Recent Posts (page 42 / 65)

by Leon Rosenshein

Unintended Consequences

Remember when Slack went down a couple of months ago? That probably got your attention. And appropriately, it got the attention of everyone at Slack too. It turns out that the big outage was a delayed consequence of an earlier outage, and exacerbated by "what you know that just ain't so".

There are a bunch of good lessons in here, but two of the biggest are: monitoring is important, but you need to make sure that it really is monitoring what you think it is; and small bugs in one place can manifest in completely different areas weeks or months later.

by Leon Rosenshein

Target Fixation

I spent way too much time with fighter pilots early in my career and learned a lot about how they think. Yes, they're typically confident (arrogant actually) and maybe a little boastful, but they're also very disciplined, particularly when it comes to their craft. And one of the ways that manifests is their ability to focus on a target while maintaining enough situational awareness to respond to changes in the situation.

For a fighter pilot, failure to maintain situational awareness can manifest in several ways. The most common is when the pilot gets so fixated on the target that they miss the target's wingman getting behind them, or, like Maverick in Top Gun, break the hard deck to get the shot.

The same kind of thing can happen during development or debugging. You have a goal and an approach, and you're smart, so damn it, you're going to make it work. Sometimes, maybe even often, that's a good thing. But not always.

Just because you're sure you know what the problem is and how to fix it doesn't mean you're right. It's a great place to start, and usually you can avoid wasting time by going with it. When a method that was working suddenly seems to be giving you the wrong answers, the problem is probably in that method, so look there. But don't get so fixated that you ignore new information.

Back when I was working with those fighter pilots we didn't have artists to build us fancy models of different aircraft, but we did have basic engineering drawings, so we'd just do the best we could from them. We were doing some F-22 simulations and we kept getting some flickering on the left stabilizer. I was convinced that it was a z-buffer issue. I fought it for days. Isolated it. Added z-bias. Changed draw order. Wound polygons in different directions. Nothing worked. The flickering was still there. It wasn't until I let go of my bias towards z-fighting that I was able to solve the problem.

It turned out that the problem was in the texture. Somehow, and we never did figure out how, there was an alpha mask on the texture and the texture was oversized. Since this was before mip-mapping, the combination of the two caused the texture engine to produce bands of transparency that moved across the stabilizer as the viewing angle changed.

But, because I was fixated on the z depth I didn't look into anything else for a few days. If I had been more open to possibilities I could have found and fixed the problem much sooner. So what assumptions are you making that might need to be re-evaluated?

by Leon Rosenshein

Multi-Mon

I've been dealing with multi-monitor issues for 30+ years now. Back when I was working on flight simulators in the aerospace industry we needed multiple monitors because aircraft had multiple monitors and a HUD, and we needed to drive them all from a single computer. For that, we cheated. We had analog monitors, and by simply ORing into the framebuffer with separate red (left multi-function display), green (right multi-function display), and blue (HUD) images we could drive three monochrome displays. And that doesn't count the multiple computers driving multiple projectors for the outside world displayed on the dome.

After that, in the gaming world it was a little different. We supported, and folks used, multiple graphics cards in a single computer to drive multiple monitors. Here, the primary reason was coverage. If you had more screens you could have a wider field of view without having to distort/compress the image.

And through all of that I would regularly have a monitor dedicated to the visual display and another one for writing code, and that one would usually have 3 or 4 windows open. One or two windows with code, one for compiling/linking, and another for random things.

These days I don't do visual simulation, but I'm still running multi-mon. Why, you ask? Because of screen space. Not pixels, square inches of screen. My phone has more pixels than the 25-inch CRT I used 30 years ago, but it can't show me as much readable text. And that's important, because for the vast majority of what I do, text is how I get my information.

One of the first things I did when we moved to WfH was grab my monitors from the office, because all that screen space makes me more effective. It's more effective because it gives me not just the thing I'm looking at, but the context around it. One of my monitors is in portrait mode and I can see 100+ lines of my terminal. Another monitor has VSCode and its windows, Zoom in one corner, and some Grafana dashboard in another. I can be referring to one file, typing in another, and see what's going on with the rest of the team. And I've still got the screen on my Mac for distractions (mail, web searches, calendar, Reactor Idle, etc.)

My current setup is a 21 inch monitor in portrait mode on the left, a 23 inch monitor in landscape on the right, and centered below them my Mac. The monitors are logically arranged so the mouse flows freely between them where they touch so it's easy to select the things I want. And the best part? Because most of the windows I want to look at are already on a screen somewhere I don't have to go searching for them. The info I want is right there. And that reduces context switch time and cognitive load, which, as I say, is always a good thing.

So what's your setup, and why?

by Leon Rosenshein

Inconsistent Consistencies

ACID is Atomic, Consistent, Isolated, and Durable. CAP is Consistent, Available, and Partition Tolerant.

By definition, both ACID and CAP have consistency. But English is a slippery language, and often, as in this case, the context of a word is important. ACID and CAP use consistency very differently.

ACID consistency means that if a transaction completes then it has fully completed, and that *all* of the rules in place for the DB still hold: unique things are unique, foreign key constraints are met, and so on. It's about invariants across the data.

CAP consistency, on the other hand, is about the copies of a value stored on the various distributed nodes and what logical guarantees you can make about them, namely whether every node hands back the same, most recent value. It also tells you what the system designers expect you to be able to count on. That's a much lower bar than ACID consistency: it's about one value looking the same everywhere, not about relationships between different pieces of data.

That's one reason so many high-throughput systems are key-value stores. It's relatively easy to provide high availability for eventually consistent data in the presence of a network partition, and it's also easy to tell the caller that the value it got may be stale. And if that's all your database promises, that's all it has to do.

And in many cases, that's enough. If you're building an online store, your displayed inventory should be close; if it's not exact that's bad, but not fatal. Consider the airline purchase process. It might be very reasonable to display an approximation of what's available quickly, and to show the same set of empty seats to hundreds of people at once (CAP consistency). On the other hand, when you actually sell the seat, you need to be sure to sell it to only one person (ACID consistency).

So if you ask me which consistency you need, the answer is, it depends. It depends on your particular use case and what's important to you for a specific query/transaction. 
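
The airline case above, as an added example (not code from the original post): an in-memory SQLite seat map where the availability shown to shoppers is a snapshot that may already be stale, while the sale is one conditional UPDATE inside one transaction, so two shoppers who both saw a seat as free cannot both buy it. Seat labels and buyer names are constructed sample data.

```python
import sqlite3

# Added example, not code from the original post. An in-memory airline seat map:
# the availability shown to browsing shoppers is a snapshot that may be stale
# (the CAP-style "close enough" read), while the sale itself is an atomic
# conditional UPDATE whose ACID guarantees make it exactly-once.


def make_db(seats):
    """Create the seat table with every seat unsold. Seat labels are constructed sample data."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; we issue BEGIN/COMMIT ourselves
    conn.execute("CREATE TABLE seats (seat TEXT PRIMARY KEY, buyer TEXT)")
    conn.executemany("INSERT INTO seats (seat, buyer) VALUES (?, NULL)", [(s,) for s in seats])
    return conn


def availability_snapshot(conn):
    """What the search page shows to hundreds of shoppers at once.
    It is a copy taken at one instant; by the time anyone clicks 'buy' it may be stale."""
    return {row[0] for row in conn.execute("SELECT seat FROM seats WHERE buyer IS NULL")}


def sell_seat(conn, seat, buyer):
    """Sell a seat to exactly one buyer.

    The check ("is it still free?") and the write ("it is now yours") are one
    statement inside one transaction, so the database's atomicity and isolation
    guarantee that two buyers who both saw the seat as free cannot both get it.
    Returns True if this call won the seat, False if it was already sold or does not exist.
    """
    conn.execute("BEGIN IMMEDIATE")  # take the write lock up front so concurrent sellers serialize
    try:
        cur = conn.execute(
            "UPDATE seats SET buyer = ? WHERE seat = ? AND buyer IS NULL", (buyer, seat)
        )
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return cur.rowcount == 1


def demo():
    """Two shoppers see the same snapshot; only one gets the seat."""
    conn = make_db(["12A", "12B"])
    shown_to_everyone = availability_snapshot(conn)  # {'12A', '12B'} for alice and bob alike
    alice_won = sell_seat(conn, "12A", "alice")      # True
    bob_won = sell_seat(conn, "12A", "bob")          # False: bob's view was stale
    return shown_to_everyone, alice_won, bob_won, availability_snapshot(conn)


if __name__ == "__main__":
    print(demo())
```

The `WHERE buyer IS NULL` clause is what carries the invariant; a SELECT to check availability followed by an unconditional UPDATE looks equivalent but reintroduces the race, because another seller can commit between the two statements.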

by Leon Rosenshein

Chaos

Distributed systems are hard. And they're hard in lots of ways. One of them is emergent behaviour, or the idea that simple rule changes can have big impacts. Sometimes good, sometimes bad, but often surprising.

Consider the simple Nginx load balancer. Let's say you've got 5 stateless backends behind a single address. By default Nginx does round-robin load balancing, passing the same number of requests to each backend. Great. You'll end up with consistent, even load. Or not. You only get consistent, even load when all of the requests cost about the same. What happens if 20% of your requests take 3x as long to handle? Round-robin balances counts, not work. If those slow requests arrive at a regular interval that happens to line up with the rotation, say every fifth request, then one of your 5 servers gets all of them, becomes overloaded, and falls over. Now you only have 4 servers, which may not be enough to handle the load, so they start failing too, and suddenly you have users at the gate with pitchforks and torches.

But you can't think of everything. So what can you do? That's where chaos engineering comes in. Chaos engineering is the idea that instead of waiting for something weird to happen at oh-dark-thirty, you build systems that cause those weird things to happen while you're awake and watching. Then you notice them, figure out how to mitigate and prevent them, and stop worrying about them happening in the middle of the night.

There are lots of things that your chaos injector can do. It can add latency, remove instances, fuzz data, increase load, eat memory or disk, fail a sensor or otherwise muck with inputs and capacity. And it might do them one at a time, or it might do them in combination, because if you run low on memory you can just swap to disk, unless the disk is also full. Then what? It falls over.

For us it's software, but really it's just another application of failure analysis for systems. In aerospace we had the "iron bird": hook up as many real parts as you can, simulate or work around the rest, add an external environment, then break something and see what happens. More advanced rigs break things with switches and valves, but I've talked to people who have simulated failures of hydraulic systems by taking an axe to a hydraulic line. Kind of messy, but very realistic.

About 10 years ago Netflix popularized the concept in the software world. Things have come a long way since the original chaos monkey turned off a server just to see what would happen. So think about what adding that kind of testing to your systems might show you.

And in case you were wondering, the solution to the Nginx problem we came up with was to change the distribution policy from round-robin to least connections (Nginx's least_conn). It's a little bit harder for Nginx to keep track of, but it does a better job of balancing time spent handling requests instead of balancing the count of requests handled. In our case that made a big difference. YMMV.
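
The round-robin failure described in this post, as an added example (not from the original post and not Nginx code): a time-stepped model of five identical backends where every fifth request costs three units of work and the rest cost one. The only difference between the two runs is the routing rule, and the peak queue depth on backend 0 is the emergent behaviour. Arrival rate, costs and backend count are constructed for illustration.

```python
from collections import deque

# Added example, not from the original post or from Nginx. A time-stepped model
# of five identical backends behind a balancer. ARRIVALS_PER_TICK requests
# arrive each tick; each backend completes one unit of work per tick. Every
# fifth request costs SLOW_COST units, the rest cost one. All numbers are
# constructed for illustration.

BACKENDS = 5
ARRIVALS_PER_TICK = 3
SLOW_EVERY = 5
SLOW_COST = 3


def simulate(policy, ticks=100):
    """Return the peak number of queued requests seen on each backend.

    policy is "round_robin" (assign request k to backend k mod N, what Nginx does
    by default) or "least_conn" (assign to the backend with the fewest requests
    in flight, Nginx's least_conn). Only this routing line differs between runs.
    """
    queues = [deque() for _ in range(BACKENDS)]  # remaining work units per queued request
    peak = [0] * BACKENDS
    k = 0  # global request counter
    for _ in range(ticks):
        for _ in range(ARRIVALS_PER_TICK):
            cost = SLOW_COST if k % SLOW_EVERY == 0 else 1
            if policy == "round_robin":
                target = k % BACKENDS
            elif policy == "least_conn":
                target = min(range(BACKENDS), key=lambda i: (len(queues[i]), i))
            else:
                raise ValueError(f"unknown policy {policy!r}")
            queues[target].append(cost)
            k += 1
        for i, q in enumerate(queues):
            peak[i] = max(peak[i], len(q))
            if q:  # one unit of work per tick, FIFO
                q[0] -= 1
                if q[0] == 0:
                    q.popleft()
    return peak


def compare(ticks=100):
    """Peak queue depth per backend under both policies."""
    return {
        "round_robin": simulate("round_robin", ticks),
        "least_conn": simulate("least_conn", ticks),
    }


if __name__ == "__main__":
    print(compare())
```

With these numbers the slow requests are exactly the ones with k mod 5 == 0, and round-robin sends request k to backend k mod 5, so backend 0 receives every slow request and nothing else: 1.8 units of work per tick against a capacity of 1, and its queue grows without bound while the other four backends never hold more than one request. Least-connections looks at what each backend is already holding, so the slow requests spread out and no queue gets deeper than a handful.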

by Leon Rosenshein

Capabilities

Back in the days of PCs and "PC clones", Flight Simulator was the de facto standard for compatibility. If your clone ran FlightSim it was golden and everything would work. The FS team took compatibility seriously, and we worked really hard to run on as much hardware as possible, both from a sales perspective (the bigger the addressable market, the more sales) and from a brand marketing standpoint.

Being compatible with lots of different hardware got much easier when DirectX rolled out. First was DirectDraw for video cards, then DirectSound for audio and DirectInput for input devices. It became Windows' problem, and as long as the Windows hardware folks did their job it was much easier for us game developers. Now, just because all video cards responded to the same API didn't mean they were all the same. They had different amounts of memory, different processors, and generally speaking, different capabilities. And of course as developers we were supposed to take advantage of all of them AND give the user the ability to turn things on or off if they wanted to trade visual realism for frame rate.

DirectX had a feature that helped us out: the capability bits (caps). You could query the driver and it would return a structure listing the things it could do and the features it supported. Great idea, right? Check what you can do, then only do those things. Simple.

Or not. Every bit of information in that structure was true. The OEM support team made sure of that. But they didn't validate all the possible combinations. On some cards you could have stencil buffers and you could have depth buffers, but you couldn't have both. Maximum texture memory was accurately reported, but only achievable if you didn't use a depth buffer. Double buffering rarely caused any other degradations, but if you wanted to triple buffer then all bets were off.

So what did we do? We built our own compatibility lab and started to document the interactions between the capability bits. And then we used that matrix to define recommended and possible settings for different graphics cards.

So in the words of the old Russian proverb, Trust, but verify. Just because you know something is true in isolation doesn't mean it's true in combination with other things.

by Leon Rosenshein

Vorlons vs. Shadows

It was the dawn of the third age of mankind, ten years after the Earth/Minbari war. The Babylon Project was a dream given form. Its goal: to prevent another war by creating a place where humans and aliens could work out their differences peacefully. It's a port of call, home away from home for diplomats, hustlers, entrepreneurs, and wanderers. Humans and aliens wrapped in two million, five hundred thousand tons of spinning metal, all alone in the night. It can be a dangerous place, but it's our last best hope for peace. This is the story of the last of the Babylon stations. The year is 2258. The name of the place is Babylon 5.

Over 25 years ago JMS gave us Babylon 5. One of the first, if not the first, TV series with a pre-plotted beginning, middle, and end. There were lots of low-budget special effects, extensive use of CGI, cheesy costumes and some really interesting haircuts. There was also some pretty deep introspection.

At its heart, B5 was about a group of races coming of age together and telling the previous generation to get out of the way. In the show the old generation was primarily represented by two races, the Vorlons and the Shadows. The Vorlons framed the world in terms of "Who are you?" A place for everything and everything in its place. The Shadows on the other hand framed things around "What do you want?" If you wanted something then just do it. Do whatever you want and let the chips fall where they may.

The thing is, you can't have a sustainable system with either one of those frameworks. You need both, working in concert, to create a dynamic, evolving system. But what does a 25+ year old space opera have to tell us about software development?

One place where you can see the interdependence of those frameworks is in security. You'll often hear security folks talking about AuthN and AuthZ but what are they and what is the difference? AuthN is authentication, or "Who Are You?". AuthZ is authorization, or "What do you want (to do)?". And it's the interplay of those two things that gets challenging.

Consider the Hadoop ecosystem, HDFS in particular. The HDFS folks did a really good job of separating the two. One setting on the namenode selects authentication (hadoop.security.authentication, simple or kerberos, in core-site.xml), and a separate one enables authorization (dfs.permissions.enabled in hdfs-site.xml). HDFS authorization is modeled after traditional Unix file perms, and HDFS authentication is Kerberos based. What this means in practice is that almost every HDFS cluster you encounter has AuthZ, but no AuthN. And mostly you never know.

Because as long as everyone is honest and never lies about who they are, things work fine. You can only read/write/modify the things your user has access to. It's easy for frameworks and middleware to act on behalf of the user with the authorization of the user. You get a lot of the benefits of security, or at least you think you do. But nothing checks the claim: in simple mode the namenode takes the caller's identity from whatever the client reports (the client's OS user, or the HADOOP_USER_NAME environment variable if it's set), so with a little bit of research you can pretend to be anyone and do anything you want.

The opposite is AuthN without AuthZ. In that case, again, if your users are trustworthy and never make a mistake you're golden. Plus, you get a reliable audit trail. So when someone makes a mistake you know exactly who did it. You just have no way to prevent it, because everyone can do everything.

If you want real security you need both. AuthN and AuthZ. And I'll contend that AuthN is harder and more important. Because if you can't be sure who you're talking to, and the other side can't be sure who they're listening to, it doesn't matter how carefully you've checked to make sure the caller really can do what it wants.
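
The four combinations described above, as an added example (not HDFS code): a toy namenode whose AuthZ is the Unix-style owner/group/other check HDFS models itself on, with two swappable AuthN front ends. The "simple" one trusts whatever username the client claims, as HDFS does in simple mode; the other verifies an HMAC tag that stands in for a Kerberos ticket or delegation token. Users, groups, the path and the shared secret are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not HDFS code. A toy namenode with Unix-style permission bits
# (AuthZ) and two pluggable ways of establishing who the caller is (AuthN).
# Paths, users, groups and the shared secret are constructed for the example.


@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # Unix permission bits, e.g. 0o640


FS = {"/user/alice/salaries.csv": Inode("alice", "finance", 0o640)}
GROUPS = {"alice": {"finance"}, "mallory": set()}


def authorized(user, path, want):
    """AuthZ: the HDFS-style owner/group/other check. `want` is "r" or "w"."""
    ino = FS[path]
    bit = {"r": 4, "w": 2}[want]
    if user == ino.owner:
        perm = (ino.mode >> 6) & 7
    elif ino.group in GROUPS.get(user, set()):
        perm = (ino.mode >> 3) & 7
    else:
        perm = ino.mode & 7
    return bool(perm & bit)


# AuthN option 1: "simple" mode. The identity is whatever the client asserts.
# (HDFS with hadoop.security.authentication=simple takes it from the client's
# OS user or the HADOOP_USER_NAME environment variable.)
def identity_simple(request):
    return request["claimed_user"]


# AuthN option 2: a credential the server can verify. The HMAC tag is a toy
# stand-in for a Kerberos ticket or delegation token; the point is only that a
# client cannot mint one for a user it is not, because it lacks SECRET.
SECRET = b"constructed-secret-shared-by-auth-service-and-namenode"  # assumption for the example


def issue_token(user):
    """What the authentication service hands a client that has proven who it is."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user, tag


def identity_token(request):
    user, tag = request["token"]
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("authentication failed")
    return user


def handle(request, authn, path, want):
    """The namenode's request path: establish identity, then check permission.
    Returns True if the operation would be allowed."""
    try:
        user = authn(request)
    except PermissionError:
        return False
    return authorized(user, path, want)


def demo():
    path = "/user/alice/salaries.csv"
    return {
        "simple, mallory as herself": handle({"claimed_user": "mallory"}, identity_simple, path, "r"),
        "simple, mallory claims alice": handle({"claimed_user": "alice"}, identity_simple, path, "r"),
        "token, alice": handle({"token": issue_token("alice")}, identity_token, path, "r"),
        "token, mallory forges alice": handle({"token": ("alice", "00" * 32)}, identity_token, path, "r"),
        "token, mallory as herself": handle({"token": issue_token("mallory")}, identity_token, path, "r"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The interesting row is "simple, mallory claims alice": the permission check runs and passes, because every input to it is correct except the one nobody verified. With the verified credential the same request is denied at the AuthN step, and mallory presenting her own valid token is still denied at the AuthZ step, which is the "both, working in concert" the post argues for.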

by Leon Rosenshein

POC vs MVP

So what's the difference between a POC and an MVP? Let's start with definitions. POC is proof of concept, while MVP is minimum viable product. A POC is something you show your boss or PM to demonstrate that something is possible, while an MVP is something the business team thinks should be put in front of customers.

A POC could be lots of things. It could be a technology demonstrator. It could be re-running a log with a new model, or it could be doing A/B testing with FLAGR. The important thing to remember is that the goal of a POC is to prove that something works, or at least has the potential to.

An MVP, on the other hand, is a product. It's fully supported. It has monitoring and alerting. It has a deployment process, a scale up/out plan, on-call support, and an SLO/SLA.

The trick is to keep them separate. There's always a push to turn a POC into an MVP. After all, you got something that works, how hard can it be to give it to customers? It turns out that it can be very hard, but there are things you can do to make it easier.

The first thing is to make your POC less. The less it looks like an MVP, the less pressure you'll get to release it. CLIs are great ways to drive a POC and make it clear that it's not a product.

The other thing to do is think about what you really need to do to turn your POC into a product. You shouldn't do those things as part of the POC, but think about them and have an idea of how to do them. What kinds of metrics do you want to monitor and alert on? What will need to change for scale? What tests/gates would the CI/CD pipeline need?

Even if you don't get a lot of pressure to turn your POC into an MVP, having a plan will help you move faster and add more business value.

by Leon Rosenshein

Under Construction


A couple of months ago I talked about the builder pattern for object instantiation. Another option is the factory pattern. It certainly has its place. Factories let you isolate the logic and flow of construction from both your code and the thing being constructed. Factories can also give you a kind of dependency injection, which can make testing easier.

The ability to isolate and extend leads me to an article I ran across a couple of weeks ago. In the article the author talks about a Score class that initially can be Low, Medium, or High, and takes an int as the parameter to the constructor. As the author notes, there are oh so many problems with that. What's the high score? What if you try an invalid number? How do you know what number to use? So the author suggests a factory with three methods, CreateHighScore, CreateMediumScore, and CreateLowScore. That certainly solves the "What number should I pass?" problem, but that's about it.

The extensible option adds an enum to the factory and then uses that to create a Score with the right value. Better, but still, WAT? There's got to be a better way.

What I would have done is skipped the factory, and switched the Score class from using an int to use an enum. Then there's never any question about what value to use. You just use the enum with the name you want. Of course, over time more and more enums get added and pretty soon you end up with Low, Medium, High, MediumHigh, VeryHigh, ExtremelyHigh, Highest, and everyone's favorite, EvenHigher.

Of course, that brings up its own set of issues. What's higher, VeryHigh or ExtremelyHigh? How do you deal with that? By making Score comparable (or the equivalent in your language of choice) you can then find the highest of a set or sort by Score as needed.

Doing it that way brings intent to the foreground and reduces cognitive load, which, as I've said before, is always a good thing.
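
The enum-backed, comparable Score described above, as an added example (not the linked article's code and not a Python port of it): the constructor takes a level, not an int, so "what number do I pass?" can't come up, the ordering lives in exactly one place, and callers sort or pick the highest without peeking at any value. The level names beyond Low/Medium/High are the made-up ones the post jokes about.

```python
from enum import Enum
from functools import total_ordering

# Added example, not the article's code. The Score class from the discussion
# above, taking an enum instead of a magic int and made comparable so callers
# can sort and pick the highest without knowing any numbers.


class Level(Enum):
    LOW = 10
    MEDIUM = 20
    HIGH = 30
    VERY_HIGH = 40
    EXTREMELY_HIGH = 50  # the ordering lives in one place: here


@total_ordering
class Score:
    __slots__ = ("level",)

    def __init__(self, level):
        # No int constructor: Score(42) is not a question anyone can answer.
        if not isinstance(level, Level):
            raise TypeError(f"Score takes a Level, not {type(level).__name__}")
        self.level = level

    def __eq__(self, other):
        return isinstance(other, Score) and self.level is other.level

    def __lt__(self, other):
        if not isinstance(other, Score):
            return NotImplemented
        return self.level.value < other.level.value

    def __hash__(self):
        return hash(self.level)

    def __repr__(self):
        return f"Score({self.level.name})"


def is_valid_level(name):
    """True if `name` (e.g. "very high", "Very-High") names a known Level."""
    return _normalize(name) in Level.__members__


def parse_score(name):
    """Turn user or config input into a Score, rejecting unknown names loudly
    instead of silently accepting some number."""
    key = _normalize(name)
    if key not in Level.__members__:
        raise ValueError(f"unknown score level {name!r}")
    return Score(Level[key])


def highest(scores):
    """Pick the top score; comparison, not number-peeking, decides."""
    return max(scores)


def _normalize(name):
    return name.strip().upper().replace(" ", "_").replace("-", "_")


if __name__ == "__main__":
    print(sorted(parse_score(n) for n in ["high", "low", "extremely high", "medium"]))
```

When a new level is added it goes into `Level` with a value that places it in the order, and every comparison, sort and `highest()` call picks it up without changing; the ints are an implementation detail nobody outside the enum sees.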

https://uberatg.slack.com/archives/CLVTB4W20/p1586442600018500

https://t.co/jaESC9MurT?amp=1

by Leon Rosenshein

One Step At A Time

You've probably heard of The Phoenix Project. Considered as a novel it's boringly one-dimensional to almost OK. Considered as allegory though, it's got a lot going for it. Archetypes, broad statements, and simply worded lessons.

One of the simplest of those lessons is Kaizen, or continuous improvement: the idea that the most efficient thing you can do is the thing that makes your daily work more efficient. That's kind of circular, and deserves to be unpacked. At its core Kaizen takes the long view. Do the right thing now to make things work better in the future. The challenge is how to balance the present and the future.

As an infrastructure team we could take all the lessons we've learned over the years and interactions and do a green-field build of the perfect system for our needs. Toil away in the back room for a couple of years and then emerge with a fully functional system that scales to meet all of today's current and expected needs. The big bang approach. You can probably guess what the result of that would be. By the time it was released the world would have changed enough that it didn't meet the actual needs and we'd spend more time trying to get it right. At best we'd eventually get there. And over the preceding 2+ years would have delivered no value.

Or, kaizen. Make it better every day. Work towards the end goal of a system that does exactly what we need the way we want it. Take feedback along the way, adjusting the goal to meet customer needs. And add a little value every week or so. And it doesn't have to be a big thing. Even the smallest step along the way will help. Automate something. Make it easier to mark a task as done. 

Unlike technical debt, where compound interest hurts, value added early compounds in your favor over time, and ends up making a big difference. So take that small step when you see it.