Codex Arcana

Frequently Asked Questions During Mentorship Sessions

eldermael — Fri, 17 Sep 2021 01:54:00 GMT

During the past weeks I have spent about 2 hours per week on mentorship sessions with various developers from the Devz Community. I am really thankful for everyone that chose me among all the mentors, and I took notes on most of the questions.

I immediately found frequently asked questions for all the topics that I listed, so I decided to write a blog post with them. In the future I plan to update this post with more questions as they come.

Technical Leadership

I Feel I Am Programming Less And Less [As A Tech Lead], Is This Normal?

Yes. Technical leaders are moving to a path where you are no longer just producing software i.e. an individual contributor. This is probably the most asked question regarding transition from senior developers to tech leads.

What’s important here is a bit of time management skills. I suggest having a balanced schedule allowing new tech leads to still program while considering the other skills required. Here is an ideal example:

30% of your time could be spent on the mentorship of your team members,
30% could be spent on meetings/product development,
30% could be spent on coding,
10% can be spent on growing your own skills.

A good reference for this kind of transition for me has been the work of Patrick Kua on the topic. Here is the most influential talk I could find for this.

What Skills Do I Need to Be A Tech Lead?

I think there are fundamentally 4 skills that you need to develop:

Leadership skills, being technical or non-technical,
System Design and Architecture skills and,
Developer skills, which you may already have.
Time management skills to balance your time spent on these.

I Want To Keep Coding But Grow My Career. Is There A Way To Do That?

I think this entirely depends on your organization. If the only path for growth to happen is go into management, probably it will conflict with this particular interest of yours.

I have experienced this myself and usually Tech Leader positions conflict with time spent programming. If your particular organization has technical paths (such as Principal Engineer) you can try to move into that direction, but most companies do not have such paths.

You can always trailblaze the path by communicating clearly with your managers the pursuit of such goal. Some companies can accommodate you but others have different priorities thus they will conflict with yours.

Architecture

As An Architect, Should I Still Develop Software?

Yes. Undoubtedly you don’t want to become the proverbial Ivory Tower Architect. If you detach from programming completely, most probably your solutions will also be detached from the code teams produce and thus it becomes counterproductive because developers will be forced to retrofit your solution instead of fit it more organically.

What Coding Tasks An Architect Should Focus On?

In my experience, the best architects I have worked with usually spend time on proofs of concepts and foundational technology. I have worked with architects that usually pair program with developers to unravel solutions that can fit the actual working code instead of coming up with solutions that may or may not fit the current architecture.

I think this approach has the best results overall because it proofs that your architecture guidelines and implementations fit into the software other teams are developing.

How Can I Know If My Architecture Is Successful?

Fitness Functions can be used to measure architecture goals. They also can be used to drive evolution to certain parts of the overall system once you know what to aim to.

An example of this is a fitness function that returns either the time, or the number of commits between your production code and the latest commit in your development environments. This function will let you know if you are properly applying Continuous Delivery.

Another example is Dependency drift fitness function. It allows you to understand the Drift between microservices regarding libraries and dependencies which can be interpreted as an indicator of stagnation/ossification of services.

Microservices

What’s The Point Of Microservices?

This is a tough question, but I usually focus on these points that work well with the evolution analogy:

Microservices are about change independence. As an example of a evolutionary architecture, microservices allow evolution on different parts of your system quickly. Some services will be very stable once they reach a certain point but others need to often change to accommodate business needs. Again, some parts of the organism evolve while others remain stable.
Faster time to market. Following from the previous point, once you know that the microservice architecture style allows for faster change and independence you are able to quickly prototype new ideas because you can start new business lines from scratch quickly, with the right tools (spanish).
Making innovation cheaper. As a side effect of the previous point, microservices enable to quickly prototype new ideas because you can start new business lines from scratch quickly with the right tools.

Do You Think We Are Ready To Adopt Microservices?

Microservices are not a free meal. Conway’s law is an important concern if you plan to adopt this architecture style. This is because there is a social/organizational component to every software architecture style and having organizations simply jump into microservices without the proper mindset can be problematic.

If you use Conway’s law to your favor, service-based architectures can help move faster, but without organizational perspective it usually works against the adoption.

DevOps

What Are The Most Common Questions You Are Asked During Interviews?

After quite a bit of interviews I have seen common questions and follow-ups:

What is DevOps? The interviewer wants to know if you “get DevOps”. Focus on why DevOps is more of a practice and cultural mindset instead of titles.

What is SRE? Software Reliability Engineering is kind of defined as:

One could view DevOps as a generalization of several core SRE principles to a wider range of organizations, management structures, and personnel. One could equivalently view SRE as a specific implementation of DevOps with some idiosyncratic extensions.

Per Google’s own book on the matter.

What’s the difference between DevOps and SREs? Per the previous question, but paraphrasing here, I think of SRE as an implementation of DevOps practices done by Google.
Can you describe/document a pipeline to deliver code from scratch? This is a lengthy question that may deserve its own post! it gets asked often.
What are SLAs and SLOs?

I Want To Transition To A “DevOps”/SRE Position. What Should I Study?

Most “DevOps” positions are really infrastructure positions. Most SRE positions are SysAdmin positions. Having said this, if you target infrastructure positions you should focus on:

Learn how to work with a specific Cloud Provider. This implies learning how to manage and architect infrastructure on a specific provider. AWS has around 30% of the market share as of the time of this post, so it maximizes your opportunity to land a job. This implies Infrastructure as Code practices and tools to help you provision and manage such infrastructure.
Learn tools and practices regarding Continuous Integration and Continuous Delivery. Most interviews in the infrastructure space ask you to design a pipeline to deliver services. The goal would be to be able to design pipelines using Jenkins pipelines, Github actions, Gitlab pipelines. I recommend watching Ken Mugrage talk about modern CI/CD practices, then learn a specific tool.
Learn about Observability tools and practices. A good rule of thumb is to use tools from the Cloud Native Computing Foundation Observability And Analysis landscape. Most interviews, in my experience, will ask you to configure not only instrumentation but also alerts and dashboards for services and infrastructure.

If you are targeting sysadmin positions, they probably will overlap with the previous points but also require the following:

Networking fundamentals and Software Defined Networking.
Operating System maintenance and provisioning (package management, configuration).
Container/VM Orchestration Tools (Kubernetes is the most popular nowadays).

Building A Web Service For A CO2 Sensor With A Raspberry Pi

eldermael — Thu, 19 Nov 2020 00:00:00 GMT

I recently wanted to introduce my daughters to programming, so I decided to use some kind of sensor to prototype a small application and teach them how to make hardware and software work in tandem as I believe having something physical would be more interesting than me typing on a REPL.

Now, I knew a raspberry pi had a way to connect sensors using its General-purpose input/output pins, so I decided to build a non-trivial application to get used to the programming model and at the same time have experience to build something more complex later.

Hardware Required

To start the project I did some research for sensors and while there were quite a bit of choices, I got interested in the KeyEstudio CCS811 Carbon Dioxide/ Air Quality Sensor for Arduino which is compatible with Raspberry Pi 5V pins. It also works using the I²C communication bus which is also supported.

Now, in order to prototype faster, I got a T-type breakout, a solderless board, and rainbow cable, plus jump wires. With this at hand, I was able to start interfacing the GPIO with the sensor.

Wiring It All Together

Now, it was a while (since my college days) that I had work on a solderless board but fortunately there is a diagram to connect the sensor to an arduino board thus you can deduce how to wire it to the equivalent pins on a Raspberry Pi.

With this diagram, and the official Raspberry Pi documentation, I was able to find the correct pins without much issue. For reference, here is the Raspberry Pi GPIO pin diagram (this is for Raspberry Pi 4 Model B).

Finally, with the help of the T-type breakout, and the solderless board, here is a picture of the connections. Note that the breakout already labels the pins so is not hard to match them.

Validate Connections To Raspberry Pi with i2cdetect

Now, with everything wired, the fastest way to detect if the sensor is properly interfacing to the I²C bus is to run a utility which can be installed on the Raspberry Pi Os named i2cdetect. Here is the command:


pi@elderserver:~ $ i2cdetect -y 1
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- 5a -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

The way to interpret the output of the command, and the parameters is the following:

i2cdetect takes a positional argument named I²C bus, in this case it maps to a linux device by number depending on your board. On the Raspberry Pi 4, it is the device number 1 located at /dev/i2c-1. The -y option is to disable the interactive mode.
The output of command represents the bus addresses in which the detected components can be found. In this case, the only address responding is 5a, which matches the vendor specified address for the CO2 sensor. You can find more details in the datasheet of the CCS811 sensor.

All I²C transactions must use the (7 bits) slave address 0x5A or 0x5B depending on status of ADDR pin when writing to and reading from the CCS811.

