilà

So there we have it: check about:support for “Multiprocess windows” (multi-process is good); if it says “disabled by add-ons”, disable add-ons until you work out which ones are getting in the way. Enable privacy.userContext.ui.enabled then play with containers. Wheeee!

Not helpful, “aws s3 sync”

Rachel Evans — Mon, 24 Apr 2017 08:54:24 GMT

I have a requirement to change the Content-Type / Cache-Control headers of a load of objects in S3. At the API level, there's no way of modifying the metadata of an existing object — rather, you create a new object with the desired metadata. Of course, if this new object is in the same bucket and has the same key as the old object, it'll effectively overwrite it. You don't have to re-upload your data if you don't want to — you can copy the data from the old object to the new one.

Instead of using the API directly, various tools already exist which encapsulate this behaviour. For example, the aws command line offers “aws s3 sync”. So I'm wondering if “aws s3 sync” might be the tool for the job.

But then we come to this gem in the help text:

--metadata-directive (string) Specifies whether the metadata is copied from the source object or replaced with metadata provided when copying S3 objects. Note that if the object is copied over in parts, the source object's metadata will not be copied over, no matter the value for --metadata-directive, and instead the desired metadata values must be specified as parameters on the command line. Valid values are COPY and REPLACE. If this parameter is not specified, COPY will be used by default. If REPLACE is used, the copied object will only have the meta- data values that were specified by the CLI command. Note that if you are using any of the following parameters: --content-type, content-lan- guage, --content-encoding, --content-disposition, --cache-control, or --expires, you will need to specify --metadata-directive REPLACE for non-multipart copies if you want the copied objects to have the speci- fied metadata values.

Apart from being horrible to read, there's a big problem with this. Note the phrases “Note that if the object is copied over in parts” and “for non-multipart copies”: the behaviour varies depending on whether or not multipart copies are in use.

So, are multipart copies in use?

Well, we're not told. The S3 maximum size for non-multipart uploads is 5GB, so we know that for objects over 5GB, multipart uploads must be used, because that's the only option. But for smaller objects?

¯\_(ツ)_/¯

So the help text explaining --metadata-directive tells us that the behaviour of this option can vary, depending on an implementation detail which is not revealed to us.

Here's my attempt to reword that help text to be (a) clearer, and (b) more honest:

--metadata-directive (string)

Valid values are COPY (which is the default), and REPLACE. Specifies
whether the metadata is copied from the source object ("COPY"), or
replaced with metadata provided on the command line ("REPLACE") when
copying S3 objects.

Note that "COPY" does not work if multipart uploads are used, which is
definitely the case for objects larger than 5GB, and might be the case
for smaller objects too — good luck!

Not helpful.

The AWS S3 Inventory Service: don't end the destination prefix with “/”

Rachel Evans — Fri, 21 Apr 2017 10:00:16 GMT

This started out as a longer blog post, but then a lot of it boiled down to “read the fine documentation, Rachel”. So here's the short version.

Launched in December 2016, S3's Inventory Service is an alternative to using the ListObjects / ListObjectsV2 APIs for enumerating the objects in a bucket. You put an inventory configuration to your bucket (broadly speaking: which bit of S3 to list, where to put the results, and how often to do it), then sit back and wait for S3 itself to do all the hard work, so you don't have to. Great!

The documentation states where the inventory output goes:

destination-prefix/source-bucket/config-ID/YYYY-MM-DDTHH-MMZ/manifest.json
destination-prefix/source-bucket/config-ID/YYYY-MM-DDTHH-MMZ/manifest.checksum

And for the sake of brevity, let's cut to the chase: if you end your prefix with a “/” (either accidentally, or because like me you think you're being smart whereas in fact you simply haven't read the docs — good going, Rach), then due to a bug in the S3 Inventory service, your inventory will not be usable.

Specifically, I ended up with objects in S3 with keys like this:

s3-inventories//media/rachel-test-inventory/data/6eabc318-5ee0-41d9-b32b-a12b40a6f271.csv.gz
s3-inventories//media/rachel-test-inventory/data/b7dff5ea-c83d-4879-bc2a-0d0ced298356.csv.gz

whereas the manifest I got contained this (line breaks added for clarity):

{
  "files": [
    {
      "key": "s3-inventories/media/rachel-test-inventory/
                data/6eabc318-5ee0-41d9-b32b-a12b40a6f271.csv.gz",
      "size": 16486333,
      "MD5checksum": "3c94f6eed1fc3c2d057c098f355afffc"
    },
    {
      "key": "s3-inventories/media/rachel-test-inventory/
                data/b7dff5ea-c83d-4879-bc2a-0d0ced298356.csv.gz",
      "size": 20147436,
      "MD5checksum": "f0b39e0d85f0f5fb11bc5be73ecc26cf"
    }
  ]
}

The problem being that those double-slashes in the keys have become single slashes. On a Linux-ish filesystem, this would make no difference; on S3, it makes all the difference. The keys given in the manifest simply do not exist.

tl;dr: There's a bug in the S3 Inventory service which means that manifests are broken if the destination prefix ends with “/”. Solution: don't end your destination prefixes with “/”.

SQL report fun

Rachel Evans — Wed, 09 Dec 2015 23:55:54 GMT

This is just a little anecdote. Don't expect it to be deep or meaningful. I don't know, maybe there's something in here about feedback loops or focussing development effort in the right place, whatever.

Way back when, when I was just about fresh out of university and in my first programming job (1996), I got a bit of a reputation at being quite good at making our database and its applications go fast, including SQL query optimisation. This was using Ingres databases, hosted on VMS.

One day I was asked to investigate this particular stock report (I even remember the report id, “AGR48”, though I confess I have no idea now what the report was actually for). The report was too slow, I was told.

So I dug.

The report consisted essentially of a sequence of 8 giant SQL statements, each of which was quite slow. Lots of creation of temporary tables and the like. I think I rewrote the report and did make it faster, but that's not the point.

The point is: the report took about 4 hours; but due to a bug in the eighth and final SQL statement, the report output was always empty.

This report was effectively a four-hour no-op.

Unsurprisingly, the users didn't use that report.

Save money and be tidy with s3-upload-cleaner

Rachel Evans — Tue, 01 Dec 2015 12:56:02 GMT

Amazon Web Services (AWS) S3 is a popular, highly-scalable object storage service. It's used by a lot of big companies, including the one I work for.

Getting data — especially large files — into S3 uses a mechanism called Multipart Uploads. For example, to upload a multi-gigabyte file to S3, you might make a sequence of calls like so:

CreateMultipartUpload
UploadPart (1 .. n times)
CompleteMultipartUpload

On the “complete” call, S3 assembles your parts together to form a single object, that then appears in the bucket. Or, you can call “AbortMultipartUpload” to abandon it, and throw away the parts.

