On Elastic Beanstalk, Docker and CircleCI
I joined ticketea's engineering team last month, and apart from learning how things work and doing some bugfixing weeks (to get comfortable with the code and peek at some of the projects), I also got assigned to one of the new projects. There are three projects that we have started from scratch, allowing us to decide if to keep or change the current platform (which could be more automated). In order to take decisions, we did some research and proofs of concept.
The main goal of the research was to setup a basic AWS Elastic Beanstalk orchestation system, to allow us to perform deploys, local runs, etc. without needing to manually handle EC2 instances and build the corresponding toolset, as we don't have any systems team.
Our results are mixed but still subject to change as we haven't yet discarded or decided for a certain route, we keep exploring multiple paths with the projects to decide later. Despite that, I'll leave here some notes and references. Don't expect great notes as this is more of a cleanup of a worklog/checklist (actually, it was a simple Github issue).
Update: I wrote this blog post which might be of interest as shows how to access an EC2 service from a docker container running with Elastic Beanstalk: Securely access AWS Parameter Store from your Elastic Beanstalk Docker containers
CircleCI
We'll stick with CircleCI as our test runner, builder and probably continuous deployment tool for staging. Version 2.0 works nicely with containers and, despite being heavily modified from v1.0, modifications were quick to perform.
- Some caching resources:
- Automatic deploys of
devbranch was easy to implement - If you plant ot use Docker, forget about 1.0, it implements and old version that gives headaches. With 2.0 you can install latest one in the "Virtual Machine" configuration and have no issues.
Elastic Beanstalk
EB has been relegated to staging/production deployment. For that, the cluster features (load balancing, rolling deploys, etcetera) are great and very easy to use. Instead, for local development it is between painful and directly impossible without hacks to work decently. The reasons are multiple, primarly being:
- You cannot use docker-compose as EB internally uses it and forces you to use their YML config files or rely on fully manual Makefiles + raw Docker
eb localworks only on pretty much factory-default scenarios. As soon as you start working on real services, it just doesn't works- EB works using environments, but it is configured so one "folder" is the equivalent to one environment. So having
dev,staging,productionetc. means one of the two following hacks:- Have a single root
dockerrun.aws.jsonwith placeholder variables that you replace by the appropiate enviroment values - Have multiple
dockerrun.aws.jsonat subfolders (one per environment) and move them via Makefile or similar to the root depending on where you run it
- Have a single root
- We've become more proficient on using "raw" docker, but in the end we decided to still use docker-compose, even if only for development. It saves you a lot of command line writing and is quick to change.
Resources:
- http://www.glynjackson.org/weblog/tutorial-deploying-django-app-aws-elastic-beanstalk-using-docker/
- http://www.glynjackson.org/weblog/django-aws-elastic-beanstalk-docker-2/
- http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/docker-singlecontainer-deploy.html
- http://docs.amazonaws.cn/en_us/elasticbeanstalk/latest/dg/create_deploy_docker.html
- http://cloudacademy.com/blog/how-to-deploy-docker-containers-on-aws-elastic-beanstalk/ <- Nice high level summary of what EBS provides
- https://medium.com/@grudelsud/continuous-integration-with-docker-on-amazon-elastic-beanstalk-44fa89024502 <- Very similar to our desired setup: Circle CI, Docker, Python,... Uses images instead of local Dockerfile
- http://abhipandey.com/2015/09/elastic-beanstalk-deployment-automation/
- https://medium.com/@0xadada/development-lifecycle-with-docker-and-elastic-beanstalk-47f7ac603e9f
- https://github.com/0xadada/dockdj
- http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/ebextensions.html (sample: https://s3.amazonaws.com/elasticbeanstalk/extensions/ElastiCache.config)
- Task definitions (for
Dockerrun.aws.json): http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definitions.html - http://www.eq8.eu/blogs/29-aws-elasticbeanstalk-deployment-hooks
- http://stackoverflow.com/questions/39083768/aws-docker-deployment <- to fix permission issues
- https://medium.com/learnings-in-and-around-sharetribe/using-aws-ec2-container-registry-to-host-docker-images-for-deployment-with-elastic-beanstalk-b5f21c3c8e21 <- deprecated
EB Configuration files
- https://medium.com/trisfera/getting-to-know-and-love-aws-elastic-beanstalk-configuration-files-ebextensions-9a4502a26e3c
- http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/ebcli-compose.html
Alternatives to EB
One of the teams, after asking for some feedback to friends and colleages is testing Terraform. It looks promising and is working fine for them but also needs maintenance, so there is no firm decision yet regarding if to use it or stick to Elastic Beanstalk and Makefiles (at least for now).
