Prioritizing Features

In building software, the actual coding is rarely the hardest part. Often deciding what features to build is very difficult. There is a huge wasteland full of code that never got to the point where it was actually usable before people gave up on creating it. Getting your code to the point where it is being used by real users clears a significant hurdle and gives you a much greater chance of success.

Arranging the order of your features so you can quickly get to a usable state with the smallest set of useful capabilities without building anything unnecessary may sound simple. It isn’t.

Continue reading “Prioritizing Features”

Chef Solo Demo Video

Chef is a tool that lets you manage your server infrastructure in a way that is similar to the way you manage your code using version control. You can even test your chef configuration using tools like Cucumber. In 6.5 minute demo, I’ll show you how to use chef solo (chef without a central server) to install and manage Tomcat 7 and Java 7 on an EC2 instance. The configuration files are stored in GitHub so you can look at them or clone them for your own use. Continue reading “Chef Solo Demo Video”

Connecting Visual VM to Tomcat 7

Connecting Visual VM to a remote instance of Tomcat 7 is surprisingly easy. All you have to do is add some options to JAVA_OPTS turning on JMX, specifying how you want to handle security and setting the hostname. While it is easy to get it up and running, there are quite a few steps to go through if you want to make it work with authentication and behind a firewall.

My goal with this post is to walk through the basics of getting it running and then modifying the installation to support common configuration needs.

Here are instructions for how to set it up using Ubuntu 11.10:

First lets install Tomcat 7 if you don’t have it.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install tomcat7

Now we need to set the JAVA_OPTS. We will do that by creating a setenv.sh file in /usr/share/tomcat7/bin/ and putting the options in there. setenv.sh gets called before Tomcat starts to set any environmental variables you may want.

export JAVA_OPTS="-Dcom.sun.management.jmxremote=true \
                  -Dcom.sun.management.jmxremote.port=9090 \
                  -Dcom.sun.management.jmxremote.ssl=false \
                  -Dcom.sun.management.jmxremote.authenticate=false \
                  -Djava.rmi.server.hostname=50.112.22.47"

Line 1 enables jmxremote. Line 2 specifies the port. Line 3 says that we don’t need to use ssl. Line 4 says to leave it wide open and not use any type of authentication. Line 5 specifies the ip address of the server where you are running Tomcat. (Don’t use my ip address of 50.112.22.47, substitute your own.) This is left out of many instructions on the web, so it might work in some circumstances without it, but I wasn’t able to connect with VisualVM unless this configuration points to itself.

I believe this has to do with the fact that JMX is going to open another connection on a random port (discussed below). If you don’t tell it what its hostname (or ip) is, JMX doesn’t know how to tell the client how to connect back to that other port.

Now open VisualVM. On OS X you just run:

jvisualvm

Add the connection by clicking on File > Add JMX Connection… and fill out the dialog box as shown (but using the ip address of your server).

Once you add it, you should see the server in the list on the left hand side. Double click on the JMX connection to the server. (The JMX connection has a JMX icon and should show port 9090.)

You should then be able to view the following screens of information showing what is going on inside of Tomcat.

Firewall

One problem people run into in getting this to work is that they open port 9090 (or whatever they have specified) and VisualVM is unable to connect. This is because JMX appears to accept connections port 9090, but then opens at least one other random port and instructs the client to connect to this port as well.

If we run

sudo netstat -ntlp

We should see something like this:

ubuntu@ip-10-252-22-93:~$ sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      494/sshd        
tcp6       0      0 :::8080                 :::*                    LISTEN      2650/java       
tcp6       0      0 :::36851                :::*                    LISTEN      2650/java       
tcp6       0      0 :::22                   :::*                    LISTEN      494/sshd        
tcp6       0      0 :::35543                :::*                    LISTEN      2650/java       
tcp6       0      0 :::9090                 :::*                    LISTEN      2650/java 

Line 4 shows ssh running on port 22. 5 is where Tomcat is serving HTTP. 9 shows the JMX connection. However 6 & 8 appear to be part of the JMX process. If you have firewall that is blocking access to these ports, VisualVM won’t be able to connect. You can’t just add those specific ports because they are random and can change every time Tomcat is restarted. So you have to leave your machine wide open to connect or use the Listener that will be explained a few sections below.

Authentication

Now lets look at how to secure the connection a bit and require a username and password. We can change the settings we put into setenv.sh to tell it to require authentication by changing false to true.

export JAVA_OPTS="-Dcom.sun.management.jmxremote=true \
                  -Dcom.sun.management.jmxremote.port=9090 \
                  -Dcom.sun.management.jmxremote.ssl=false \
                  -Dcom.sun.management.jmxremote.authenticate=true \
                  -Djava.rmi.server.hostname=50.112.22.47"

By default this should look for two files. One is called jmxremote.access and the other is jmxremote.password. It will probably look for the files in /usr/lib/jvm/java-6-openjdk/jre/lib/management/ but this may be different depending on which JDK you have installed and in some cases it will look for the files in the CATALINA_HOME directory.