So what's the catch?

The catch is that it's very easy to forget to ever call either CompleteMultipartUpload or AbortMultipartUpload. And if you neither complete nor abort the upload, then any parts you have uploaded just sit around in S3, waiting. Forever. It's relatively hard to see those parts, mind — they don't show up in the regular bucket listing. But they are there, and they are costing you money.

So what's the solution?

Enter s3-upload-cleaner. Simply put, it scans your buckets looking for stale (that is, started a long time ago) incomplete multipart uploads — the premise being, if you haven't completed an upload after, say, a week, then you never will — and aborts them. Thus, periodically running s3-upload-cleaner keeps your account's multipart uploads under control, and helps keep your bill down.

(I'm a little surprised that this isn't a native feature of S3, and to be honest, I expect that one day, it will be.)

Here it is running for a single bucket, and finding nothing to clean:

$ sudo apt-get install nodejs npm
$ npm install s3-upload-cleaner aws-sdk
$ export AWS_ACCESS_KEY_ID=…
$ export AWS_SECRET_ACCESS_KEY=…
$ nodejs ./node_modules/s3-upload-cleaner/example/minimal.js
Running cleaner
Clean bucket my-bucket-name
Bucket my-bucket-name is in location eu-west-1
Bucket my-bucket-name is in region eu-west-1
Running cleaner for bucket my-bucket-name
$

The code comes with a minimal bootstrap script, though you are encouraged to use your own if you wish.

To call out of a few of its features:

it's multi-region aware (it will attempt to process all of your buckets, no matter what region they are in);
it can be configured to process only some buckets, or only some regions, or only some keys;
the threshold for what counts as “stale” is configurable — the minimal bootstrap script uses 1 week as the cutoff age;
when a stale upload is found, it emits logging data in json form;
it can be run in “dry run” mode, where all the scanning and logging is performed, but the abort itself is not.

Finally, here's an example of one of its log entries:

[
  {
    "event_name": "s3uploadcleaner.clean",
    "event_timestamp": "1448495889.529",
    "bucket_name": "my-bucket-name",
    "upload_key": "bigfile.mpg",
    "upload_initiated": "1447888220000",
    "upload_storage_class": "STANDARD",
    "upload_initiator_id": "arn:aws:iam::123456789012:user/SomeUser",
    "upload_initiator_display": "SomeUser",
    "part_count": "135",
    "total_size": "2831189760",
    "dry_run": "true"
  }
]

s3-upload-cleaner typically only takes a few seconds to run, and doesn't need to be run very often, so this makes it perfect to run via a scheduled AWS Lambda function.

You can find the code on github and the package on npm.

Cisco and their IPv6 DNS

Rachel Evans — Sat, 14 Mar 2015 12:12:22 GMT

Following on from “On DNS and IPv6” I happened to check up on cisco.com's setup again.

$ dig @$( dig +short ns com. | head -n1 ) aaaa cisco.com.
; <<>> DiG 9.8.3-P1 <<>> @k.gtld-servers.net. aaaa cisco.com.
;; AUTHORITY SECTION:
cisco.com. 172800 IN NS ns1.cisco.com.
cisco.com. 172800 IN NS ns2.cisco.com.
cisco.com. 172800 IN NS ns3.cisco.com.
;; ADDITIONAL SECTION:
ns1.cisco.com. 172800 IN A 72.163.5.201
ns2.cisco.com. 172800 IN A 64.102.255.44
ns3.cisco.com. 172800 IN A 173.37.146.41
ns3.cisco.com. 172800 IN AAAA 2001:420:1101:6::a
ns3.cisco.com. 172800 IN AAAA 2001:420:1201:7::a
ns3.cisco.com. 172800 IN AAAA 2001:420:2041:5000::a

Since last time, Cisco have added a third nameserver, “ns3.cisco.com”, and this server has three IPv6 addresses (and an IPv4 address). So cisco.com is now resolvable to IPv6-only clients, via this nameserver. Hooray!

But hang on. Those IPv6 addresses look familiar. Two of them are the same addresses as we saw back in January, in the earlier article.

Identity ambiguity

For the IPv4 setup, everything matches as you'd expect: the glue records name the three nameservers, and each nameserver has an IPv4 address, and if you do a reverse lookup on those addresses (PTR), you get the names again:

$ dig +short -x 72.163.5.201
ns1.cisco.com.
$ dig +short -x 64.102.255.44
ns2.cisco.com.
$ dig +short -x 173.37.146.41
ns3.cisco.com.

However for the IPv6 setup, ns1 and ns2 don't have an IPv6 address (according to the glue records), but according to the nameservers they do, and six nameservers (three IPv4, three IPv6) all agree that ns1 is 2001:420:1101:6::a, ns2 is 2001:420:2041:5000::a, and ns3 is 2001:420:1201:7::a.

Reverse lookups of the three IPv6 addresses show that the three IPv6 addresses are ns1, ns2, and ns3 also:

$ for a in $( dig @$( dig +short ns com. | head -n1 ) ns cisco.com. | egrep -w 'A|AAAA' | awk ‘{print $5}' ) ; do echo $( dig +short -x $a ) $a ; done
ns1.cisco.com. 72.163.5.201
ns2.cisco.com. 64.102.255.44
ns3.cisco.com. 173.37.146.41
ns1.cisco.com. 2001:420:1101:6::a
ns3.cisco.com. 2001:420:1201:7::a
ns2.cisco.com. 2001:420:2041:5000::a

So, basically Cisco have accidentally named all three nameservers in the glue records as ns3.

So what?

Is that a problem? Well, a tiny one. It does mean there are differing opinions out there on the net as to what the addresses of the three servers are, which could cause confusion, especially when debugging problems. In theory, ns1 and ns2 could appear to have an IPv6 address one moment, and not the next; and ns3 could sometimes have three addresses, and sometimes only one.

The worst case is that Cisco might find that most DNS lookups (over IPv6) for cisco.com end up going to 2001:420:1201:7::a (ns3).

(A resolver might find that the only nameserver is “ns3”, find “all three” IPv6 addresses of the of ns3, then ask the cisco nameservers the same question (“what is the IPv6 address of ns3?”) and then get only one result; thus, there's only one nameserver, and it has only one IPv6 address).

It'll probably work. It might compromise resiliency.

Of course, the fix is easy: just fix the glue records to read “ns1, ns2, ns3” instead of “ns3” three times.

Lesson: remember to take care when changing DNS setting, everyone :-)

Diversity at QCon London 2015

Rachel Evans — Sun, 08 Mar 2015 11:20:45 GMT

Last week I attended QCon London, a “Conference for Professional Software Developers” run by InfoQ. Three days of keynotes, presentations, facilitated discussion, and general open mingling with other delegates and and speakers.