Read Data From The Sensor

This was the tricky part of the project as the documentation in the wiki of the seller had mostly C code which somehow was factually incorrect once I compared it to the official programming and interface guide. I struggled about a day using the wiki, so I finally started to search for the sensor documentation instead of Arduino IDE examples.

TypeScript, I²C And Prometheus

The full source code can be found in this Github repository.

In order to work with I²C sensor I decided to use the help of the Node ecosystem using a small library called raspi-i2c which allows sending and reading from devices attached to the bus in a very procedural way, with sync and async functions.

To build the web service itself I used Express to handle the HTTP requests coming from Prometheus and a small library called node-exporter-prometheus to generate the Gauge metric type to expose the sensor data.

Programming The Web Service

The Express Server

An Express web service is not really that difficult, the relevant part is here:

const app = express();

app.use(promExporter.middleware);
app.use(readSensorMiddleware(i2c));
app.get('/metrics', promExporter.metrics);

app.listen(serverPort, () => {
    initSensor(i2c);
    console.log(`server started at http://localhost:${serverPort}`);
});

We basically create an Express application, then register a middleware to gather the common metrics using node-exporter-prometheus and register our own middleware to read the sensor before finally exposing an endpoint under /metrics.

Initializing The Sensor, A Quick Premier Of I²C

The initSensor function will apply the initialization logic required for the sensor to start reading the environmental data. It follows the following diagram:

For this, the raspi-i2c library provides two basic methods to interact with the I²C sensor:

writeSync(address: int, register: int, buffer: Buffer): void this method allows writing to I²C devices by their addressed, to a specific register.
readSync(address: int, register: int, length: int): Buffer this method allows reading a specific register of I²C devices by their address.

These are the two methods required to initialize the sensor. As it can be inferred, the I²C sensor is very simple to interact with. As long as you have the sensor address (in our case 5a), and a register to read/write from, you will be able to initialize and read the required data.

This small snippet allows to read the hardware id from the sensor and check is the correct one:

// SENSOR_ADDRESS is 0x5a, HARDWARE_ID_REGISTER is 0x20
const hardwareIdBuffer = i2c.readSync(SENSOR_ADDRESS, HARDWARE_ID_REGISTER, 1);
const hardwareId = hardwareIdBuffer[0];

if (hardwareId !== SENSOR_HARDWARE_ID_MAGIC_NUMBER) { // This is 0x81
   console.log("Hardware ID did not match: ", hardwareId);
   // ... call error handler
}

As you can see, this is very straightforward. You choose either if you want to read or write from a sensor and how many bytes. You pass a Buffer or get one depending on the operation. After that is just a matter of inspecting the bytes returned according to the datasheet.

Read Data From The Sensor

Finally, the readSensorMiddleware will read both the CO2 and TVOC output from the sensor data address and set the Prometheus Gauges along any errors found. Here is the relevant snippet of code:

// SENSOR_ADDRESS is 0x5a, STATUS_REGISTER is 0x00
const statusRegisterReading = i2c.readSync(SENSOR_ADDRESS, STATUS_REGISTER, 1);
// bit at position 4 signals new data is ready
const isDataReady = bitwise.integer.getBit(statusRegisterReading[0], 4);

// If data is not ready check errors
if (isDataReady === 0) {
    checkErrorRegister(i2c);
    return;
}

// Read Data, 8 bytes, the first two bytes have the co2 reading
const buffer = i2c.readSync(SENSOR_ADDRESS, RESULT_DATA_REGISTER, 8);

// Convert the first two bytes to a 16 bit integer with big endianess
const co2Reading = buffer.readUInt16BE();

// Set the Prometheus Gauge to the result
co2Gauge.set(co2Reading);

Endpoint Result And Grafana

Now, with everything wired together, here is the resulting payload when sending an HTTP request (omitting comments and other metrics).

$ http --body GET http://192.168.1.20:8080/metrics
co2_ppm{appName="co2-sensor-pi"} 405
tvoc_ppb{appName="co2-sensor-pi"} 0
message_invalid_errors{appName="co2-sensor-pi"} 6
read_reg_invalid_errors{appName="co2-sensor-pi"} 0
meas_mode_invalid_errors{appName="co2-sensor-pi"} 0
max_resistance_errors{appName="co2-sensor-pi"} 1
heater_fault_errors{appName="co2-sensor-pi"} 1
heater_supply_errors{appName="co2-sensor-pi"} 2
unknown_errors{appName="co2-sensor-pi"} 2

Once we have Prometheus scrapping the metrics, here is the resulting Grafana dashboard:

Project Kickstarters for Microservices

eldermael — Thu, 01 Aug 2019 17:17:00 GMT

Previously in my post about Digital Platform Accelerators, I wrote about Project Kickstarters. In this post, I will try to get deep into the patterns I have seen and implemented.

In many companies I have worked we usually implement authentication and authorization, logging, telemetry, etc. I have implemented these in many project templates as a means of showing the capabilities of the platform on which the software runs and the fundamental structures that it provides to layout cross-cutting concerns. The idea behind project kickstarters is that they already give you an implementation of these concerns that is ready to be used and allows developers focusing into implementing business logic.

Reasoning: Reference Architecture

Many of the problems I have had with Software Architects is that whenever I have worked in a big company with many teams, architecture is usually retrofitted not implemented. The proverbial Ivory Tower Architect is one that gets a cross-cutting concern and then thinks of the solution without taking a look at the code that is already implemented. Thus their solutions mechanically clash with the existing interfaces.

Good reference architecture, on the other hand, starts with solutions and research. Proofs of concept are usually a good starting point to generate templates because they are necessarily implementing something that we want to reach. If by some reason we cannot implement a solution to a problem, it means that our architecture is not fitted for our context.

I have also met really good Software Architects and a common pattern I have seen is that they always say “let us prove that this is possible, that we can implement it” on one way or another. Good project templates serve as reference architecture because you can see them deployed and working on a Software Platform, visit their repositories and understand how they integrate to the platform.

Project Templates

Project templates are not a new concept but most probably they became more necessary with the advent of the microservices architecture. If you have a Digital Platform, good architecture mandates a series of cross-cutting concerns that conceptually can be grounded into templates that should require to do minimal customization to start the development of a new service.

I have seen many patterns for these but the most common is a single git repository in which architects and devs alike pour all the best practices they have learned for development along with sample integrations with technologies within the Digital Platform such as authentication or telemetry. These repositories usually are the product of spikes to know if certain technology can be a good fit for the projects or work that has been done previously.

Nonetheless, project templates are the lowest common denominator to use as Platform Accelerators because they require a lot of customizations to actually become an independent microservice. Cloning a project and do a lot of renaming is probably an error-prone task as the smart reader will notice.

Project Generators

Once you have achieved enough maturity regarding project templates, the next logical step is to create tooling that uses these templates and produces ready-to-use projects.

The focus of this post is to talk about them in the context of Digital Platforms so tools like Micronaut or Gradle initializers are not going to be described because, as far as I know, they do not allow you to customize the projects they already produce with features specific to your context.

Tooling available to create project generators is varied. I have used mostly Yeoman and Atomist. But there is also Maven Archetypes and Micronaut mn utility, Gradle init subcommand, etc. Because the focus of this article goes along the lines of Digital Platforms, tools that do not provide a way to integrate platform-specific features are not discussed e.g. Micronaut mn.

Yeoman

Yeoman is a project scaffolding tool similar to Maven archetypes or Rust Cargo. In principle Yeoman is really easy to use as it works with templates and an “in memory” file system that allows you to stream files from a predefined location and apply transformations to them.

Whatever you can do with memory-fs editors you can do with all the files using Yeoman. I have also used sub-generators as feature toggles to allow generation of code with specific features on them.

The drawback of using templates is that you will not have a good feedback cycle unless you generate a project from scratch and then run the generated project and hopefully run a good test suite contained within the project. For example, if Yeoman generates a front end application you will want yo run npm run buildor if you are generating a Gradle project then running ./gradlew build. These will allow you to know if your code compiles and their tests are running fine with the set of features you want. All of this takes time so I would not recommend templating files at all.

What has worked best for me is to download a repository into the directory where Yeoman is expecting the template files to be and then do the replacing and renaming. This ensures that at least the starting point of your code generation is a project that hopefully is already in a good state (by having this project have a pipeline and a battery of tests that actually work).

The following problem here is making sure that the generated project is not in a bad state and soon enough you will have to have a pipeline that generates and discards projects after running tests on them.

Finally, the tools Yeoman gives you are very basic. String replacing, file renaming and so forth are the bare minimum for project generators and soon enough I had found a lot of complexity while trying to make more sophisticated things such as properly remove/add features to a project depending on the user needs. You could theoretically create projects that have only the features some devs will need but this becomes a complex problem due to the number of permutations that happens with these projects.

Atomist

Atomist approach to code generation takes the idea of independent seed projects that you take and apply code transformations to them. This is no templating mechanism so Atomist proposes using Microgrammars and AST transformations to automate the changes to the project.