We need to specify where the files should be found with the following options. Here we specify the files will be in the tomcat7/conf directories. So now our /usr/share/tomcat7/setenv.sh file should look like:

export JAVA_OPTS="-Dcom.sun.management.jmxremote=true \
 -Dcom.sun.management.jmxremote.port=9090 \
 -Dcom.sun.management.jmxremote.ssl=false \
 -Dcom.sun.management.jmxremote.authenticate=true \
 -Djava.rmi.server.hostname=50.112.22.47 \
 -Dcom.sun.management.jmxremote.password.file=/var/lib/tomcat7/conf/jmxremote.password \
 -Dcom.sun.management.jmxremote.access.file=/var/lib/tomcat7/conf/jmxremote.access"

jmxremote.password should look something like:

jmxadmin mysecretpassword

and jmxremote.access should have something like:

jmxadmin readwrite

Our user is jmxadmin, but could be any username. jmxremote.password tells what password is assigned to each user and jmxremote.access tells what access rights each user has. For a user to have access, they need to have an entry in both files.

Now if you try to run this setup, you will probably see something like this error in your catalina.out file:

Error: Password file read access must be restricted: /var/lib/tomcat7/conf/jmxremote.password

To fix this we need to make sure that both files are owned by the tomcat7 user:

sudo chown tomcat7:tomcat7 /var/lib/tomcat7/conf/jmxremote.*

Then we need to make sure that the tomcat7 user is the only user who has read access.

sudo chmod 0600 /var/lib/tomcat7/conf/jmxremote.*

Now you should be able to create a new connection to the server as before, but this time specifying the username and password you wish to use to connect. VisualVM wouldn’t let me just modify an existing JMX connection, so I had to create a new one rather than just adding the username and password to the existing connection.

Controlling the Ports

The only remaining inconvenience is the fact that JMX is going to choose a random port. If you aren’t dealing with a firewall this might not be a big deal, but if you are dealing with a remote server in a data center or in the cloud, it becomes more problematic. We need some way to tell Tomcat to bind the other JMX ports to a specific port number rather than choosing something at random.

We can do this by adding a listener to the /var/lib/tomcat7/conf/server.xml file like this:

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
  rmiRegistryPortPlatform="9090" rmiServerPortPlatform="9091" />

Just put it below the other Listeners in server.xml. Notice the rmiRegistryPortPlatform is the 9090 that we previously specified in setenv.sh. The rmiServerPortPlatform allows us to bind the process to 9091 instead of a random port number.

Note: You can now remove the line that specifies port 9090 in setenv.sh.

In addition to adding the Listener we need to put the jar in /usr/share/tomcat7/lib/. The jar we are looking for is called catalina-jmx-remote.jar.

To locate this jar, first determine what version of Tomcat you are using by running the version script which will give us the output as shown.

ubuntu@ip-10-252-22-93:$ /usr/share/tomcat7/bin/version.sh 
Using CATALINA_BASE:   /usr/share/tomcat7
Using CATALINA_HOME:   /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
Server version: Apache Tomcat/7.0.21
Server built:   Sep 8 2011 01:23:08
Server number:  ...0
OS Name:        Linux
OS Version:     3.0.0-14-virtual
Architecture:   amd64
JVM Version:    1.6.0_23-b23
JVM Vendor:     Sun Microsystems Inc.

In our case we are using Tomcat/7.0.21, so we want to go to http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.21/bin/extras/. You can substitute your own version number in the URL to find the file.

Once the file is in /usr/share/tomcat7/lib/, restart your tomcat server and create a new JMX connection as specified above using VisualVM. You should now have a server that requires authenticated access for JMX and where you don’t have to leave all of the ports open.

There is also a way to tunnel VisualVM over an SSH connection for people who want even stronger security, but we aren’t going to address that in this post.

Other Notes

I have seen cases where VisualVM stops showing the Monitor and Threads tabs. If you delete the connection and add it again, they come back. I’m not sure why, but it is worth trying if you aren’t seeing all the data you expect.

Visual VM allows you to add plugins. They can be found under the Tools > Plugin menu option. They are supposed to download when you select them, but I kept getting a failure when trying to install the Visual GC garbage connection plugin.

I was able to get it to install by switching to JDK 1.6 (from Apple) instead of OpenJDK 1.7 on the client. However, when I tried to use Visual GC it said “Not supported for this JVM”. I wasn’t clear if that meant that the client or the server wasn’t supported, but I think it was complaining because the server is using OpenJDK 1.6 instead of the Oracle JDK.