It's the first time I've been to this conference. I went because last year my colleague Stephen went, and I could tell from his experience there, and from the online videos of the talks published later, that this was worth going to. So I signed up for this year at the earliest opportunity.

It's well known that the technology sector has a diversity problem. Go to almost any technology event in Europe / North America, and you'll see overwhelmingly white male faces.

Today is International Women's Day 2015: so what have I learnt of the diversity aspect of QCon, and about the inclusion of women in particular?

Do I expect I'll go again next year?

The speakers

For those used to technical conferences, you might be interested in taking a quick look at the diversity on show amongst the speakers at QCon London this week.

A randomly-chosen subset of the speakers from the 2015 QCon speaker list

When I checked and did a rough count, there were 123 speakers listed, and quite a range of faces.

Or, so it might appear at first glance.

I very roughly counted males and females, white and non-white. By my count, this year's QCon speaker line-up included:

3 (2.4%) non-white women;
5 (4.1%) non-white men;
24 (19.5%) white women;
91 (74.0%) white men.

Only 74% white men? For the technology sector, that's actually pretty good! So, that's like, 26% of “doing diversity”!

Make no mistake: it's a lot better than most conferences, by which I mean that it's closer to being more representative of the population as a whole.

But that's still 78% male, and the world simply isn't like that. (In case it needs saying: it is, of course, 50% female, 50% male, give or take). And this lineup, while being more diverse than we've come to expect, is still 93.5% white, compared to 87% in the UK population as a whole.

Which doesn't sound so bad, but does mean that if you're attending QCon, and you're non-white, and hoping to see non-white speakers, then instead of the 16-ish speakers you should expect to see, you in fact see only 8; only half of what it should be.

78% male. 93.5% white.

In this sector, however, 22% female counts as so far above the norm that it won't have happened by accident, which implies that the organisers took deliberate steps to include more women, which implies that they care about diversity — which is great. But at the same time we all need to recognise that it's still not enough, and we should demand more.

The audience

The organisers don't collect the diversity profile of the audience, so that information is harder to assess quantitatively.

I tried two different (but similar) ways of measuring the audience diversity, and I admit, both methods are highly unscientific. Firstly, as I sat waiting for the keynote, I just looked around at the people sat nearest to me. Secondly, I took a photo of a larger area of the audience, and counted faces later.

(Partial) QCon keynote audience. Red dot = white male, white dot = anyone else.

Doing a quick sample of the 50 people sat around me while we waited for Friday's keynote, it looks like about 16% female, 84% male. Which again, is a long way away from 50/50, and it's notably even more skewed than the speaker line-up.

As for white / non-white: again, based on the people sat around me: roughly 88% white, 12% non-white. So actually, on this highly unscientific sample, this one's pretty much on-target, matching the figures for the UK population as a whole.

The count of faces in the photo came to 82 white male, 5 non-white male, 2 white female, 3 non-white female. That is, 95% male, 91% white.

On inclusion

I noticed before the conference started that QCon publishes a code of conduct, and it's nice and clear, concise, and good to see. And with one exception, I neither witnessed nor heard of any harassment or anything else that would violate the code of conduct.

We'll come to the exception later.

People with special mobility requirements were pretty well catered for (but it was hard to work out how to get to the 6th floor). Several people noted how the speakers would be using “she” or “her” more, to refer to actors in their stories (such as: “Your CTO says and she knows what she's talking about…”), instead of just thoughtlessly going with male as the default. Speakers' slides would include little stick figures to represent people — and those stick figures were often women.

All in all, a huge step (compared to tech industry norms) in the right direction. Sadly, the free tee-shirts being given away by the sponsors were obviously not made for women.

And, then… the exception.

On-stage transphobia and its effects

Just before the keynote on the last day, one of the track hosts, John T Davies, made transphobic remarks whilst on stage. It only took a few seconds, but in that moment, much of the good work that QCon had done was very quickly undone: I no longer felt completely welcome, or safe, or included. I felt threatened. At risk.

Steve Marshall

Incredibly disappointing to hear a track host (@jtdavies) be transphobic on stage at #qconlondon. +@qconlondon

During the next presentation, I saw the official twitter account post an apology.

QCon London

qconlondon

We officially apologize that our code of conduct was violated this morning on stage. #qconlondon #qcon

In the mid-morning break, I went to speak to the organisers on a different matter, but ended up talking to them about the on-stage comment. I spoke to Silke D'Alessandro, and we were joined by Floyd and Roxanne, founders of InfoQ, and Nitin Bharti; and it was very reassuring to see their obvious concern over the incident, and to see their commitment to diversity and inclusion. They said that they'd spoken to Mr Davies about the incident, and that ahead of his own talk this afternoon, he'd make an on-stage apology.

This conversation was great to have, but at the same time, it's not why I came to QCon: I was here for the conference. So I felt frustrated that, because of what was said on stage, I felt unable to participate in this part of the conference, because of this unwanted distraction.

I joined the next session late (having missed the first half); had lunch, ate alone, my head still full of these distractions. I went for a walk outside, just to forget this, to be an anonymous tourist for half an hour.

Back at the conference for the afternoon, and the next two talks went well. For the third afternoon slot, I popped along to see Mr Davies give his on-stage apology (before I would then quickly switch rooms to go to the talk I actually wanted to hear). Unfortunately, for whatever reason, his apology came across as diminishing and insincere.

Nov 19th, actually

Very disappointing non-apology from @jtdavies at #qconlondon: "a little joke can offend people". Frankly you might as well not > #qconlondon

Nov 19th, actually

have apologised at all. Listen, understand *why* you need apologise, then be sincere. I think @jtdavies just failed on all 3 #qconlondon

I went to talk to the organisers again, to point out that the apology was not good enough. In fact, the apology itself was harmful. And all credit to them: once again, Floyd, Roxanne and Silke said all the right things, completely understood the problem, and said that they'd be taking further action.

I thanked them, and left. But by this point I was furious. I went to hide, to vent, to calm down. As a result of just a few seconds of offensive content on stage this morning, I was missing a significant proportion of the conference.

I managed to catch to the last talk of the day, and then, there was just one more item on the schedule: “Meet the speakers”, where the conference hosts and speakers are encouraged to mingle with the other delegates, and chat, share ideas, be creative. And it occurs to me: one of those other speakers is Mr Davies. Am I ready for that?

I seriously consider just going home. After all, there are no more talks. I could just slip away: many other people are doing so. I could too.

But I shouldn't have to. I came for the conference. This is why I'm here.

Meeting the speakers — and more

So I went. I grabbed a beer. I mingled.

Unlike the other “networking opportunities” — the coffee breaks, lunch, and so forth — where the mingling seems quite random, here it seemed far from random.