While I agree that you could use other AST transformations using Yeoman directly using Vynil streams ASTs, I do think that the API Atomist provides, along Microgrammars are more simple and powerful to use as they provide really good abstractions over code projects and code transformations.

Using a Software Delivery Machine, you can use Git repositories as the starting point for a new project. By applying code transformations to the source code, you will produce a fresh project. The SDM will orchestrate the transformations and produce a new Git repository and also can push it to a service such as Github or Bitbucket ready to be used.

In a later post, I will discuss approaches to code project generators and probably code examples to create feature toggles using them.

Fighting Microservices Drift On Digital Platforms

eldermael — Thu, 01 Aug 2019 01:57:00 GMT

Previously in my post about Digital Platform Accelerators, I wrote about Distributed Refactoring Tools. In this post, I will try to describe the different tools I have used and the circumstances that lead me to use them. Also, why they are necessary.

I have worked on four microservice projects on different roles. From front-end and backend developer, tester, infrastructure developer, and a mix of all of them. While I worked on three different companies during those projects, I almost always found the same problems appearing.

The need to share code between services using platform libraries and the consequent maintenance that comes with them. The need to create policy through pipelines that evolve constantly and end up breaking project builds due to backward-incompatible changes. And finally, the need to update configurations for both pipelines and microlibs on several projects at a time.

In hindsight, all these problems mostly come from the same source: drift. Be it configuration drift due to a myriad of properties files or configuration sources; dependency hell due to library version drift; or delivery drift caused by feature parity between projects and the pipelines required to deliver them.

Driftwood, Wikimedia Commons.

Why Does This Kind Of Drift Happen?

It’s because you share code and settings. Configuration drift happens when you have different settings or initialization data for your services or infrastructure. Dependency drift evolves to dependency hell when you have different versions of the same library and you share those versions on other software projects. Finally, delivery drift happens when your services cannot be delivered with the same pipeline definition over time.

The organic nature of software is what is causing drift. At some point, we have created strategies for conveying meaning on change e.g. versioning and more specifically semantic versioning. With these versions, the goal is to keep up to date with the latest release because it should be the most stable or has the latest features that help us evolve our platform.

The problem with semantic versioning is very misleading regarding two things: it’s not always the most stable and in most programming languages there is no way to enforce it. Even Joe Armstrong, of Erlang fame, tried to find ways to enforce that even a function was exactly the same as other function to enforce compatibility.

Two functions f and g might be the same
if [f(1),f(2),f(3),...f(100)] is the same as [g(1).g(2),g(3),...,g(100)]

If f and g are of type int -> int then we can reduce the inputs and output lists to SHAs and easily check if f and g might be the same https://t.co/rrgY0TuqUP
— Joe Armstrong (@joeerl) November 18, 2017

The latest release of a library is not always the most stable due to the nature of modifying software itself. Regressions happen, not breaking compatibility with previous releases is a goal but there are no guarantees.

What I think is that semantic version, even if well-intentioned, is not sufficient if you want to avoid drift on your dependencies or configuration. The smart reader has probably also thought about dependency locking. Some tools have already integrated this feature so that every time you build a software project it will always resolve the same dependencies. The problem with version locking is that it poses the problem of maintenance.

Version locking and the organic nature of software conflict with each other. If you lock dependencies, sooner or later you need to upgrade them or they will become obsolete. It’s on your best interest to not be out of date with security patches and bug fixes.

Distributed Refactoring As Means To Ease Drift

Unless you are on a monorepo (which has different challenges, out of the scope of this post), there are many constraints to evolve your software and keep up to date in a Microservices architecture.

The first problem with Microservices is that, unlike the monolith, you need to have platform libraries. The share-nothing approach could be useful but leads to a lot of duplicated efforts and even more drift because everyone will be tempted to solve the same problems with different strategies.

Platform libraries are implementations of cross-cutting concerns at a platform level. With a monolith, AOP used to be the way to achieve this, but you cannot intercept microservice calls without adding more overhead between services. Examples of this are authentication implementations, logging, monitoring, telemetry, etc. Even the pipeline definitions of build servers such as Jenkins are a way of policy enforcing and they require updates.

Now that you have implemented cross-cutting concerns using those libraries, keeping them up to date will be the next challenge. This is where distributed refactoring comes into play.

If you are into a monorepo, refactoring can be a single commit and it’s atomic. Updating libraries in different repositories will not be atomic and it will be difficult to do by hand if you have more than a few microservices to update. Even if updating different repositories is not atomic, automating these updates as much as possible will save a lot of developer hours.

I remember working on a single pipeline to deploy only a certain type of microservices. Every time I had to add a feature, it required modifying at least a dozen of services of that type. That could take anything from a couple of hours to an entire day depending on the definition and the size of the change. Even with shared pipeline libraries, updating the versions used is still a task that requires effort per microservice.

The Tools I Have Used To Execute Distributed Refactoring

Atomist

I have used Atomist at very early stages in my second microservices project. At that time I worked as a tester and we needed to use clients for a huge amount of SOAP services that provided auto-generated code.

Unfortunately, while we could generate code from those services because I was working as a tester, I knew that the service contract was going to change eventually and I did not want to create builders by hand for the myriad of objects that represented the response and request for those services.

Then I found Atomist and I found that I could create software that transforms software, I created a small program that added the required annotations to the generated code.

While this approach helped me a lot, on the way I discovered many other features that Atomist has that have helped me resolve all the problems that I have faced always during the development of microservices.

Atomist fingerprints allow you to keep track of the different versions of the platform libraries being used and with this drive updates. Configuration drift can also be tracked with Atomist. But Atomist goes beyond just tracking, you can create Code Transformations to keep projects from drifting if required with pull requests that developers can accept when ready (or just apply them if you feel empowered to do the change yourself).

Generating pull requests to update libraries using microgrammars to look for specific parts of Gradle build files or NPM package.json files is possible and is very simple to do.

Delivery drift can also be tackled by having Atomist fix/add step definitions and Jenkins pipeline versions to keep projects up to date with the latest policy in your platform.

Finally, I have been experimenting on creating backward compatibility with project kickstarters by annotating new platform features and make Atomist copy such features from seed/reference architecture projects.

This is important because project kickstarters and reference architecture start to drift the moment that you used them to start a new microservice. If users want to use new platform features, in most of the projects we have to do this manually with migration guides and manual steps. If you can automate adding new features, for example, the use of a secret registry such as Hashicorp Vault, you could save a lot of developer hours invested into integrating that feature from reference architecture services.

I have been in only one project where they used Snyk and it solves the problem of dependency version drift but with an approach focused on security. I really do not have much experience using the tool but I can vouch that it helped many other developers to keep dependencies up to date when critical security issues arrive.

Just recently we have had a huge amount of pipelines failing due to security scans made by OWASP and keeping the relevant libraries can consume a lot of time. While most of the time we need to ignore the problem because even the newest version does not resolve it, Snyk is capable of fixing them automatically with patches later on.

I became aware of rewrite only a few days ago and it looks very powerful. But it only works on Java projects. Its API looks fantastic for distributed refactoring and I have seen presentations were it could refactor all the Guava references of a method on GitHub!

I am researching this project for future use as one of my current project goals is to provide compatibility with other projects thus I can see the potential of rewrite to refactor calls to microlibraries we use to provide platform features.

Conclusion

Fighting microservices drift is a daunting task and while I have seen and implemented various approaches to this and it is still very difficult. I believe that keeping team independence is great, automated refactoring possibly could be better.

I remember in the first project I had to go and review all the front-end code of various codebases and create comments for developers to update their dependencies to introduce some features dictated by the platform. My surprise is that while some teams fixed the issue right away, others did not. In this case, I lacked the authority to enforce or apply the changes myself so that went on for a while until things started to fail.

In further projects, I had more power to do this but I still find that going to each repository and apply the fixes by hand is very error-prone and this is not the ideal scenario because drift happens in many places at a time and all of a sudden. That moment was when I started to look for tools that allowed me to refactor code automatically or allow me to speed the process.

My point is that even if you could keep things up to date for a while yourself, the scale of a microservice architecture will reach such a mass that doing things automatically is a better alternative than putting the effort to do it and feel the pain.

Shared Pipeline Libraries To Deploy Microservices

eldermael — Fri, 12 Jul 2019 17:21:00 GMT

Interesting interview. But often a "CI/CD pipeline" actually means 100 or 1000 separate pipelines. So the oil needs to be applied in many places. Hence we need to be able to express team-wide policy https://t.co/PlDFIVmmIj
— Rod Johnson (@springrod) April 9, 2019

Previously in my post about Digital Platform Accelerators, I wrote about Delivery Workflow Tools. A pattern within these tools was Shared Pipeline Libraries.

So far I have implemented pipelines on three different microservice platforms for three different companies and I intend to explain my experience in this post.

