Upload
ron-perlmuter
View
576
Download
2
Embed Size (px)
Citation preview
Node.js - concurrency, microservices, docker
Dreaming on a job at Palo Alto? Get a real one in Palo Alto Networks
Palo Alto Networks TLV is hiring experienced Node.js developers!
Send your CV to: [email protected]
&
Yaron Biton Oleg Verhovsky Amir Jerbi
Yaron Biton, CTOmisterBIT.co.il
… and then there was Javascripteverywhere …
Concurrency
My Technology Journey
1986Commodore 64
Basic
1995
JCL, PL/I
1998PC
Main Frame C++ & Java
2003Apps Servers
JEE Architect
2007Open Source
PHP
2009Everywhere Javascript
What do I do?
Focused onJavascript Everywhere
12 weeks bootcamp that qualifies Full-stack Javascript developers.
• Professional developers training• High End Consulting• Outsourcing
Its Javascript all the wayJavascript is becomingan end to end choice for companies
ebay: Why we chose node.js? (for a project)
• excellent support for async I/O• Low per-connection memory overhead
– “We were able to tune a regular developer-quality Ubuntu workstation to handle more than 120,000 active connections per node.js process, with each connection consuming about 2k memory”
• The full story: http://www.ebaytechblog.com/2011/11/30/announcing-ql-io/
Linkedin: Why we switched from Ruby to node.js?
• Node is optimized for JSON, which was what our backend wasgiving us,as well as what our front end was looking to consume.
• In our use cases, Node was roughly 20 times faster• Memory footprint is also a factor. We looked at how well VMs
(virtual machines) worked in several languages, and the V8 JavaScript Engine just blew everything else away.
• The extent of code reduction proved to be huge — from 60,000 lines down to 2000.
• Node is getting a lot of hype, that made it easier for me torecruit.
Need for Speed: Groupon Migrated to Node.js
“We’re able to serve much higher traffic,” McCullough said. Before the change to Node, a Starbucks deal was so popular that it brought the site down. “The next time, that didn’t happen,” McCullough said. On top of that, he said, pages now take less time to load for end users.http://www.datacenterknowledge.com/archives/2013/12/06/need-speed-groupon-migrated-node-js/
Node.js• Node.js is an open source platform built on Chrome's
JavaScript runtime (V8) for easily building fast, scalable network applications.
• Node.js uses an event-driven, non-blocking I/Omodel that makes it lightweight and efficient,
• Suitable for data-intensive real-time applications thatrun across distributed devices.
Node.js
A Simple Node Server• In this basic web server example, many client connections can
be handled concurrently.• Node (libuv C module) tells the operating system
that it should be notified when a new connection is made.• When someone connects, then it executes the callback - Each
connection is only a small heap allocation.
var http = require('http');http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/plain'}); res.end('Hello misterBIT\n');
}).listen(1337, "127.0.0.1");console.log('Server running at http://127.0.0.1:1337/');
Node.js Efficiency• Single threaded - nodejs only uses one thread.
• Most APIs are asynchronous by nature,(i.e. do not perform direct I/O, so the process never blocks.
• Node enjoys memory efficiency under high-load– Most systems allocate at least 2mb per thread– You cant dead-lock the process — there are no locks.
Node.js Efficiencyno server has the non- blocking ecosystem of Node.js today.
Over 50k modules all written in the async style, ready to use
A Deeper look into Node.js Efficiency
• Actual threads are contained at low level– and thus remain constrained in size and number,– and the thread synchronization is thus simplified
• OS-level "switching" via select() is faster thanthread context swaps(read about the C10K problem here)
• Threads are really hard. Developers are likely to:– break due to bugs– not use them as efficiently as possible
The Reactor PatternThe application expresses the interest to access a resource at one point in time (without blocking) and provides a handler, which will later be invoked when the operation completes.
A Node.js application exits when there are no more pending operations in the Event Demultiplexer, and no more events to be processed inside the Event Queue
Libuv - The non-blocking I/O engine of Node.js
• Each operating system has its own interfacefor the Event Demultiplexer:– epoll on Linux, kqueue on Mac OS X, and I/O
Completion Port API (IOCP) on Windows.• So In Node.js, libuv (a C library), is in
charge ofnormalizing the non-blocking behavior.
Shared-state concurrency is difficult
incorrect synchronization, deadlocks, inconsistent behavior, lost updates or dirty reads, are all there like an accident waiting to happen.
Lets put some dead code corps on the table:• Race Conditions• None Atomic operations (writing to long!)• Volatiles• Write Buffers• Padding• ConcurrentCollections, CopyOnWrite,
What About CPU Bound Apps?
What About CPU Bound Apps?
• If you naively do heavy computation in Node, you suddenlybecome a very uncooperative single-tasker.(i.e. – applying a filter on photo, find primes, etc)
• But there are ways!
• You can sometimes break calculations with setImmediatei.e. creating a none-blocking-forEach
• We can use the Cluster module and break the server into micro services
• Sometimes, we can spawn some of the calculations to be handled on the client side with Web Workers!
Summary
Slides and Demos: http://bit.ly/misterbit-electron
Node.js Single Threaded modelmakes our life easier and safer!
Slides and Demos: http://bit.ly/misterbit-electron
Node.js is Great Javascript is Great,And Angular2 is coming.http://angularworkshop.co.il/
Questions?
misterBIT.co.il
Keep on diving
misterBIT.co.il
Micro Services OverviewDec 2015
About CodefreshA Docker platform for development teams w automated Docker Flow (Workflow for Docker images).Build, Run & Test Docker based applications
Is “Micro Services Architecture” a really new concept
Back to “SOA” day :• Abstract Service Definition • Agnostic to technological stack• Decoupled and isolated
Containerization technologies (Docker) provides standard way to build and deploy services based solutions
So what is Micro Service?Logically / Business wise independent Unit
Deployable
Scalable
Micro Services + Docker , in right place at right time
Standard creation of deployable units
Ability to deploy images on different environments.