A lovely lady named Vanessa came up to me, to talk about this morning's incident. We compared notes about this conference, and past conferences, and how women are treated in the industry.

Then Roy Rapoport (of Netflix; this morning's keynote speaker) found me, and again, we're talking about the transphobia, comparing notes. About how he heard the comments, just before he was due to go on stage, so has to choose: make reference to it on stage, or act as if nothing happened? (He chose the latter, and I don't blame him). About he felt offended by the remarks too.

Then Floyd Marinescu (InfoQ) again, this time asking if I'm prepared to meet with Mr Davies. I know it could well be constructive to do so; and I know it's also fine if I say no. Even as I weigh up the decision, right there and then, I can feel the emotion, the anger, the frustration, the fear welling up in me: I'm still far too emotional about it, and so I decline.

Then I do some proper mingling: back to what the conference is meant to be about. At last.

As things are thinning out, I met with someone — who I shan't name — involved with organising the conference, who offered an opinion on Mr Davies' prospects of being invited back again. Enough said.

Then, finally, just as I'm leaving, another lady (whose name I didn't get) comes up to me, and again, it's to ask about the incident this morning. So we chat, I do my best to explain what happened, and about some of the following chain of events.

And then, the conference is over. Finally, it's time to go home.

Fallout

InfoQ's commitment to diversity at QCon is clear, and is to be congratulated. I wish that more conferences and events were like this.

But, transphobia was on stage. On show.

Make no mistake: incidents like this are exactly why diversity struggles in STEM fields. It drives people away.

What frustrates me so much about this is the uneven effect that such incidents have: I'm assuming that of the 1400 or so people attending, approximately 1399 of them didn't then spend a significant proportion of the day not focusing on the conference because of this.

Straight White Male is the lowest difficulty setting there is.

The closer you are to being a cis straight white male — the more the existing biases of the technology sector pander to you — then the less likely you are to find something that offends you, the more likely you can just get on with your job.

So the transphobia, on the whole, won't have upset non-trans people, and they'd have been able to get on with their day as normal. In fact, they might not have even noticed that there was a problem.

In contrast, as a direct result of the incident on stage, I missed a huge chunk of two talks, was greatly distracted from the others, missed several of the breaks and other opportunities to network, and even the “meet the speakers” mostly consisted of people wanting to talk to me about the transphobia — not about technology, which is nominally what we're all there for.

What next?

The diversity at QCon, compared to the industry as a whole, was good, so it's clear that InfoQ are trying. At the same time, I believe they can try harder: 78% male is still too high, and they are in a position to change that.

I'll admit, I was disappointed to see so few people speak up about the transphobia. If you see it, call it out. Speak up. Take action. Even if the offence isn't directly at you, it affects you, because it negatively affects diversity, and we all know that diversity — that is, having the make-up of the people in the industry reflect the make-up of the population as a whole — is a good thing.

Will I go back to QCon in future? Probably. The conference was well-run, with good content, and InfoQ's commitment to diversity is clear to see, not only from the speaker line-up, but also from their reaction to the unfortunate event of Friday morning.

But in future, can we get women's tee-shirts too? That'd be just great :-)

Update, Monday 9th March: On Friday, Floyd sent me Mr Davies' written apology, asking for my thoughts. I'm sad to say that this written apology was deeply troubling in its tone — "completely unacceptable" is I think also accurate.

March 8th is International Women's Day, celebrating the achievements of all women and calling for greater equality. Together we can make it happen.

Source for the speaker list: the QCon web site

On DNS and IPv6

Rachel Evans — Wed, 14 Jan 2015 20:23:32 GMT

Recently I've been repaying some tech debt that I had built up at home. I've been sorting out old files, arranging automated off-site backups, committing uncommitted files to git (including finally getting myself some private git hosting), simplifying config, upgrading Debian, upgrading my Internet connection, and adding IPv6 support to my home network. It's been a fun few weeks, actually.

The last one is interesting: adding IPv6. What does “add IPv6” really mean, and why should we do it?

Say “AAAA”

Assuming you've already got a working IPv4 setup, then adding IPv6, at its simplest level, is:

ensure each host or service has an IPv6 address;
ensure those IPv6 addresses are discoverable via DNS, by adding “AAAA” records.

Back in January 2011, there was “World IPv6 Day”: some big names (Google, Facebook, and quite a few others) temporarily added IPv6 addresses to their systems, and added “AAAA” records to DNS: just for a day, to see what happened. In essence, it was successful: some of their visitor traffic was carried over IPv6, and nothing broke. Then, in June 2012, there was “World IPv6 Launch Day”: basically the same again, but with more participants (e.g. Wikipedia), and this time the configuration wasn't removed afterwards: it was left in for good.

Because I've recently been adding IPv6 to my little part of the Internet, I've been repeating the exercise myself. Once I'd got myself an IPv6 allocation, and my home network was handing out IPv6 addresses, I could “ping6 google.com”, for example. I'd solved the first part: adding addresses. Now for the second: discoverability in DNS.

Servers and Nameservers

First, the easy part: each of my servers has an “A” (IPv4) record in my DNS records, so that the server can be found without having to remember IPv4 addresses. So all I had to do was add corresponding “AAAA” (IPv6) records. One quick visit to my provider's DNS control panel later, and that's that job done: I can now resolve my server name to an IPv6 address, and thus connect to it. So, for example, “ssh -6 myserver.rachelevans.org.uk.” now works.

This is where things start to go downhill a bit.

What did we just do here? I allowed my server to be addressed via IPv6, and I added its IPv6 address to DNS.

Does that mean that, if had an IPv6 Internet connection and didn't have an IPv4 connection, I could connect to my server? No, it doesn't. At this point, I'm still dependent on IPv4.

To understand why, we need to understand a little more about how DNS works.

Zones and Referrals

To resolve a computer name to an IP address, we use DNS. It's a distributed system, whereby lookups start at the “root” zone, and each zone can delegate authority to sub-zones. For example, “.com” is a sub-zone of the root, and “example.com” is a sub-zone of “.com”. Each zone has a set of nameservers.

Fundamentally, the problem is this: for DNS lookups over IPv6 to be successful, each zone has to provide at least one nameserver with an IPv6 address, and those IPv6 addresses have to be in DNS — otherwise that zone will be inaccessible to the IPv6 Internet.

(Exactly the same thing is true of IPv4, by the way: if none of a zone's nameservers have IPv4 addresses, that zone won't be accessible to the IPv4 Internet. However, so far everyone seems to get it right for IPv4, so it's less interesting).

So for our web site to be reachable to clients purely via IPv6, what do we have to do?