ECS + ECR
We setup a registry and pushed both development and production images after successful builds. It works quite nicely and the only reason we are not using them actively is to try to avoid the permissions hell you enter once you want to share images between different Amazon accounts (not just IAM users on the same account, but fully separate ones).
- https://circleci.com/docs/1.0/continuous-deployment-with-aws-ec2-container-service/ + https://github.com/circleci/go-ecs-ecr <- What we wanted
- https://blog.codeship.com/aws-registry/: Not exactly our CI system, but generally interesting regarding how to setup credentials, what to do at CI system, etc.
- CircleCI + AWS ECR/ECS: Indicates which env vars to setup for AWS credentials
- ECR CLI <- discarded/not needed
Redis
We are using Redis for our project, a docker image for development and Elasticache for staging and production.
- http://stackoverflow.com/questions/26528395/how-to-install-and-configure-redis-on-elasticbeanstalk
- http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-environment-resources-elasticache.html
Tools/extensions to check and add if interesting
- https://joeferner.github.io/redis-commander/ + https://hub.docker.com/r/tenstartups/redis-commander/ <- Didn't end up testing it as current usage of Redis is quite simple, might be of use in the future
- dockercfg file format
- aws worker python example <- Deprecated
Pelican Publisher Script
When kartones.net was a blogging community and not my current personal minimalistic landing page, one of the blogs that my friend Lobo666 and I maintained was Uncut. With the change to BlogEngine.Net it kept working easily, with a combination of a WYSIWYG editor (or Windows Live Writer) and uploading post images via FTP (minor manual step). But when I recently moved everything to static sites, as Pelican not only doesn't provides any editor but forces you to build the site to preview the changes, my friend was quite impeded to keep posting at the blog.
On the other hand, I already had some post-processing scripts, to cleanup some files that were always copied to the output folder (and thus, uploaded to the site) and to do other tiny tasks like duplicating files (I want to maintain backwards compatibility with the original RSS feed addresses of the old blogs). They were ad-hoc, but after showing them to my friend he just asked me "if I could just make those scripts also upload automatically the modified files". And indeed, making some changes to pass by command line optionally some post identifier (I decided to use the slug) would help. As would too ease things just removing all the "full indexed pages" that Pelican builds (index<zero-to-almost-infinite>.html pages), and just leaving 10 pages and a link to the full archives page:
This way, and removing the tags, categories and authors subfolders as I don't use them, the number of modified files to upload on a mere new blog post action is around a dozen, making it blazing fast to "deploy" with some Python code. In the end, generalizing the script for the three blogs that I still write and/or maintain, by specifying a few configuration parameters you can specify folders to create or delete, files to copy, remove, duplicate, truncating the index files... and of course upload a post or just build without uploading.
I don't want to extend myself much more as the utility of this tool is limited and very specific, getting to the point, I uploaded the script files to my Python assorted GitHub repo. The direct url of the publisher files is: https://github.com/Kartones/PythonAssorted/tree/master/pelican/publisher.
Usage is quite simple:
python3 publisher.py your-great-post-slug
And to only build:
python3 publisher.py
And that's all. Until next time :)
Recommended Articles - 2017/04/01
As I recently switched job and took a few days of vacations in between, not much relevant to write about on the personal side, so another bunch of relevant articles I've read recently.
- Why Gitlab is not leaving the cloud: Interesting summary of feedback received, seems that predominant point is hidden costs and maintenance requirements that you have with a datacenter and not with the cloud.
- Another chapter in Uber's evil march to hell: This time a tool to evade authorities. Good summary of incidents at Wired
- The Uber Bombshell About to Drop: And continuing with Uber (I'll stop after this because I dislike them but don't wish to spend "bad energies"), good and detailed timeline of the Otto now apparently fake subcompany scandal.
- Wikileaks publishes CIA Hacking Tools: Scary stuff inside, like lots of unknown zero day exploits, malware for remote control and "covert microphones"...
- Firefox 52 released: I mention it because is the latest release with support for Windows XP and Windows Vista, and old plugins (using NPAPI). In exchange, is the first version to come with WebAssembly.