Easy scale of distributed application
Growing tool chain helps to orchestrate containers (SWARM , Kubernetes , Mesos)
From Monolithic App to Micro Services
And now back to reality
Desirable flow
In reality it might look like
From Monolith to Micro Service
Definition of services
Discovery pattern
Testing Practices
Release lifecycle
Deployment strategy
Auth API
Worker
Auth
API
Worker
Worker
Worker
Example of migration
WebUI
CommandLine
API
Team Management
Workflow Manager
Entity Manager
Monitoring
Routing
Template Manager
Integrations (Jira,etc)
Builder
Builder
Runner
Runner
Runner
Build
Mongo Redis
Hosted in Codefresh
Run
WebHook
LocalRegistry
DockerHubRegistry
Lessons learnedArchitecture should evolve over time based on use case and customer feedback. It will include adding new micro services from one side and rearranging existing one.
Testing - Make sure that every service testes through unit and API tests.
Development environment - Stable development environment that will enable to focus on developing specific service without need to setup all system locally
Release process should be adopted and continuously improved.
Continues deployment with an ability to push every micro service in independent way
Monitoring and logging of both single micro services and consolidate log
Release life cycle monolithic vs microservices
Push1 Push2
V1.0 V1.1 V1.2
Push2
Service 1 V1.0 V1.2 V1.3
Service 2 No change V1.0 No change
Service 3 No change No change V1.0
Development Environment for Micro service based architecture
Docker Compose
Vagrant
OttO
AZY other
@codefresh
additional resources Codefresh blog blog.codefresh.io
Containers #101http://www.meetup.com/Containers-101-online-meetup/
Get your own accountwww.codefresh.io
Thank You
4 Steps for Developing a Secured Containerized NodeJS ApplicationAmir Jerbi | CTO @ Scalock | @jerbia
Building a Secured Containerized NodeJS App
1. Secure Coding2. Containerized!3. Monitor Changes4. Update Packages
42
1.Secure Coding
43
Know Your HTTP Headers
Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
HTTP Headers Why? Example
Strict-Transport-Security Make sure channel is encrypted. Always.
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Frame-Options Hidden iframes can be used for clickjacking attacks
X-Frame-Options: deny
X-XSS-Protection Browser based XSS protection
X-XSS-Protection: 1; mode=block
X-Content-Type-Options Prevent mime type sniffing X-Content-Type-Options: nosniff
44
Secure & Verify Data Received from User● Sanitize inputs:
○ SQL Injections○ Form field sanitation○ URL query string sanitation
● Sign or Encrypt Sensitive Cookie data● CSRF
References:https://www.npmjs.com/package/csrfhttps://www.npmjs.com/package/sanitize-htmlhttps://www.npmjs.com/package/cookie-encryption
45
Authentication● Complex passwords● Authenticate your REST API - JSON Web Tokens● Brute force protection - rate limit authentications
References:http://passportjs.org/https://github.com/jhurliman/node-rate-limiterhttps://www.npmjs.com/package/owasp-password-strength-test
46
Remove Secrets from Your Code!What are Secrets?● Hard-coded username and passwords● Encryption keys● Access Keys (AWS, Google)
Where to Store them?● Fetch from Secured location● Keep in memory, git rid when not needed● Encrypt
Reference:https://security.web.cern.ch/security/recommendations/en/password_alternatives.shtml
https://square.github.io/keywhiz/https://github.com/hashicorp/vault
47
2. Containerize!
48
What are Software Containers?Server Virtualization method that is:● Lightweight, has a small
footprint● Allows running multiple
isolated processes on a shared kernel (OS)
● Little to no overhead
49
Popular Container Engines
50
How Easy it is? Very.
● Ready made NodeJS packages from https://dockerhub.com● No need to install or configure - simply run it...
51
Build - Deploy - Run ● Create a Dockerfile to
automate build of your application.
● Easily run as daemon using “docker run -d” command.
52
Security Benefits of Containers● Better control on dependencies: ship your code with its packages● Compromised applications are still contained within container
boundaries● Built-in mechanisms to identify changes in container ● Better control on your deployment environment
53
3. Monitor Changes
54
Did Someone Change My Container?
● Use “docker diff” to see changes made in a running container.○ C - modified○ A - new○ D - deleted
55
4. Update Packages
56
Common Vulnerabilities and Exposures (CVEs)● Almost every software package has security issues.● The older the package is - the chances it has more issues.● Node nsp can be used to find vulnerable npm packages.
References:https://web.nvd.nist.gov/view/vuln/searchhttps://nodesecurity.io/tools
57
Peekr - Check Image Vulnerabilities
References:https://peekr.scalock.com 58
Putting it All Together
59
Summary● Containers are not the cure for everything.
Good programming is still the basis for good security.Take a look at OWASP top 10 vulnerabilities:https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
● CVEs are serious problem. Make sure you have a process to manage them.
● Containers adds to your visibility and control - better manage what’s being deployed.
● If you’ve been hacked then at least compromised code is running inside a container.
60
Questions?
Node.js - concurrency, microservices, docker
Dreaming on a job at Palo Alto? Get a real one in Palo Alto Networks
Palo Alto Networks TLV is hiring experienced Node.js developers!
Send your CV to: [email protected]
&
Yaron Biton Oleg Verhovsky Amir Jerbi