Reasoning: Do Not Repeat Yourself And Avoid A Death By A Thousand Cuts

About three years ago I was working on a project that had started with relatively few services, only five of them and three front end applications. By instructions of the CTO at the time, I was assigned to the testing team as a quality engineer in charge of writing Cucumber tests for a series of Web Services made using JAX-WS that were going to be “refactored” into modern technologies.

So, had an interview once with a CIO of a company a couple of years back for a DevOps position.

He decided I was not good enough because I did not write a Dockerfile by hand on a whiteboard so he sent me to the testing team.

1/?
— Mael 🇲🇽 (@eldermael) March 2, 2019

I am glad to say that I proved my CTO wrong because I wanted to go to the team in charge of building the tooling that these new services were going to use. This team was branded the DevOps team and they were going to be in charge of provisioning the infrastructure and maintain a single Jenkins server that will be used for all of this. By implementing the pipeline for running my own tests against the web services I was able to ask for a chance to work on that team because they were understaffed at the moment.

I was very new to Jenkins so the first thing that we tried to do was to program the Jenkinsfiles for each project ourselves in the eight repositories that were available.

Soon I found that I had a lot of repetition on these files. I mostly had copy-pasted the code there and changed a few things such as project names and other parameters.

As you can see this was not good but at the time the idea was that the teams in charge of those projects were going to write themselves those files once we had set up the patterns to deploy to the infrastructure we provided. Of course, software is organic and more requirements come and pipelines need to evolve thus we had to oil those Jenkinsfiles many times to add new features such as security scans, SonarQube quality gates, etc.

Our developers were busy delivering value features so the work of our team was to introduce patterns for these features and hopefully they will implement them in their Jenkinsfiles. Alright? For the clever reader, yes, we had to also write these in each repository Jenkinsfile.

Jenkins Shared Libraries

Updating every repository with these new features implied that we first worked on one repository at a time by modifying the Jenkinsfile by hand and then run the pipeline to see if it worked. Remember, I was very new to Jenkins and the rest of my team was very much understaffed so they were busy gathering requirements and trying to get order out of the chaos.

I started to research Jenkins shared libraries that will allow me to define the common steps and encapsulate them into a single parameterizable abstraction.

We started to replace many stages in our Jenkinsfiles with a single line of code with the new custom steps. This development outcome was that we finally started to remove duplication from our Jenkinsfiles but our pipelines still look very much alike.

During my last two weeks at that company, I started to implement the whole pipeline as a single step. This required to standardize the projects running such pipeline definitions to use the same tooling and define the same build system tasks.

Testing Steps And Definitions

My next project had Jenkins up and running already and it had a really nice shared library but in hindsight, testing by triggering the pipeline time and time again is not very efficient because you will be waiting a lot of time for the pipeline to reach the steps that you are interested.

What we found is that testing Jenkins shared libraries is a very complex matter because from the beginning Jenkins introduced this feature without any mechanism to test them in isolation. Having to use Groovy is also a challenge as the dynamic nature of the language makes you test double on finger errors such as the number of parameters and their types.

Fortunately, this is not a new problem thus there are projects that ease these steps.

jenkinsci/JenkinsPipelineUnit

Framework for unit testing Jenkins pipelines . Contribute to jenkinsci/JenkinsPipelineUnit development by creating an…

github.com

We extensively used jenkinsPipelineUnit to test our workflows and it helped us mainly to avoid regression bugs but testing the integration with external systems (such as SonarQube, Fortify, Terraform, AWS) still was very time-consuming.

Convention Over Configuration Plus Flexible DSLs

Once I experienced a somewhat mature shared library, I started a new project which required to scale things to a new level as the number of microservices was many times more than I had seen so far. When this situation happens there are always going to be edge cases.

These can be in the form of projects that require to skip steps, projects that require a slightly different task order and various other changes. When you start to see this problem emerging a useful pattern is creating your DSL for pipelines within the Digital Platform of your company.

This means that instead of defining steps with pipeline definitions, you will define a DSL that will be focused on the Platform and following Convention over Configuration to detect the needs of a project.

openshiftPipeline.groovy – Medium

GitHub Gist: instantly share code, notes, and snippets.

This is also a highly conceptual task but I can enumerate a few things that we have had implemented:

Detect project types and configure the steps that run depending on the type
Detect requirements of the project from its structure e.g. if you have a file with a database definition, apply automatically a step to provision it within your orchestrator
Inspect for tasks and skip if they are not found, for example, check if there is a Gradle task for checking style and execute it if needed
Apply fixes to common mistakes within projects and alert developers early of this problem through notifications. For example, fail/touch files required for the pipeline to run properly like required manifests

All these integrations are very context-dependent thus they will change with your platform. It is important to keep backward compatibility through the support of older models as you evolve the pipeline DSL.

Again, the important part here is that the DSL reflects the standardized way you want application pipelines to behave to support your organization workflow i.e. they become Delivery Workflow Tools.

Digital Platform Accelerators

eldermael — Fri, 17 May 2019 17:24:00 GMT

A Digital Platform is described as the set technologies that function as the context in which the company applications run. A combination of middleware that serves as the foundation for the different products and APIs that are part of an organization.

We have had Platforms as a Service (PaaS) for a while and I have worked on three digital transformations whose objective is to deliver applications and the platform to sustain them.

During those transformations, I have observed Digital Platform Accelerators emerging as patterns and tools that help you to reduce the friction created by deploying and managing many new services into a Digital Platform. The objective is clear: they provide faster access to use the platform itself.

Here are some types of accelerators I have implemented and used many times during these projects.

Project Kickstarters

In order to create services fast, enterprises have created mechanisms to build software applications using conceptual templates that can be deployed to a platform. Such templates are the aggregate of the technologies, best practices, and integrations required to run inside the Digital Platform.

I have implemented a few Project Kickstarters using different mechanisms and patterns and here are some of those:

Project Templates

The idea is to have a project that serves as a blueprint of the typical application deployed in your platform. This project is cloned and after some modifications by hand, you get a repository that can be used to create new services in your platform.

Many times these templates are divided by technology stack. Maven archetypes are a good example of this pattern but a significant difference is that the project templates contain integrations that are required for the application to run inside the platform.

These integrations differ from company to company but the usual cases are authentication, authorization, database integrations, caching. As you can deduce from these, we are talking about cross-cutting concerns that a Digital Platform should provide.

Project Generators

Eventually, you will have as many templates as technology stacks. And these templates will evolve as the platform starts to change to integrate more cross-cutting concerns. The logical next step is to provide platform users with a way to generate applications without the error-prone task of modifying a Project Template by hand.

Enter Project Generators. These applications will take a set of parameters that change between applications in your Platform and produce a repository ready for deployment.

Another benefit is that a generator is software too so it can be used to remove or add features from the generated projects. For example, if the new application does not require a database, the generator can remove the code that provides database access from the codebase.

Feature generation is a complex topic and it’s very hard to implement. Generators tend to grow complex if many features are provided thus is always better to keep them simple or have template projects to pull code from and transform them.

My dislike for tools such as Yeoman is that they work on a very low level by mostly manipulating text files as templates or low-level string replacement. This had lead to many bugs in which replacing a string in many files and over many layers can lead to very nasty bugs that are hard to resolve.

Atomist provides the next step of this kind of tooling in my opinion as it allows you to use AST transformations for code and also string replacements if your needs are not that sophisticated.

Examples of this are Yeoman, Atomist, JHipster, https://start.spring.io/.

Delivery Workflow Tools

In order to be deployed, generators need also a standardized pipeline from your lower environments to production. A typical problem in Digital Platforms is trying to establish this pipeline as your projects may differ in very little details that need to be captured by your delivery pipeline. Here are some useful patterns for achieving this:

Custom Build System Integrations And Tasks

You may have tasks small enough that can be integrated into your build automation tools such as Gradle/NPM. You encapsulate your steps in the tool instead of the pipeline and it gets executed by calling a task defined there.

These tasks usually conform to mandated designs in order to progress the applications through the platform. Examples of these tasks are running isolation and API tests, OWASP dependency checks, publishing to different platform environments, packaging the application in the preferred format for the servers/containers, etc.

A possible example of this tooling is implemented in Netflix Nebula. I also have created custom Gradle plugins that encapsulate many steps required to build applications and deploy them to a platform such as Kubernetes/Openshift.

Shared Pipeline Libraries

CI/CD tools such as Jenkins provide you with mechanisms to create shared libraries that can store common steps required to deploy applications. These libraries are pulled from your CI/CD server such as Jenkins and have definitions of shared steps that are used across your applications. They also can provide templates of fully-fledged pipelines that can consume your source code repositories and deliver artifacts up to production.

Unfortunately, shared pipeline libraries can sometimes be very complex and many developers I know think these are against the DevOps way of thinking as the platform is somehow mandating the structure of your pipeline.