Say our web site is www.example.com, and our DNS zone is example.com. So we have to:

give our server an IPv6 address;
add an entry mapping its name to its IPv6 address as an “AAAA” record, in our DNS zone;
ensure our nameservers are reachable via IPv6.

How exactly do we do the last step? Simple: we repeat the whole process again. Say for example the nameservers of the example.com zone are ns1.big.hosting.co and ns2.big.hosting.co — we repeat the process for those two servers (or, more typically, we have to talk to the bighosting.co in question to check that they have already done this).

And then, in turn, bighosting.co itself has nameservers, and the whole process repeats.

An example

Back to what I was doing over Christmas: I was adding IPv6 support to my network, and then adding the IPv6 “AAAA” records to DNS. But, there's no point doing that unless the nameservers are also reachable via IPv6, which got me to thinking about this whole area.

So I wrote a tool I called “dns-dependency-walker”: it analyses the DNS hosting of a given domain, and finds its dependencies, and analyses, them, and so forth. It then draws a directed acyclic graph illustrating the relationships between the various zones and nameservers involved.

For example, here's the picture for rachelevans.org.uk:

(Nameservers or zones that are not reachable by IPv6 are shaded in grey. See my note to the side of the diagram for a detailed explanation.)

My domain is rachelevans.org.uk, so I depend upon the parent zones, org.uk, uk, and the root. The nameservers of my zone are in the domain buddyns.com, so I'm dependent upon that zone too. In turn, buddyns.com is dependent upon the .com zone. And so forth.

The moral of the story is: the success of your IPv6 support could depend on more than you might expect.

Let's do this!

So back to World IPv6 Launch Day. Their web site lists the companies that participated, adding support for IPv6.

Let's pick a few of the big names and see how they're doing.

Akamai

Not all of akamai.com's nameservers support IPv6, but overall, it's reachable. So far so good.

Microsoft

Slightly better for microsoft.com: all of that zone's nameservers support IPv6. It doesn't matter that some of the zones that they depend on have some IPv4-only nameservers, because they also have IPv6-capable nameservers. So again, the result is: it's reachable.

Facebook

Here's where it starts to go wrong. Although www.facebook.com does indeed have an IPv6 address, the facebook.com zone's nameservers don't. So if you, or more specifically your DNS resolver, don't have an an IPv4 address, then you can't find out what www.facebook.com's IPv6 address is — therefore you can't connect.

Google

Exactly the same situation at Google: www.google.com does indeed have an IPv6 address, but you can't find it without an IPv4 address, because none of the google.com nameservers have IPv6 addresses.

Cisco

At first glance, Cisco appears to have the same problem as Facebook and Google — lack of IPv6 addresses on the nameservers. But actually, it's a bit more complicated.

The nameservers do have IPv6 addresses, as we can see from this query:

rachel@dudley ~$ dig +short aaaa ns1.cisco.com
2001:420:1101:6::a
rachel@dudley ~$ dig +short aaaa ns2.cisco.com
2001:420:2041:5000::a

So what have Cisco got wrong, exactly?

The answer lies in DNS “glue” records: whenever the name of a DNS server (“ns1.cisco.com”) lies within the zone that that same server is trying to serve (“cisco.com”), you have to add the nameserver's IP addresses — the “A” and “AAAA” records — to the parent zone. These are called “glue” records.

Here's microsoft, getting it right (for the domain where their nameservers live, msft.net):

rachel@dudley ~$ dig @a.gtld-servers.net. a www.msft.net.
;; QUESTION SECTION:
;www.msft.net. IN A
;; AUTHORITY SECTION:
msft.net. 172800 IN NS ns3.msft.net.
msft.net. 172800 IN NS ns1.msft.net.
msft.net. 172800 IN NS ns2.msft.net.
msft.net. 172800 IN NS ns4.msft.net.
;; ADDITIONAL SECTION:
ns3.msft.net. 172800 IN A 193.221.113.53
ns3.msft.net. 172800 IN AAAA 2620:0:34::53
ns1.msft.net. 172800 IN A 208.84.0.53
ns1.msft.net. 172800 IN AAAA 2620:0:30::53
ns2.msft.net. 172800 IN A 208.84.2.53
ns2.msft.net. 172800 IN AAAA 2620:0:32::53
ns4.msft.net. 172800 IN A 208.76.45.53
ns4.msft.net. 172800 IN AAAA 2620:0:37::53

The response tells us which servers handle the zone msft.net, and then also tells us their IPv4 and IPv6 addresses.

By way of contrast, here's Cisco getting it wrong:

rachel@dudley ~$ dig @a.gtld-servers.net. a www.cisco.com.
;; QUESTION SECTION:
;www.cisco.com. IN A
;; AUTHORITY SECTION:
cisco.com. 172800 IN NS ns1.cisco.com.
cisco.com. 172800 IN NS ns2.cisco.com.
;; ADDITIONAL SECTION:
ns1.cisco.com. 172800 IN A 72.163.5.201
ns2.cisco.com. 172800 IN A 64.102.255.44

The response includes the IPv4 addresses of the nameservers, but not the IPv6 addresses. (The cisco.com zone does contain the nameservers' IPv6 addresses, but that's no use unless you can find the nameservers in the first place).

Why have these big companies not got it right yet?

So with all of this — multiple dependencies between zones and nameservers, referrals, glue records — does that mean that adding IPv6 support in DNS is somehow hard? That is, harder than IPv4?

Not at all —when it comes to DNS, the rules for IPv6 are exactly the same as they are for IPv4.

So why do so many companies — even the ones who promoted World IPv6 Launch Day, back in 2012 — get it wrong? What exactly was the point of it all?

To answer that, let's consider the following scenarios:

If everyone on the Internet has an IPv4 address already, is there any benefit to me if I add IPv6? Well, a little: addressability without NAT, for example.

But, what if not everyone on the Internet has an IPv4 address — what if some only have an IPv6 address? Is the result just that they can't find a lot of sites (including Google, Facebook, etc) because they can't get the DNS lookups to work?

Maybe. But there is a mitigating factor.

Often, if your computer (PC/laptop/phone) needs to do a DNS lookup, it won't do the full lookup itself — rather, it'll ask another computer to do it. Internet Service Providers will often provide such a service, technically called a Recursive Resolver or Full Resolver (but often lazily, and confusingly, called just a DNS Server). As long as your computer can reach that one using IPv6, and as long the Resolver does have an IPv4 address, then that also works. In other words: your computer might be able to manage without an IPv4 address, as long as it can reach a Resolver that does have one. But that's a hack.

But what if even the DNS Resolver doesn't have an IPv4 address? Well, then you're out of luck: you'll only be able to find those servers whose DNS zones are reachable via IPv6; and additionally, you'll only be able to see those web sites where the web site itself also has IPv6.

If either piece of the puzzle is missing, you miss out.