- @_ericelliott: How to speed up developers:
- Give them one task at a time to focus on
- Avoid context switches
- Cut meetings
- Avoid interruptions
- Helpful(?) coding tips from the CIA’s school of hacks: Some obvious, others interesting. And mostly it showcases how their it folks are just humans like everyone else.
- Microsoft is putting OneDrive ads in Windows 10’s File Explorer: It's their operating system but... this is ugly and paves a road to darker destinations.
- Living without expectations: Good advice, but hard to accomplish, at least in the short term.
- Seneca on The Shortness of Time: Of course, with the mandatory mention of not wasting time on useless meetings, but in general advice of making your time count.
- A Software Developer’s Guide to Dealing With Coworkers: Really good advices inside.
- Google, Facebook, Twitter must comply with EU consumer law—or face fines: Good but slow advancements. It is ironic that justice now acknowledges "the growing importance of online social networks" When since around 10 years they boomed and this unilateral power and privacy violations have always happened.
- A Career Retrospective—10 years working in tech: Equal parts sad and great, a tale about sexism and harassment, but also about following your dreams and being creative.
- Forget Feature Requests: Small article but quikcly summarized as:
- Let your customers remind you what's important
- How do you manage them [requests]? You don't. Just read them and then throw them away
- What happened to tablet sales?: Interesting because around me I felt exactly the same that article points out: once you have a tablet, you stick with it as long as possible, like with a computer and unlike with an smartphone.
- Should I stay or should I go? How to decide when it’s time to switch jobs: Great article summarizing main reasons. Identified myself in some of them.
- For sale (in the US): Your private browsing history: USA, "the nation of freedom" (although we could discuss it), but definetly not "the nation of privacy". Another step in losing our rights to our "data" and habits.
- @rbranson: [...] Production software tends to be ugly because production is ugly. The ugliness outpaces our ability to abstract it.
- @codemanship: Don't explain code quality to execs. Explain high cost of change. Explain slowing down of innovation. Explain longer cycle times
- @KentBeck: First you learn the value of abstraction, then you learn the cost of abstraction, then you are ready to engineer
- lobster_johnson: Interesting advice from a company having used microservices for 6+ years: Different services yes, but with a centralized data store to avoid synchronization issues (of local "data silos").
Recommended Articles - 2017/03/05
Had a bunch of links pending but past weeks have been quite busy. It's so sad that unethical and directly wrong company behaviours have been dominating the news ecosystem lately...
- Understanding the GitHub Flow: A quite simple and intuitive way of working with branches with GitHub (but applicable everywhere).
- Trunk Based Development: And the opposite to the previous point, how to work directly with trunk, not using branches. While it requires training, more care and probably some experience, I've been working in the previous step (only
devbranch and then merge totrunk/master) and it speeds up a lot the flow, especially if you do TDD or pair programming. - Adding Community & Safety checks to new features: Really interesting post from GitHub about non-functional requirements related to community and user safety. Must read as we usually don't take this points into account.
- Trump may sign executive order re-vamping USA’s foreign worker visas: Going to work at USA is getting uglier and harder... If this order passes, H-1B visas could cost way more and be harder to obtain.
- GitLab.com Database Incident + Postmortem of database outage of January 31: Transparency first. A GitLab engineer made a mistake and production data was lost (and in the end couldn't recover around 6h of gitlab.com data), but the exercise of a public incident report, streaming of the ongoing fix and sincere communication is what I really like. After all, we're human and everybody makes mistakes.
- Announcing GVFS (Git Virtual File System): Microsoft is changing so much that is now even working on a special Git version that allows them to work with huge repos (million files and hundreds of GigaBytes). Interesting although only seems to work with the latest Windows 10 builds.
- The Dark Standup: Good example of why forcing working your 40 weekly hours and not more makes you more efficient.
- Getting out of the startup rat race: Couldn't agree more with the article, but it's such a common scenario...
- Report: Pokémon Go has now crossed $1 billion in revenue: It's curious that media was quick to forget it and label it a failure when the growth decelerated, but the income numbers are still great.
- A future without browsers, February 2017: Nice slides about how in a few years the concept of web browser will probably dissapear. Also a quick but nice recap of how we came to the present regarding internet browsing.
- How to be an effective early stage employee. Hint: be helpful: Hint #2: Try to follow the advice whenever early stage employee or "late" one ;)
- The Power of Big Data and Psychographics: "4,000-5,000: collected data points per adult in the US". 12 minutes long talk about big data applied to US elections a few weeks before they ended. Interesting and scary once more.