On the bright side, Shared Pipeline Libraries avoid the problem of distributed refactoring inside applications within a Digital Platform. Imagine having to modify the pipeline definitions of every application if you introduce a new stage required for all of them. An example of this is security scanners mandated by your security engineers.

Unfortunately, creating these shared steps and pipelines requires a lot of effort because they need to be as general as possible but eventually you will have small edge cases. Maybe you need a different database in one project. Maybe you need to skip certain stages in another project.

Most sophisticated Shared Pipeline Libraries I have coded use Convention Over Configuration and small DSLs to build standardized projects. This removes the friction from deploying as new teams can have a newly generated project delivered into production in minutes.

Delivery Workflow CLIs

Over time, delivery steps in a pipeline start to get more complex as bash commands/scripts are being abused. In order to use a fully fledged programming language, a CLI tool is created that is called from the pipeline instead to execute more complicated stages.

The workflow of the application delivery and integration is captured in these CLIs and they sometimes mirror the stages of the pipeline. The benefit of this is that you are decoupling your delivery process from the CI/CD thus you could potentially run the CLI locally and achieve the same result, helping you with debugging and get faster feedback than waiting for the pipeline to run.

Another benefit is that the CLI can accommodate different technology stacks while keeping the complexity low because you are not tied to shell scripts.

NEWT (Netflix Workflow Toolkit) is a possible example of this pattern.

Shared Build Images

If you have created a standardized pipeline or workflow CLI chances are that all the required tooling is scattered in different places. For example, if you are using Jenkins you will have Jenkins agents for each technology stack or even for each tool.

This becomes a maintenance burden sooner or later for your DevOps/Infrastructure team thus a pattern I have seen emerging is to accommodate the bulk of your tools into a single Docker image/VM Template. If you only have a single place to add tooling and a single image to use in your CI/CD server you only will have a place to modify to add tooling required for new platform features.

This is important as many tools such as security scanners and tools to deploy applications such as kubectl are required regardless of the technology stack. You only pay the price of building this tool once (even if it is a lot of time) but you can easily update agent definitions and orchestrate pipeline changes that use the required tooling.

Distributed Refactoring Tools

Unless you are working with a monorepo, if you introduce a feature to your Digital Platform you will have to look for their dependents and update them accordingly to use your new features.

An example of this is typically when there is a need to introduce new stages in your delivery pipelines such as security scans. If you have a shared pipeline library or a CLI you might only need to update their versions but this has to be done across all the projects that use your pipeline and/or CLI.

Project Generators and Templates also only provide the first steps for your project. As they are updated with new features, projects that are already live won’t benefit from these features.

This implies touching several repositories and creating the commits to update existing projects with new cross-cutting concerts and platform features.

In the worst case scenario, this process has to be done manually by someone. Once a new feature is available in the underlying platform, many projects are mandated to use this feature thus their respective developers are tasked to do the required refactoring. If you have Workflow CLIs or Shared Pipeline Libraries it may only require you to update to the latest version.

There are a few tools that provide distributed refactoring:

Atomist

Atomist has the concept of editors which are pieces of code that transform code. While an oversimplification, these editors can produce pull requests to the required projects thus solving the distributed refactoring problem.

I have been working with Atomist for around three years and during this time the tool has been rewritten a couple of times. That kept me from adopting it for some projects but currently, the documentation and the tool are very powerful and complete.

Snyk

Snyk has auto fixes for security vulnerabilities in the Java ecosystem. This is a more focused type of refactoring but Snyk also manages multiple projects. The need to fix vulnerabilities is something obliged in an enterprise setting and Snyk has been my tool of choice for such requirements.

The Many Problems Of Jenkins, Reloaded

eldermael — Sat, 25 Aug 2018 00:00:00 GMT

Having worked with different automation servers for the past 3 years, specifically Jenkins during the last one, I have come to realize several problems with Jenkins coming from experience in the trenches. In this article, I explain some of them.

Steep Learning Curve and Frustrating Documentation

I honestly think that Jenkins is hard to learn. Part of this is that the documentation is hard to grasp from a beginner perspective. I attempted to learn Jenkins using the official documentation. I found that it lacked a coherent structure and the examples leave many of details outside. I decided that I was not making any progress trying to follow it after a month reading it.

Finally, I decided to read a book about Jenkins and ditch the documentation for a while. While the book helped me with a structure that I couldn’t find in the docs, my surprise is that even relatively new books leave many features outside while only touching some of them. With this I mean essential features such as how to not stop executors while waiting for user input! I also had the problem of having my Jenkins up to date and finding that the book won’t always match the current documentation or that the documentation has been adding new ways to do the same thing.

How Do You Automate Jenkins Setup, Seriously?

Working in a cloud-like environment means that I need to create templates/golden images of the software that we use. Remember the whole cattle versus pets concept? How do you do this with Jenkins? Being as old as it is, Jenkins suffers from the design problems of the software designed before the cloud era. By this, I mean that it’s designed for manual installation and you can see for all the quirks that you have to go through when installing it with an automated script.

Creating a Salt Stack state for it was such a nightmare that ended giving up. On my own time, I tried to create first a Vagrantfile and then a Dockerfile to automate this. It is an awful process that involves things such as writing a file with a specific version number to disk so that Jenkins can skip its initial setup wizard altogether (later versions also require running a groovy script at startup to set the correct state). This is crazy, just looks at all the answers that you get in sites such as StackOverflow or Server Fault! I probably have read dozens of questions and articles with the same question.

Another problem is setting up credentials, configurations, and jobs themselves. Even if you have a Jenkinsfile helping you to define the structure of the job, you still need a way to recreate the jobs from scratch. Fortunately, I found that Jenkins has a CLI but the documentation about it hides several details. The CLI itself requires knowledge of how Jenkins stores its configuration (tip, it’s XML) and I would say that is pretty bad itself because there is no documentation about the XML structure of many settings in Jenkins. I also had to read the source code to find the Javaclasses that mapped to it.

Being disappointed by the CLI, I found an OpenStack plugin to create what I needed: job configuration outside Jenkins in source control and that could be automated. However, doing this was not an easy task, and sometimes I thought that it was too difficult to provide this using Jenkins.

I could continue on and on but I think the point is clear: a Jenkins setup is hard to create, maintain and automate. Even with CloudBees support you still have many problems ahead of you.

In conclusion, Jenkins is not built with automation for itself in mind. I hate namedropping so I will mention that there are automation servers that require a single configuration file in YAML to store their configuration (even with secret backends). Others will simply need to backup a directory.

Jenkins Blue Ocean is Great but Not There Yet

I liked the interface provided by Blue Ocean and the visibility it gives you in contrast of just watching walls of text over and over. However, that is it, if you want to do something else you need to go back to the old UI which is terrible until you get used to it, again, coming fresh to Jenkins does not help, and nothing is intuitive or easy to discover.

I think this contrast with the overall Jenkins experience for beginners and here is my case: I had coworkers that had years of experience with Jenkins, and they all hated Blue Ocean. My opinion is that because they were already used to all the quirks I am talking about, they saw it as a dumbed down version of what they had. While I agree with them on this, this is a testament to how Jenkins was never designed with simplicity in mind.

The Never-Ending Scripted Versus Declarative Pipeline Problems

Writing this is kind of thematic, old versus new. If you, like me, came to Jenkins just recently, you will find that there are two ways of writing the same pipeline. As with programming languages, the price of freedom is complexity. The freedom that comes with two ways of doing the same thing are many and here are some of them.

Having a mix of engineers with previous experience with Jenkins and people coming fresh to it is a tricky situation, to say the least. The scripted pipeline is full of idiosyncrasies and quirks that do not translate well to the new declarative pipeline. Concepts change names (e.g., Node and Agent), plugins do not have support for the declarative way.

For complex tasks, I had to create blocks of scripts that then we refactored later to pipeline libraries, but we used many plugins created before the new syntax, so there was no way out of script blocks because we created Groovy objects that were needed between stages. It is a hard pill to swallow because there is no clear, intended way to build Jenkinsfiles consistently and the documentation sometimes won’t tell you which syntax they are using and the examples many times do not translate well between them.

Yes, The Plugin Ecosystem is Awful

Plugins for authentication, locking resources, tooling, Docker (it has many of them), SSH, et. al. You name it and Jenkins will have a plugin for it. Then you find that many plugins do not work well with each other or are complete abandonware.

Is the documentation any better? No, many plugins have only an example or two and many of my coworkers and I had to read the source code (fortunately we were well versed in Java, but other coworkers weren’t).

With the advent of CloudBees and the concept of blessed plugins I think that we are solving this problem but there is a lot of time until Jenkins works smoothly.

At the end of the day we could just replace many plugins with shell scripts but this comes with the penalty of using too much time for something that was promised to work.

CI/CD Concepts Are Missing

I remember having a project before this one in which one of our principal DevOps engineer convinced managers of using other automation server because Jenkins did not provide concepts such as fan-in and fan-out out of the box.