Why IPv6?

So back to my original questions: What does “add IPv6” really mean, and why should we do it?

Adding IPv6 isn't just assigning an IPv6 address, then bunging that it DNS.

It is ensuring that you support IPv6 at least to parity with IPv4, and ensuring that all the services that you depend on (usually provided by other companies and vendors) do the same.

Adding IPv6 in parallel with IPv4 does add some value in and of itself; but as you'll probably have heard, one of the big selling points behind IPv6 is that IPv4 addresses have run out (or “will soon run out”, depending on your definition), and when we're out of IPv4 address, newcomers to the Internet will only get IPv6.

The key reason therefore to add IPv6 support is for the benefit of people in the future. Increasingly, the IPv6 Internet will be the Internet, and as more and more of the people that you want to talk to are on IPv6, you'll be cutting yourself out of the picture if you haven't joined the party yet.

Some of the efforts so far to encourage IPv6 adoption have, perhaps necessarily, omitted some of the technical details. Companies have declared “We're on IPv6,” without really telling us what they mean — perhaps because they themselves didn't know.

Testing, Testing, I P 6

As you add IPv6 support to your Internet presence — your web site, email systems, and so forth — it's highly advisable to check that it's reachable even to people without IPv4.

Set yourself up a test area, on its own Internet connection, only with IPv6. Make sure you don't use your ISP's (or corporate) DNS Resolver service – because if you do, you might accidentally be depending on IPv4 without realising it. Reboot all the devices in the test area, to clear any DNS caches.

Congratulations: you've weaned yourself off of IPv4. Now, can you still access your web site? Can you still communicate with your company via email?

If you can, you're way ahead of the curve. Welcome to the future.

openssl and the default cert file

Rachel Evans — Wed, 10 Dec 2014 23:44:06 GMT

Here's a thing I came across today that confused me. openssl s_clientappeared to be claiming that a certificate was expired, when it wasn't.

(For reference, this is “OpenSSL 1.0.1j 15 Oct 2014″ on OSX Yosemite, as installed by Homebrew).

$ openssl s_client -connect ssl.bbc.co.uk:443
…
Verify return code: 20 (unable to get local issuer certificate)

So far so good. Let's see the certificate chain:

$ openssl s_client -connect ssl.bbc.co.uk:443 -showcerts
…
0 s:/C=GB/ST=London/L=London/O=British Broadcasting Corporation/CN=*.bbc.co.uk
  i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA — SHA256 — G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA — SHA256 — G2
  i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

This chain leads back to the “GlobalSign Root CA” cert, which I've already got downloaded as it happens:

$ openssl s_client -connect ssl.bbc.co.uk:443 -showcerts -CAfile ~/GlobalSignRootCA.pem
…
Verify return code: 10 (certificate has expired)

Expired? Hmm. Let's dig into that.

depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=10:certificate has expired
notAfter=Jan 28 12:00:00 2014 GMT

Today is December 10th 2014, so yes that's in the past. So which cert is it claiming is expired?

Let's inspect each cert in turn using openssl x509 -noout -subject -issuer -startdate -enddate — the first two using the output ofs_client, and the last using the cert I already have a local copy of:

subject= /C=GB/ST=London/L=London/O=British Broadcasting Corporation/CN=*.bbc.co.uk
issuer= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA — SHA256 — G2
notBefore=Jun 2 09:56:02 2014 GMT
notAfter=Aug 19 13:50:57 2015 GMT

subject= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA — SHA256 — G2
issuer= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
notBefore=Feb 20 10:00:00 2014 GMT
notAfter=Feb 20 10:00:00 2024 GMT

subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
issuer= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
notBefore=Sep 1 12:00:00 1998 GMT
notAfter=Jan 28 12:00:00 2028 GMT

None of those are expired. None of those have an expiry date of “Jan 28 12:00:00 2014 GMT”, as claimed by s_client.

Several hours and some digging into the openssl source code later, I think that what's going on is this:

In certain circumstances (but not always), openssl will try to perform certificate verification. For example, when you specify the -CApath and/or -CAfile options to s_client.

When you do this, openssl can also load the certificates given by $SSL_CERT_FILE (default: OPENSSLDIR + “/cert.pem”, which for me means “/usr/local/etc/openssl/cert.pem”); and I think also those given by $SSL_CERT_DIR (default: OPENSSLDIR + “/certs”, which for me means “/usr/local/etc/openssl/certs”).

Therefore, even though I've explicitly told openssl only one extra cert to use, it's also using the certs in the default cert.pem file.

So what's in that file? For me, 229 certs, that's what. Including this one:

subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
issuer= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
notBefore=Sep 1 12:00:00 1998 GMT
notAfter=Jan 28 12:00:00 2014 GMT

The GlobalSign Root CA, which expired back in January. Bingo.

As a workaround, we can use the SSL_CERT_FILE environment variable to suppress loading of the default cert bundle:

$ env SSL_CERT_FILE=/dev/null openssl s_client -connect ssl.bbc.co.uk:443 \
  -CAfile ~/GlobalSignRootCA.pem
…
Verify return code: 0 (ok)

Managing AWS CloudFormation templates using stack-fetcher

Rachel Evans — Tue, 28 Oct 2014 17:14:47 GMT

Last month at the AWSUKUG meetup I talked about Video Factory, and there was a little section there where I spoke aboutthe tooling that we use to manage all of our components. One of the tools, “stack-fetcher”, generated quite a bit of interest from the audience, and there was interest in open-sourcing it. I definitely want to do this — but we're not quite there yet.

For now, though, I can talk about where stack-fetcher is right now, and what direction I want to take it in.

The problem space

“AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion,” says the documentation. As a developer, you do this by creating a template (JSON which defines one or more desired resources), then submitting that template to CloudFormation — either via the API, or via something which wraps the API (e.g. the web console). Then CloudFormation goes and creates or updates your stack to match your template.

As a developer who loves automation and consistency, this leaves you with several problems:

How do I generate the template JSON?
How do I generate the other JSON required by the stack (e.g. parameter values)?
If I was to push that JSON to CloudFormation — i.e. apply the change — how do I know what changes I'm actually pushing?
Can I push some changes but not others?
Once I know what I want to push, how do I do so?

A little BBC Media Services history

To put all of the above into a specific story: in BBC Media Services, we found during the development of Video Factory that we were managing more and more stacks, and by the start of this year we had something like 100 stacks to manage in each of our three environments.

By January 2014, we had a system for generating the JSON, but different people ran the relevant tools in different ways, therefore sometimes yielding differing results. And once the JSON had been generated, we had no way of knowing in what way it was different from the stack's existing template, so we didn't know what we were actually changing. And finally, we had no consistent approach for actually updating the stacks with the new template — mostly we were using the web console, but not always in the same way. And even then: it's a web console, so that's just awful from a productivity and automation point of view.