Simple Made Easy – Rich Hickey

Notes from Rich Hickey’s talk on simplicity at Strangeloop 2011.

The video is now available here.

Word origins:

  • Simple  = sim – plex = one braid
  • Easy = adjacent = lie near
Simple:
  • Simple means having one of something, one braid, one fold, one role, one concept, one task, one dimension.
  • Simple can involve many things, but not having interleaving.
  • Simple is an objective notion.
Easy:
  • Near, at hand.
  • Near to our understanding–being familiar.
  • Near to our capabilities. We don’t like to talk about this because it tramples on our egos.
  • We are far to interested in things being easy. This is to our detriment.
  • Easy is relative (unlike “simple”). Music and German are hard from some and easy for others.
Construct vs Artifact
  • We become to infatuated with things being easy  instead of being simple.
  • Long term use is a better indication of simplicity and helps keep use from focusing on things being easy.

We can only hope to make reliable those things we can understand. There is a limit to how much we can keep in our mind at the same time. Intertwined things have to be considered together and this taxes our brains. Fewer “braids” means less complexity and less complexity means we can hold it in our minds better.

To change software requires analysis and decisions. You must be able to reason about your program to be able to reliably change it.

We say, “I can make a change because I have tests.” Who does that? Who drives their car around banging into the guard rails!?

Easy things make us feel like we are fast.

What type of runner can run full speed from the very start of the race? Thats right. Someone who runs very short distances. But as programmers, we are smarter than that. We just fire the starter pistol again every 100 yards.  I don’t know why runners haven’t figured that out.

Ignoring complexity will slow you down if you aren’t just doing a very small project.
There are many constructs that are easy to use, but are very complex.

Benefits of Simplicity:

  • Ease of understanding
  • Ease of change
  • Easier debugging
  • Flexibility
  • More independence for change.

Making Things Easy:

  • Making it “at hand” by bringing it into our environment–installing it.
  • Become familiar with it by learning it.
  • There is a mental barrier. We can’t really get much smaller.

We are all very limited compared to the complexity we create. The difference between a really smart programmer and an average programmer is minimal–no one can really understand all of the complexity we can create.  A juggler can juggle 3 balls. A really good juggler can juggle 9. No juggler can juggle 90 or 900.

Everyone has seen parenthesis, but they haven’t seen it on THAT SIDE of the method. Thats crazy!

Parenthesis are overloaded in lisp. They do several different things so they are complex. By removing this complexity the ease problem is back in the domain of what we can change.

Everyone is happy to grab benefits of new tools, but no one takes the time to see if there are any trade offs.

  • Complect = braid together.
  • Compose = place together.

We can write modules that are completely complected. What are your modules allowed to “think” about. Just partitioning doesn’t give you simplicity.

Having state is never simple because it complects value and time. It is easy, familiar, at hand, etc. The only way to get rid of state is to put it in a box that gives you a functional interface where you always get the same output with the same input.

Simplicity is a choice. It is your fault if you don’t have a simple system.

BitCoin Talk at Strangeloop

My notes from a talk by Eric Brigham from TruCoin talking about BitCoin.

  • BitCoin is “digital cash” — you can lose it just like you can lose a $100 bill and there isn’t a central source.
  • Digicash (1990 – 1998) focused on security.
  • Paypal (1998 – ) focused on convenience.
  • Both required centralize servers to solve double spending problem.
  • BitCoin solves the double spending problem without needing a centralized server. The transaction log is handled via P2P.
  • BitCoin was created by Satoshi Nakamoto – it is unclear to who he actually is or even if he is a single person.
  • A look at the code reveals that Satoshi is not a professional developer.
  • BitCoin is the worlds first cryptographically secure distributed digital notary service.
  • The number of BitCoins should level off to about 21,000,000 over the next 50 years.
  • BitCoins are created via computational effort so they represent “computer work”.
  • Cheating isn’t prevented, it is just made very expensive.
  • A BitCoin address is a base 58 encoded public key.
  • A transaction is simply a digitally signed message.
  • It is theoretically possible to rewrite the transaction history, but it is very computationally expensive and is getting exponentially more expensive.
  • If two separate people find the next coin at the same time, the chain that wins is the one that gets the next coin found on top of it.
  • Most of the security issues have nothing to do with BitCoin, but they can be stolen in the same way that cash can be stolen.
  • DOS attack are possible, but haven’t been much of an issue.
  • Biggest known attack is if someone possesses >50% of the total network computational power you can double spend coins.
  • It is very difficult to operate anonymously with BitCoin.
  • People are working on a multi-signature transaction that would allow e-wallet type transactions similar to Paypal where a central site would keep part of your signature.