At first I was skeptical but having worked in a project with a microservice-like architecture I can say that this is a real problem that will cause you headaches. We have to create independent architecture guidelines and tooling to deal with fan-in. This is the reason of projects such as Jenkins Docker and Spinnaker. I remember the now defunct page of Concourse CI comparing the design of servers which had pipelines as first class citizens and the state of Jenkins a year ago (when I started using it). It makes so much sense now because it described it as an afterthought, something that Jenkins was never planed to do but they ended up retrofitting it without thinking that the problem was bigger than that.

The Conclusion

I wish that in my next project I won’t use Jenkins. Having spent a year doing CI/CD with it I can say that I am tired. Now my coworkers know that I can take any task and do it using Jenkins with success but this was a year long process that was full of frustration and hard lessons. I look forward for the competition to finally be as popular as Jenkins and force it to improve more than just changing its syntax for jobs. I want a Jenkins that does not have all the problems that I mentioned.

DevOps Against The Tide

eldermael — Thu, 16 Aug 2018 17:27:00 GMT

In retrospect, I can say that I have worked on only one software development project that was successful. Only once have I tasted the victory of deploying code to production (and it was excellent code!). Most of my career consists of working for different consulting companies of different sizes, and most of my work has been in software delivery contracts, i.e., coding software for clients of different sizes and cultures.

Many things have happened in those projects. One project ran out of budget. Another one was shut down after a year of development because it had constant delays and had 300 people working on it. On another occasion we had an excellent project that was doing very well, but the client decided to change from creating a new platform to “refactoring” (not really) the existing project.

Nonetheless, the defeat that has weighed on me the most was a recent project in which we had to swim against the tide in a DevOps team.

The thing with experience is that it teaches you many things that you shouldn’t do. Moreover, having worked with many different people as a consultant, I have also learned behaviors in people and teams that lead to disaster, antipatterns in social interaction and problems that arise between teams inside the same organization.

In this particular project, I could identify early on many things that immediately raised the red alert.

Having Separate Teams for Infrastructure and Development

Infrastructure development and DevOps are tightly coupled. I would like to say that DevOps is a philosophy and we need to create a term for infrastructure development, i.e., creating servers, managing clouds, all those things. However, I like to be pragmatic, and most DevOps roles in the industry are seen as infrastructure development first with a touch of tooling for delivering software pipelines.

I think that the worst problem of them all was that the team in charge of the infrastructure and its tooling was a separate team. That team also had very strict idiosyncracies about virtual machines that I can only attribute to a very systemic, operational way of thinking.

For example, as ridiculous as it sounds, we did not have access to create virtual machines ourselves. We were the team in charge of creating and provisioning the infrastructure and platform for several applications yet restricted to the most bureaucratic system I have seen. We had to create tickets for creating servers in bulk. However, even calling this creating them in bulk would be generous, as those servers were snowflakes created manually with very particular and irreproducible processes that were unknown to us.

Because of all of this, reverting the state of those virtual machines was also very challenging. Handoffs and updates of those servers frequently broke functionality.

I have seen the benefits of immutable servers and phoenix servers, but these practices simply eroded under the control of the team in charge of the infrastructure.

Too Many Chefs in the Kitchen and the Lack of Accountability

The role of Architect in this project lead to many problems during our development. As the team in charge of software delivery pipelines and platform development, we were the glue among teams requiring consensus for delivering working software. There is no way to achieve such a thing with more than 17 software architects with clashing decisions.

We had fruitless, long lasting meetings that lead nowhere. For a place where they value authority so much as to have so many architects, it was impossible to have them accountable for working software.

Conway’s Law applies once more to this project. Most software produced by this organization was a chain of delegation from the top of the hierarchy, in which nothing is achieved, to finally realize the functionality hidden by layers upon layers of indirection and senseless delegation created by developers. This hierarchy is the most rigid pyramid of bureaucracy that I have seen in all my years of software development.

One more thing that I would like to describe is how many architects became the proverbial “Ivory Tower Architect.” They have been away from coding so long that things such as git were alien to them. I also can attest that some of them are the classic example of the Peter principle: promoted not because of software development and architecture proficiency, but because they have been in the same place for years.

Tools Considered Harmful

Imagine that you are a carpenter. To work efficiently, you need to use specific tools that are intrinsic to your trade. Can you imagine being hired to do some work in a house, arrive and then being stripped of these tools because they are considered harmful by the owners of the house? It sounds ridiculous, but these kinds of policies were in place due to security constraints and some architectural decisions of the software development practice in place.

Many of us know the corporate IT world where the git protocol is considered harmful, so we have to rewrite our URLs to use HTTP instead. However, this is not even the tip of the iceberg; access to Github also was banned because it could contain malicious software. You had to do everything behind the software repository server, so we had to proxy several things such as the central Maven repo, the NPM registry, and Red Hat repositories. We also had to store binaries of different projects for provisioning our CI/CD server with those tools.

More extreme cases required us to repackage software ourselves so we could install it, ask vendors to customize installers for other software so it could be proxied through our repository server. Many packages also had to download binaries from the internet, requiring us to spend several weeks looking for workarounds to download those dependencies, rewrite the software hardcoded URLs, updating them to binaries in the repository server.

I can say with confidence that we spent several weeks customizing software for the sake of security. Unfortunately, most software assumes that the internet is available to download dependencies, but this was not the case in this organization.

Certificates and PKI, Done Poorly

If there is something that almost any tool uses universally nowadays is Public Key Infrastructure. If you go back to the previous section, you can see that most tools I mentioned require valid certificates to work correctly.

Would you like to make almost everything fail while trying to create a software pipeline or an infrastructure platform? Simply deploy your own PKI, using your own Certificate Authority and require every connection to use an intermediate certificate.

The problem is not PKI itself, the problem is that if you enforce connections to go through this intermediate certificate, you need to have an excellent automated process to provide such certificates. We did not have such nicety. We had to create certificates manually for each server created.

To make things worse, at least in Red Hat, even if you provide certificates in the system-wide repository, some software rolls its own repository or ignores it altogether. For example, we have Java and its Key and Certificate Management Tool. Python also has the certifi bundle of certificates. Jenkins may install its own versions of the JRE (again, Java). You also have the quirks of Red Hat and install certificates. HashiCorp Consul and much other software require certificates from the same CA explicitly set in the configuration.

I think we wasted much time provisioning certificates for every new tool in our hands. I cannot even recount how many times we first had to configure our tools to bypass SSL and then figure a way to provide the required certificate to connect to whatever you needed.

Finally, we had a tool to generate those certificates automatically but we did not use it: HashiCorp Vault. The problem was that it was not under our control, but I will address why this is a problem later.

The Result Is Low Quality

Software development and the DevOps practice require effort to be successful but when you have all of these technical and organizational problems you are doomed to fail.

One thing that keeps bothering me is that I never had the authority to push best practices and technical decisions forward. Even if I know better, places with such strict hierarchies are impossible to navigate if you are seen as a resource, awaiting orders.

The low quality of the software I had to write, full of workarounds, visibly counterintuitive desitions, is laughable at best. I can only end this saying that technical debt as this, which is not paid in time, is not technical debt at all. It’s low-quality software.

Notes On Mental Overhead And Build “Heroes”

eldermael — Tue, 28 Nov 2017 00:00:00 GMT

Previously I wrote about problems presented due to a lack of trust between software developers, giving some examples of complex build systems. One topic I did mention is that having a complicated build process can create unbearable mental overhead for the programmers working on such a project.

So, what is mental overhead in software development? Simplifying the meaning a bit: it’s the amount of effort you have to put in order to hold the mental model of a software system in your working memory. We also call it cognitive load.

This load is the reason we use such things as abstractions in software: they allow us to offload entire parts of a system of our working memory. It’s also the reason we, as programmers, value simplicity.

The Heroes

Going back to my comment about the build process in the previous article, it became so complicated over time, that they had to separate two programmers from the rest to maintain it. Now, I could only deduce those programmers were very good at offloading that problem from others, and they eventually became the“heroes” of the build system. The problem here is not trying to make things simpler but keep things the way they are for the sake of stability; they became so accustomed to such complexity that they started to see it as something ordinary.

I honestly think such thing is never going to be good. This kind of environment makes people very much stubborn due to the perceived stability because when people do not know how to lead, they try to control.

The second problem is that because heroes are mostly regarded in such high esteem, contradicting their opinions is something seen as heretical. While I agree on being opinionated about software development practices, being opinionated while appealing to fear is something I think it’s not productive or useful because it will probably stop disruption and innovation and it’s not the right reason at all.

The Two Real Problems: Complexity and Fear

I have seen that complexity becomes fear eventually. These heroes are there to make things safe and stable at the cost of flexibility. I do agree that stability is a good thing, but I also argue that to move forward you must make the trade-off between this and flexibility.
Recently I had to retract the use of a tool that generated code for our project. This particular CLI became a fantastic accelerator to our team, but unfortunately, the CLI is retired because the company behind it decided to move to a SaaS model. That model did not fit our client’s needs.