- Reflecting on one very, very strange year at Uber: Sad story, good advice from DHH (hint: delete your uber account then delete the app).
- Culture is the Behavior You Reward and Punish: Another article about company culture, what you say it is versus what actions actually define it as.
- The 100% correct way to validate email addresses: Great way of explaining that sometimes taking the simple path saves you effort and works almost as good as the perfect path.
- Exponential growth devours and corrupts: DHH is on fire these days attacking the unicorn world of startups! Long essay of how corrupted the ecosystem of startups becomes when all that matters is money made and the final goal is to sell the company.
- The mythical 10x programmer: Redis creator opinion on the subject. Quick read but good lessons inside.
- Summary of the Amazon S3 Service Disruption in the Northern Virginia (US-EAST-1) Region: Interesting because, as happened recently with Gitlab's Database deletion, a small human mistake caused a big problem. We all make mistakes, but this events demonstrate how in an age of automation and complex tooling, we have to be as careful as ever doing any dangerous operation.
- Insomniac’s Web Tools Postmortem: Very interesting regarding hardcore Javascript usage, tells about what happens when a game dev company makes their tools web-based. Without spoiling the content, among other things they recommend using TypeScript.
- The Story of Firefox OS: Long but worthwile tale of this great idea that didn't worked well.
Hacking Flash Games Example: Clicker Heroes
Note: I reported this technique to the company behind the game back at august 2015. Never got a reply.
Introduction
I like videogames, so when I read about some "clickers" genre, I wanted to check how they played. Setting aside the mechanics themselves and my personal feelings regarding this kind of games, one title that caught my attention for being better than the average was Clicker Heroes. After playing a while it looked to me as if the difficulty curve was quite exponential, requiring either lots of patience or spending money at in-app purchases, so I wanted to confirm my suspicions.
The process
Checking the game binaries I saw that there was a HeroClicker.swf, so it was a Flash game. I've already peeked inside and even dissasembled SWFs with Sothink SWF Decompiler, so was my chosen tool.
I started peeking at the insides, and by mere luck I ended peeking the ImportScreen class. It had a constant called SALT just below the variable _userData, so it caught my eye. I ran the game and saw that in the options you can export your data to an apparently encrypted TXT file, and then import it back... hacking my data was way more appealing, and by chance I had a possible attack vector with the import logic.
There was another constant with a maybe too descriptive name, TEXT_SPLITTER, and scrolling down I found toAntiCheatFormat and fromAntiCheatFormat methods, performing MD5 hashes with the salt of contents retrieved from sprinkle and unSprinkle methods.
The sprinkling or scattering algorithm was not hard to read:
- Get user data json and base64 encode it
- Prepare a new array twice the original size of the base64 encoded string
- Place one by one all base64 encoded characters at even positions
- Randomly put an alphanumeric character at odd positions
And then when writing the content of the "encrypted" data to the file:
- Write the new sprinkled array
- Write the
TEXT_SPLITTERconstant as it is - Generate an MD5 of the original JSON data with the
SALTconstant and write it
And of course, the inverse process to import the data.
I built a small tool to apply this algorithm using Ruby, and after saving/exporting my character, it did work and I had access to shiny data like the following:
"soulsSpent": "0",
"primalSouls": "34152",
"mercenaryCount": 5,
"gold": "1.244277239155236e135",
"baseClickDamage": 15,
"transcendent": false,
"epicHeroReceivedUpTo": 1660,
"rubies": 7165,
Writing the inverse was easy, and confirmed me that everything worked fine.
The results
This is how the end of an original encrypted file looks:
And this is how a (valid) file encrypted with my tool/script looks. As you can see instead of randoms I just enter blank spaces at odd positions:
The truth is that even cheating, the game gets to some insane levels that you have to either wait a lot or do level grinding (by restarting via "trascending"), so I got bored too quickly. As often happens, tweaking or hacking a game becomes more fun than playing the game itself.
You can get the tool (needs Ruby) from my GitHub and easily see a simplified version of the algorithm.
Final note
Even if the code were didn't had so obvious names, as the text splitter fragment can be easily spotted at the end of the file (Look for Fe12NAfA3R6z4k0z at both screenshots), just doing a classic saved game deltas diff would have raised awareness (whole content of the file would have changed except for that fragment) and made me search the SWF for that splitter string.
Previous entries