Thus, stack-fetcher was created, to address all of the above problems.

The workflow

Once you've updated your source files, the workflow to update a stack consists of three steps:

Run “stack-fetcher”. This generates a set of three files: current, generated, and next.
Use your favourite diff/merge tool to compare the current, generated and next files, making whatever changes you wish to next.
Run “stack-updater” to push next into CloudFormation.

The workflow in action

Here's a demo of a simple change, illustrating the basic workflow, and some of stack-fetcher's strengths.

Before running stack-fetcher, We have two stacks, “resource” and “component”. The first diff has already been applied: a queue was added to the resource stack. These screenshots show the second diff being applied: to modify the IAM policy defined in the “component” stack, such that access is granted to the queue in the resource stack.

Before running stack-fetcher

We then run stack-fetcher (in this example, “int” is the environment in question — integration). stack-fetcher retrieves the existing stack, generates the desired template, and compares the two. The summary shows “resource: same” (all in sync), and “component: DIFFERENT (20 lines)” (there are 20 lines of differences).

The output of stack-fetcher

stack-fetcher has generated three template files per stack: current, generated, and next. Here we see the three files compared, using vimdiff:

and the bottom half of the same files:

You can see that “generated” (in the middle column) has some sections that “current” doesn't — these is for the policy change we're trying to make. But you can also see that “current” has some lines that “generated” doesn't. This is because in this example, the stack in CloudFormation started off not in sync with our local copy (for example, maybe someone applied a change but neglected to commit the corresponding source).

So now we modify “next” (the right-hand file) to match whatever changes we want to apply. In this example we choose to pull in the new lines, but elect not to remove the extra, unexpected ones:

Merging the desired template into “next”, in the right-hand column

After saving these changes (remember, we didn't modify “current” or “generated” — only “next”), we run stack-updater:

Running stack-updater (first time)

stack-updater now warns us that it has detected a new parameter on the template (“MattressFailQueueArn” in this example): it adds this parameter, with the default value from the template, to the description file; then invites us to check this and edit the description file if we wish.

In this case the default is fine, so we just run stack-updater again:

Running stack-updater (second time)

Now stack-updater very clearly shows us the diffs between current and next: that is, if we elect to proceed, these are the changes that we're actually about to make.

After confirming that we're OK with this, stack-updater applies these changes, using the CloudFormation UpdateStack API:

Applying the changes using stack-updater

stack-updater polls the stack's status, waiting for it to reach a terminal state (i.e. not “in progress”). The stack events are displayed as they occur.

In this case the stack update completes successfully, and stack-updater's work is done.

In more detail

stack-fetcher is a name given to a collection of scripts, one of which is itself called “stack-fetcher”. The other script that is intended to be manually invoked is “stack-updater”. There are other scripts, but one of the goals of stack-fetcher is to invoke and orchestrate those other scripts so that the user doesn't generally have to think about them.

stack-fetcher

stack-fetcher's job is to generate a set of three outputs:

current is the existing stack, fetched from CloudFormation
generated is the stack that you want, generated from your codebase
next is what you're going to push back to CloudFormation using “stack-updater”

When stack-fetcher runs, next is generated simply as a copy of current — that is, if you don't edit the next file, then you won't push any changes.

To make generated, stack-fetcher runs a series of scripts. Currently, this step is rather BBC-specific: we invoke ./generate-templates with PYTHON_LIB set to point to part of the stack-fetcher codebase; if there's a transform script, then the json is then filtered through this; then there's a cosmos-cloudformation-postproc script which post-processes the json in various ways — primarily, providing defaults for the stack's parameters.

To make current, stack-fetcher needs to know what stack name it should work with — and again, currently calculating this stack name is fairly BBC-specific. Once entered, the stack name is remembered via the ./stack_names.json file, so you don't have to calculate or enter it again. Once the stack name is known, the existing stack template and descriptor are fetched, and saved as current.

After this, stack-fetcher normalises both current and generated. The purpose of the normalisation is partly to make the files more readable, but also to get rid of differences that are meaningless. As well as whitespace reformatting and sorting object keys, the normalisation also includes CloudFormation-specific elements, such as sorting parameters, tags and outputs; removing empty arrays, if that would mean the same thing; and even re-ordering statements within IAM Policies.

next always starts off as a copy of current, so that by default no changes are pushed.

Finally, stack-fetcher compares current and generated and shows a simple summary: they're either the “SAME” or “DIFFERENT” (or, if the stack doesn't exist yet, “NEW”); then shows some help text describing what to do next.

diff/merge

The help text displayed by stack-fetcher suggests using vimdiff to compare and edit the files, but of course you can use whatever tools you wish. The goal of this step is to update next to reflect what you want pushed back into CloudFormation (whilst leaving the current and generated files unchanged).

You may wish to simply review that generated is exactly what you want, then copy generated over next (this is probably what you want, ideally); or, you can cherry-pick, and perform more complex merges.

stack-updater

Once you've updated next to be as desired, you invoke stack-updater, with exactly the same arguments as you did for stack-fetcher.

If there are any differences between the set of parameters declared in the stack template, and the set of parameters passed in the stack descriptor, then stack-updater shows those differences (e.g. “You're passing a parameter called X but it doesn't exist”), automatically applies corrections (e.g. removing the no-longer-existent parameter), then stops, so that you can check its changes before re-running stack-updater.

Assuming the stack already exists, then stack-updater now diffs current against next — that is, it shows you the changes you're about to push. It also displays the differences between the stack's parameter defaults, and the actual parameter values you're passing, so you can check which ones you're overriding. (If the stack doesn't currently exist, then this step is skipped, and the confirmation step up next reminds you that you're about to create the stack).

It then asks for confirmation to proceed, and if you say yes, then the change is pushed using the CloudFormation “update stack” (or “create stack”) API, and then stack-updater polls the stack status, waiting for completion.

Finally there's another BBC-specific step, wherein the stack can be registered in Cosmos, our deployment manager.

Dependencies

stack-fetcher is written in ruby, and uses the aws-sdk gem.

Benefits

By using this tool, we have realised several benefits:

speed: Using this tool is much quicker than using the other (several) tools that we used before. There are fewer commands to type, with fewer options to remember. And probably most importantly, you never have to leave your terminal.
consistency: By automating more of the process, and by normalising the output, we now achieve more consistency: by which I mean between developers, between environments, and between components.
understanding: This tool makes it very obvious what changes you're about to apply to live (or whatever environment you're updating) — no more blind pasting of a load of json and hoping for the best — which means fewer mistakes.

All of which means: this tool has helped us to be more productive.