Back to when I added this to our project, I also had this fear that the tool was still in milestone phase, but I had to make the trade-off between stability and making our team go fast in a critical moment.
While now I have to look for a replacement for this tool.

To me, the fact that it allowed us to deliver more quickly on our project at a critical moment, says that it’s worth the trade-off while it lasted.

The problem is that if you focus only on stability and error prevention, acceleration and velocity are not something you give enough credit. Do you remember when DevOps did not exist and now everyone thinks they are the best thing in the world? We as industry realized that DevOps teams are accelerators; they may not be productive in the sense that they do not deliver the product per se, but they do make things happen faster.

Now, if you compare these build hero and DevOps you can see that the first ones have stability as a priority and the later are all about moving forward faster but with the trade-offs in mind so you can get the best of both worlds.

Values

In chapter four of “Extreme Programming Explained,” Kent Beck covers the following values: communication, simplicity, feedback, and courage. I believe that If you apply those, you will regularly avoid the problems described in this text. I hopefully will write about those later.

Is Your IDE Limiting Your Company Technology Choices? Or Is It Trust?

eldermael — Sun, 08 Oct 2017 00:00:00 GMT

So far, I have worked in two places where I have found a sad problem that I think it’s more common than I thought: having your codebase tightly coupled to your IDE.

I remember the first time I found this, I just had my first job as a tech lead for a team of Java developers. I remember that after the first day that mostly was paperwork, they showed me the place where I would sit and my machine. After that, someone sent me an email with the Standard Operation Procedure (SOP) to set up your environment.

Now, does having a SOP for something that I think should be trivial such as setting up your development environment triggers an alarm to you? At that time, with my experience at that point, it didn’t. But if I remember correctly, that document was 9 to 10 pages long removing parts like the title, table of contents and version tracking (yeah, at that time nobody used wikis to version their documents!). After reading it from top to bottom I just shook my head in disbelief.

They were running an ancient version of Eclipse at the time. And they also were tied to another very old version of Maven. They also had instructions to set up a few plugins that they had in zip format to import directly because they were discontinued. I also remember that you had to put a lot of stuff in your maven settings file in order to be able to download the dependencies of our only project… and a long list of etc.

The second time I had this problem was pretty recent, but I dare to say ten times worst. They had scripts that created the Eclipse configuration files and they saved those files to SCM. Now, of all the problems that you can imagine being the result of this, I can tell you a few:

Hardcoded paths: because you have to save your IDE configuration to SCM, you have to explicitly setup paths in special directories or your whole project won’t work.
Vendor Lock-in: The project won’t work on other IDEs because the configuration files are tied to the version of Eclipse that they were using, and because the version was provided by a vendor of a JEE server, the plugins also generate specific configurations that are not compatible with other versions of Eclipse.
Developer images of the operating system: the project won’t work at all if you use other than the specific image that they provide to developers because they need special directory structures for the project to work and special network drives setup for this.

Imagine working in such a project? I can tell you that it took me at least one week to have the applications working locally. Imagine the mental overhead that a build system like this is. From time to time I still get emails from other software developers asking how I managed to have my local environment working.

The consequences of this are that in both projects were stuck in this situation and if you wanted to upgrade, let’s say, your Java version, you were stuck to what the IDE supports. Quoting one of my coworkers, it’s a sad situation that your entire team or organization is limited to what your current IDE can do.

The problem with this kind of mistakes is that they force you to take more bad decisions. I can tell you that those developer images are the symptom of a deeply broken build process.

In my opinion, if you cannot build your entire application and run it with a single command I dare to say that you have problems.

The Underlying Problem

An IDE/Text editor is something personal, we as programmers do care about efficiency and our text editors or IDEs are personal choices that allow us to become more productive in our work. Some of us pick one because we see it as a bragging right.

To the point of this article, in both these projects, someone decided that developers should use the same IDE all the time and dictated what they should do every step of the build process. This may look a logical choice for many reasons such as consistency but the underlying problem is about trust. If you do not trust your programmers to take trivial decisions such as use their own IDE I would dare to say that your organization has problems beyond these technical details.

Both projects had technical leaders that came to the wrong conclusions (that everyone should use the same IDE) with the proper reasoning (that consistency is good). The problem here is that their process focuses on preventing errors because that sounds so good when you think about it. But this kind of process “cripples innovation because it tries to prevent small mistakes” and it becomes a burden that does not prevent or even generates big mistakes (such as having a complex build process).

A Working Ceylon + Spring Boot Environment in macOS

eldermael — Sat, 12 Nov 2016 00:00:00 GMT

The first pain you feel when starting a new project, of course, is setting up your environment. In my case, I also had to learn a new operating system because I never had an Apple computer before.

Now, many things change between Linux and macOS but I still had a lot of things to learn before setting up a Ceylon + Spring Boot environment correctly. In the following paragraphs, I will explain you what I did and I hope you can reproduce it on your own to work with these two awesome technologies.

iTerm2, replacement terminal for macOS

By recommendation I started downloading iTerm2. The installation is very straightforward: click in the download button to get the zip file, then double click it in your Finder to extract the content, a single .app file (that is a “Package bundle”) and execute it.

One good thing that I found from iTerm2 is the so called “Unyxness” i.e. it has a lot of shortcuts to avoid using my mouse while in the console. I also enjoyed the Material Design theme that matches my other application themes (I will talk about those later).

Homebrew, because you need a package manager

Marcos Besteiro on Twitter – Medium

What’s bower?” “A package manager, install it with npm.” “What’s npm?” “A package manager, you can install it with brew” “What’s brew?” ...

Having a good terminal emulator will allow you to install Homebrew. Homebrew is a package manager for macOS that will allow you to install third party packages from the console. Among the packages needed will be Java but I will talk about that later.

To install Homebrew just insert this command in iTerm2 and follow the instructions:

$ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Now, Homebrew has a plethora of software that you can install but first you should check that everything is running fine and you have the package definitions up to date. You can do that with the following commands:

$ brew update
$ brew doctor

Once you see if everything is working fine, you can continue with installing Java.

Tooling Needed: Java 8, SDKMAN!, Ceylon and Gradle

To install Java 8 you need to run the following command:

$ brew cask install java

And to make sure that you have it up and running just run a command to get the version you are running currently:

$ java -version
java version "1.8.0_112"Java(TM) SE Runtime Environment (build 1.8.0_112-b16)Java HotSpot(TM) 64-Bit Server VM (build 25.112-b16, mixed mode)

Now, before you install Ceylon you will need to install yet another tool called SDKMAN!. It will allow to install and manage different versions of Ceylon (among other things!).

The setup is pretty straightforward, just type this in your terminal and follow the instructions:

$ curl -s "https://get.sdkman.io" | bash

You will have to close the current terminal session and then you will have SDKMAN! working properly.

To know that you have it working correctly, check the list of candidates that you can install, among those you will see Ceylon:

$ sdk list

As you can see in the image, you have a list of candidates that you can install and SDKMAN! will show you the way to install those and the latest version. In this case, to install Ceylon, you have to type the following command:

$ sdk install ceylon

If you have to install a specific version of any candidate, just add the version as another parameter to the command e.g. sdk install ceylon 1.2.2 . To see the list of available versions you can type sdk list ceylon

How to check that Ceylon is working fine? Just check the current version:

$ ceylon --versionceylon version 1.3.0 49375fd (Total Internal Reflection)

Now that you have Ceylon, you will want to install Gradle (I will tell you why in the next section) using SDKMAN!. You also want to check that everything works as expected.

$ sdk install gradle...$ gradle --version------------------------------------------------------------Gradle 3.1------------------------------------------------------------Build time:   2016-09-19 10:53:53 UTCRevision:     13f38ba699afd86d7cdc4ed8fd7dd3960c0b1f97Groovy:       2.4.7Ant:          Apache Ant(TM) version 1.9.6 compiled on June 29 2015JVM:          1.8.0_112 (Oracle Corporation 25.112-b16)OS:           Mac OS X 10.12.1 x86_64

Gradle, Ceylon and Managing Transitive Depedencies

Let me explain something here. I have been working in two Ceylon projects so far. One of those projects is very small and does not depend much on external libraries. On the other hand, I have an application that started just like that and I had to add different features until I finally decided to add Spring to it.

Because Ceylon modules do not handle transitive dependencies, I had to create a module descriptor with all the dependencies needed. It looked like this:

module.ceylon – Medium

As you can see, managing all the dependencies like this will be a burden if you start adding more libraries/modules like I had to. This is why you need Gradle and Renato Athaydes’ Ceylon plugin for Gradle.

renatoathaydes/ceylon-gradle-plugin

ceylon-gradle-plugin - A simple Gradle plugin to manage Ceylon projects.

github.com

What this plugin will do is to manage your module transitive dependencies by creating an overrides.xml file that will tell Ceylon that you will also need more dependencies than the ones declared in your module (to know how this file works, refer to the Ceylon help located here).

Creating a Ceylon Project and Building with Gradle

To create a Ceylon project you can use the command line to create the files for a new Ceylon module. You only have to type the following command and enter the required parameters so the Ceylon command line tool can generate the project structure for you.

$ ceylon new simple

And this is where Gradle comes into play. First you will need to create a file named build.gradle and provide the contents needed to work with your module so the Ceylon plugin can create the overrides.xml file.

Here is how my build.gradle file looks like for the module I created with the command line:

build.gradle – Medium

This is pretty simple, you just declare the plugin for Gradle to use. Afterwards you need to make sure that the ceylon groovy closure contains the module that you specified in the command line and finally you provide the repository from which the dependencies will be retrieved (in this case, jcenter).

NOTE: The dependency block is to exclude logback from your dependencies as it is already contained within Ceylon. If you do not exclude this, you will get an error when trying to run the spring boot application.

For Spring Boot, you will need to declare only the starter poms as dependencies and then the plugin will take care of the rest. Here is how my modules.ceylon and run.ceylon files look like:

module.ceylon – Medium

With this project structure, you have all you need to let Gradle build and run your application. Execute the following command:

The first time you can see that Gradle will download all the direct and transitive dependencies for your project and finally it will run our application embedded server listening to the port 8080.

$ gradle runCeylon':resolveCeylonDependencies:createDependenciesPoms UP-TO-DATE:createMavenRepo UP-TO-DATE:generateOverridesFile UP-TO-DATE:createModuleDescriptors UP-TO-DATE:importJars UP-TO-DATE:compileCeylon UP-TO-DATE:runCeylon.   ____          _            __ _ _ /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ \\/  ___)| |_)| | | | | || (_| |  ) ) ) )  '  |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot ::        (v1.3.0.RELEASE)1012 [main] INFO io.eldermael.ceylon.boot.run_ - Starting run_ on twmac.local with PID 70615 ...3628 [main] INFO org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer - Tomcat started on port(s): 8080 (http)3634 [main] INFO io.eldermael.ceylon.boot.run_ - Started run_ in 2.99 seconds (JVM running for 4.104)> Building 87% > :runCeylon

Now, you can always stop the execution by pressing Ctrl + C but unfortunately this won’t stop the servlet container thus you will need to kill the process using the PID manually, e.g.

$ kill -9 70615

Import to Intellij IDEA

Because I do not expect you to edit more files in the command line with nano (worst, Vim), you will need to download Intellij Idea and get the Ceylon plugin that will help you to edit Ceylon files with nice features such as autocompletion and refactoring.

First, you need to download any version of Intellij Idea (I use the community edition):

IntelliJ IDEA the Java IDE

Code-centric IDE, focused on your productivity. Full Java EE support, deep code understanding, best debugger…

www.jetbrains.com

Once you have installed it by double clicking in the file, you have to run the IDE for the first time. What you need to do to get the Ceylon plugin is to select the plugin option in the Configure menu at the welcome screeen.

Select the Plugins option to install the Ceylon IDE plugin.

Afterwards, in the next dialog, you have to click in the Browse repositories button and it will show you a dialog box where you can search for the Ceylon IDE plugin and install it.

Search for the “Ceylon IDE” plugin

Once you have downloaded the plugin and restarted the IDE you can now import the project we created beforehand.

Note that it is important that you “import” import the project from the Welcome screen instead of selecting “Open” or “Create New Project” otherwise the project dependencies and autocompletion won’t work (in my experience).

To import the project you need to select the root folder as shown in the image.

Then you will be prompted with a dialog to import the project and you have to select the option “Import project from existing sources”. Following that you will have a screen where most of the options by default are OK unless you want to customize how the gradle project will be imported (I recommend to use the default gradle wrapper here).

Also you will be prompted to select the options for the “Project structure” and thus the Ceylon compiler options. You will se a tab called “Repositores”. There you have to select the overrides.xml file that Gradle creates in the building process so Ceylon can import the libraries that you specify and detect the transitory dependencies. You also have to check both options “Use a flat classpath” (unless you have specified otherwise in the Gradle plugin) and “Automatically export Maven dependencies”. This is very important, this way the IDE can autocomplete

You will know that your project is correctly imported once you can see that the transitive dependencies are shown in “External libraries” node of the project toolbar.

Unfortunately at this point, Gradle will crash if you do not have tests. Until you write tests your only option will be to run every Gradle command skipping tests using the option -x test e.g. gradle runCeylon -x test

To see a proper way to test your Ceylon modules, you can follow this guide. The recommendation is that you create a module prefixed with test that will contain the tests of the module with production code. E.g., if you have a module named foo.bar then your test module will be named test.foo.bar

Wrapping up

I document this because it was a lengthy back and forth to setup this environment but it was worth as now I have all what I need to continue with this project. I hope this will be useful in the future but I am more interested in the future Spring Boot integration promised by Gavin King.

Gavin King 🐘 on Twitter – Medium

Let’s see if we have time to slip #springboot support into Ceylon 1.3.1. https://t.co/JqmDLEEkTe

A (Very) Tiny HTTP Server With Ceylon

eldermael — Fri, 13 Nov 2015 00:00:00 GMT

Finally Ceylon 1.2 has been released and I am pleased to start coding more and more with it. If you have not take a look at Ceylon, let me tell you that it is one of best designed programming language that I have seen. The type system is simply unmatched by any contemporaneous programming language.

Now, as a web developer on both the front end and backend I really was expecting an easy way to create a web server to return files and JSON data to create a little web application for fun and starting to learn more of the language. And also use Ceylon on the client side because it is not just targeting the JVM in the backend but it also transpiles to JavaScript.

Fortunately, Ceylon 1.2 comes with different modules and one of them is ceylon.net.http.server which uses JBoss Undertow behind the scenes. For now I was trying to make a quick program to return a single string by HTTP, afterwards I will build on top of this to create what I want.

The Server And The Endpoints, First Glance At The Code

Code is king, so let’s start, here is a three file gist of a HTTP Server with only one endpoint:

Medium

If this code looks familiar to you, it is because it is a version of the current code snippet that is shown on the official Ceylon web site. But let’s analyze it:

The first two files are self explanatory, one is a Ceylon module definition. Here you can see that our module will import the module ceylon.net to the specific version.The second file is a Ceylon package descriptor telling that our package will be shared i.e. visible to other modules if they import our own

How to create a server

Next is the juicy code, here you can see various lines that do the following:

First, we import the factory function newServer which will help us to create a HTTP Server that is defined by the interface ceylon.net.http.server.Server. This interface, as you expect it, handles the lifecycle of our HTTP server and allow us to define Endpoints.

Now, all this function needs is a stream (list, sort of) of ceylon.net.http.server.Endpoint instances that will define what your server will respond to.

Endpoints

Now, to create an Endpoint you need three parameters:

A path defined by a ceylon.net.http.server.Matcher, i.e. the URIs that the endpoint will handle. For simplicity I am using the factory function called equals that will return me a Matcher that will make the endpoint respond to only URIs that match exactly the string I am using. You can compose these Matchers for greater flexibility.
An acceptMethod that is an stream of ceylon.net.http.Method instances. These translate into HTTP verbs, and as you can see I only needed a single instance for the verb GET.
A service function, this will be the code that will be executed when a request to our server is matched by the path we specified and the verb(s) that we passed in the parameter acceptMethod. It takes as arguments a ceylon.net.http.server.Request and ceylon.net.http.server.Reponse. These interfaces allow you to obtain data from and send data to the client respectively. This through HTTP specific things such as parameters, cookies, headers, etc. I will talk about these later.

It’s Running!

Now, if you execute the code (I am using Ceylon IDE to execute the run function) you will have a running HTTP server that will listen to requests to http://localhost:8080/. That was easy!

Now, talking about the language itself, I want you to take note of the named parameters that we are using all over the place (endpoints, path, acceptMethod, service). They make our code very explicit and readable without the caveats of other languages like passing objects/hashes of options that will not be checked by the compiler (here it does!).

Also note that the endpoints parameter in the function newServer: it is an iterable. This means that if you add a comma after the Endpoint instance that we are creating, you can add more Endpoints.

What I will do next

Currently I am working to make this server respond files, afterwards I really need to start working to respond with JSON and finally I will try to use Ceylon on the browser putting it all together (remember, Ceylon does transpiles to JavaScript). I hope you can read the coming posts about this.

Notes for the experienced Java programmer

Yes, I almost can see the grin in your face while reading the code. If you are like me and you have been using Java and the Servlet API for a long time, I think you get the idea behind the ceylon.net.http.server API. And if you compare this code, you can see that it allows you to define things very quickly and concisely with no unneeded verbosity. This somehow reminds me of Spring Boot but here you use less annotations and more code.