Next steps

We need to separate out the BBC-specific parts from the rest, so that we can offer this tool out to a wider audience.

I'd like to make the “generation” phase more uniform: run a series of executables (bash, ruby, whatever — the tool should not care), where the first executable receives null input, and each subsequent tool filters the output of the previous one. So for example you might have filters which do: make the basic template; customise it for this environment; fill in parameter defaults.

I don't have any news yet of when this might happen, but I certainly want it to happen. Please drop me a line via a comment or on twitter if you have thoughts on this — I'd love to hear your feedback.

Personal highlights from the AWS Enterprise Summit

Rachel Evans — Wed, 22 Oct 2014 22:32:59 GMT

Yesterday I attended the AWS Enterprise Summit in London. I've already written about how it was very poor, from a diversity perspective. But, it wasn't all bad: some of the content was rather good...

All hail the snail

The first customer presentation was given by John O'Donovan of the Financial Times. He told a fascinating and engaging story of the changing world in which they found themselves: with print distribution in decline, they needed to refocus on the net — and on future platforms and devices yet to come, whatever they are. John's presentation was had a great balance of information, insight, and humour.

A particular highlight for me — and by the reaction from the audience, I'm going to guess for many other engineers in the audience — was Chaos Snail. “Like Chaos Monkey, but more chilled”, its job is to slow down I/O on certain instances, to test how software reacts to such degraded conditions. I asked John later if this tool has already been, or will be, open sourced — he says they've had a few requests for this, so yes they will. Good news!

John also talked about Tagbot, which locates and terminates untagged instances (“My team loves turning stuff off”, he said). Sounds like a blend between Chaos Monkey and Conformity Monkey.

Maximum support

After lunch we heard from Brent Jaye, VP of AWS Support. He emphasised the value of Trusted Advisor as a way of identifying problems, and how they're keen on building quick fix facilities into the web console. (For example: if a volume hasn't been backed up for a long time, then highlight this as a potential problem, and show a “backup” button right there).

“We're in the business of you spending less money with us”, he said — which has a nice ring to it.

Brent also spoke of the value of integrating AWS and the customer's support system together; and of using Trusted Advisor and AWS Support not just via the console, but by their respective APIs. (John O'Donovan would I'm sure agree: earlier on he said “We don't buy a product unless it has an API”. +1 on that).

Finally Brent spoke of the importance of engaging with AWS Support early, not just when there's a problem.

Auntie adapts

Next up, Robert Shield from BBC iPlayer spoke about Video Factory: how it uses AWS, the benefits realised over the previous platform, and how the BBC's Operations function has adapted with the use of the cloud.

(I work with Robert, on the same team — I presented the Video Factory story to the AWS UK User Group last month. So of course it should be assumed that I'm biased :-) )

However, it was obvious that the audience enjoyed it: Rob talked of the benefits of smaller, simpler components; of how much data Video Factory shifts into S3 every day; and on the importance of automation and consistency.

By re-architecting for smaller, simpler, more easily understandable components, he said, each part also became more reliable, and thus people were more willing to look after the system.

News from the cloud

The last customer presentation was from Chris Birch of News UK. Like John and Robert before him, Chris told an entertaining and engaging story.

Much of News UK's business is about Sunday publications, and combined with their “paywall” (he didn't call it that, but that's what the rest of us know it as), this meant that their traffic is highly spiked around Sunday mornings. And the old system could handle only 17 transactions per second! But of course things were much faster on the cloud.

Part of Chris' talk was about the importance and the difficulty of assessing the Total Cost of Ownership — needed to be able to make the business case for moving to the cloud. One thing I found very interesting was the idea that an application's “App Book” (documentation on what it is, etc) should also document the app's TCO.

There was also a nice section where Chris said that 48% of their instances had no tags, so it wasn't clear what the instances were doing. However Chris also said that “It's really boring switching stuff off”, which I have to say I completely disagree with!

The two-pizza team

Two of the speakers (sorry, I forget which ones exactly) mentioned the idea of the “two-pizza team”. Basically: a team which requires more than two pizzas will have communication problems. I like this concept — it's a good rule of thumb that definitely matches my own experience.

And the others…

You may notice that I only wrote about four of the ten speakers. That's because the other speakers very much failed to hold my attention. I enjoyed the customer talks, all of which were interesting, and engaging, and got a great reaction from the audience; but the talks from the partners, and from Amazon themselves (with the exception of Brent), seemed to be aimed very much at CxO level — at “suits”, one might say — and as such really weren't my thing at all.

So I saw it as a summit of two opposing audiences: CxO versus techies. If the event was larger, then it would make more sense to split into two events, or two tracks in one event.

As it is, it seems to me that most people would have found half of the talks less than engaging — but, it's only a one-day event, so that's not such a burden.

Wrapping up

Overall I really enjoyed the day — the CxO-style talks weren't for me, and I didn't explore the partner and sponsor stands; but the customer presentations were great, and I had a good chat or two with AWS staff, and I loved swapping stories with the other attendees.

Oh, and there was highly practical swag!

I think I'll be back — maybe not every time, but it was a good day, and I'd be happy to do it again sometime. See you there!

Amazon Web Services fails at diversity

Rachel Evans — Wed, 22 Oct 2014 11:22:28 GMT

Yesterday I went to the Amazon Web Services Enterprise Summit, in London. I listened to this man first, then this man; then this guy, this one, and then after lunch these six men all spoke too. And throughout all of it, another man acted as compère.

Nine of the eleven Chosen Ones

Eleven. White. Males. (I couldn't find a picture of the other two, but trust me: the other two were white and male too). Not exactly a shining example of diversity, is it? And I fear that the speaker line-up at AWS re:Invent won't exactly be that much better.

This is is no way a criticism of the eleven men in question: it's a criticism of the industry in general, and Amazon Web Services in particular.

Diversity helps us all. It encourages everyone to participate. For example, having women on stage will help other women to feel like they're represented, welcome, and included. And with that inclusion comes a greater array of ideas and perspectives. Surely you want the best people, whatever their gender, race, sexuality? Lack of diversity means that you're risking excluding some of the best people who would otherwise feel included.

So, AWS: just how hard did you try to bring in non-white-male speakers? I find it hard to believe that you tried, but were unable, to find any speakers who were female and/or non-white. Call me cynical, but what I find much easier to believe is that either you couldn't be bothered, or that the concept of ensuring diversity in your speakers just didn't even occur to you (and straight white non-disabled male is the default state for humans, amirite?).

Come on Amazon. I love your products, but on the diversity front you're setting a bad example. A company of your size, influence and reach is in a fantastic position to lead by example: just as your services help your customers (and, some would say, lead the way), please use your influence to help the industry improve in diversity too, so we can all feel included.

Thank you.

Headshot images from their various public profiles.