One project every month

I constantly have ideas of software I want to build, skills I want to learn, sites I want to create. I’ve been writing these ideas into Evernote since 2009. The problem is I often start working on an idea but give up a week or two later when something else comes along. Life is too short for that, so now I’m going to get focused.

A few months ago I started organizing all these ideas on a Trello board to figure out how I want to spend the next 5 years of my life.

I had 125 ideas in total, which I’ve whittled down to my 10 favourite. This year I’ll be spending 1-2 months building a prototype or learning the basics of each. Then at the end of the year I should know what I want to spend a few years focusing 100% of my energy on.

My top 10 ideas for 2017 are:

Paper Towers

This is the open source version of Tower Storm. My original vision for Tower Storm is a Tower Defense game with as much depth as DOTA. Unfortunately this scope is far too huge for an indie company. However it has one major strength: It’s a web game that doesn’t require compiling and is configured through JSON scripts. So if I open source it others can build their own TD games using this engine / framework. They can make maps, minions, towers, game modes and more and share them around and help each other, and it can turn into something much bigger and more fun than I could produce by myself. I’d love to see what the community creates once this is released.

Learn Spanish

I’m currently at a level where I can hold a basic conversation. I want to get to a level where I can start thinking in Spanish and be able to hold ongoing conversation consisting of more than introductions and small talk.

Krav Maga

This is mostly about self defense, and hopefully it’ll be a lot of fun too. My first lesson is this Monday.

Study Time

Think Popcorn Time for MOOC’s. Software where you can learn anything you desire and it’s completely peer to peer and streamed via torrents. This way knowledge and lessons can live on forever even when MOOC sites take down their courses or shut down.

Learn the Cello

I’ve learnt the Clarinet and Tenor Sax, but have yet to figure out a stringed instrument. I love the sound of a Cello and my goal is to play the Rains Of Castamere.

Educational Honesty

I’ve been reading Amusing ourselves to death, it was written in 1985 and is absolutely on point with how woefully unintelligent public discourse has become on topics that we should be taking seriously. I want to build a site focused on educating, not influencing. A place where intelligent debate is praised, and all opinions are considered. Twitter, Meme’s and the comment sections on most websites are what I consider “Information junk food”. We had a crisis with actual Junk food in the 70’s, 80’s and 90’s, but if you look around recently you’ll notice these trends are reversing, people are now eating healthier and taking better care of their bodies. We must now do the same with our brains. I believe with good information we can do just that and live healthier mental lives, just like how we fought back against real junk food.

Reverse giving charity

It’s well known in psychology that if you get given a gift you feel more obliged to give back in return, this is why food samples and waiters giving mints at the end of a meal work so well. I’d like to try a charity built around this idea. Imagine giving people free coffee from countries in Africa or South America, and included with that is information about the country it came from, the issues it faces, and how you can help fix those issues, via donations or spreading the word. I think you’d have much more success garnering support in this way than the usual begging on the street, and so want to try it out. I may join an existing charity or start my own (depending on difficulty).

Build a Farmbot

The Farmbot is one of the coolest pieces of technology I’ve ever seen in my life, and it’s completely open source! I’d like to try building one of these from scratch and helping refine their wiki with information on where to source parts and fixing bugs and issues with the documentation or software. Imagine if we could get Farmbot cheap enough and reliable enough that anyone can homestead and get the basic food they need to live completely free.

Web Basic

I recently read an article on how q-basic is still the best beginners programming language, and I have to agree. Q-Basic was the language I started with when I was 11 and it makes far more sense to non-coders than most other languages. But installing q-basic, compiling, and sharing programs is not so beginner friendly. So why not bring Q-Basic to the web. Imagine if you could create a new Cloud9 project and just start coding in Q-Basic, hit run, and the program is compiled to Javascript and rendered using Canvas. Kids could start learning and coding in seconds and send their projects to friends minutes later (just send them the preview link!). This social feedback loop could bring so much joy to kids and lowering that barrier to entry could entice many new kids to learn coding that had never considered it before.

Mass Reforestation

We’ve had mass deforestation for 100 years now and the effects have been devastating. Now we need to reverse this process, but how? With drones of course! Imagine if we could create a drone that surveys a piece of land, uses AI to figures out the perfect combination and density of trees and fauna to re-invigorate that land, and then goes ahead and does it all by itself. The technology is available now, we just need someone to compile the knowledge build the software. The mass reforestation site will share ideas and technology on the latest efforts to reforest the world so that everyone can take part. Eventually with enough people and drones out there we’ll be able to accomplish mass reforestation.

What about the other 115 ideas?

I still really want to see them happen, I’m just not particularly excited about doing them myself. So I’m going to share them here on this blog, please steal them as I post them and help make the world a better place 🙂

 

Back to WordPress

I gave Ghost a good shot. And I do love it as a blogging platform, the markdown and writing experience is beautiful. But I’ve switched this site back to WordPress because I want it to be more than just a blog. I’ve been inspired by Derek Sivers’s site and want to make this a platform for many different videos, reviews, and projects I’m working on. If you notice anything broken please let me know.

I’ve also installed the Jetpack Markdown plugin because writing in markdown is so much nicer and cleaner than the default wordpress editing experience (or maybe I’ve just become used to it, coding and submitting PR’s on Github for the last 2 years).

I did like that Ghost was written in NodeJS, which I love far more than PHP, but in the end I did very little actual core hacking so that really didn’t matter.

 

Get docker container start time in unix timestamp (seconds)

You can use the following command to get the start time of a docker container in a unix timestamp (seconds since 1970).

docker inspect --format='{{.State.StartedAt}}' <CONTAINERID> | xargs date +%s -d

Just replace <CONTAINERID> with the actual container id.

Or you can use this to get the start time of all your containers:

docker ps -q | xargs docker inspect --format='{{.State.StartedAt}}' | xargs -n1 date +%s -d
 

How to stop Datadog alert recoveries going to Pagerduty

At Cloud9 we use Datadog for all our server monitoring and Pagerduty for alerts when things break. To do this we use the standard Datadog + Pagerduty integration and make Pagerduty automatically trigger for critical incidents by adding @pagerduty into the “Say what’s happening” field in the Datadog monitor.

Unfortunately datadog triggers the monitor both when it starts and when it has recovered. Because we had @pagerduty in the “Say what’s happening” area this meant we got a pagerduty call both times.

You can fix this by wrapping the @pagerduty trigger with {{#is_alert}}{{/is_alert}}. So your monitor should look something like:

Docker is having trouble creating containers. Please investigate @slack-datadog @slack-warnings {{#is_alert}}@pagerduty{{/is_alert}}

You can also use {{#is_warning}}@pagerduty{{/is_warning}} for warnings (where the monitor has gone over the warning threshold but not the alert threshold).

Then you can go back to bed safe in the knowledge your server isn’t going to wake you up to tell you “Everything is good, nothing is broken”.

 

How to get docker ps data in JSON format

If you want to get the output of docker ps in JSON format the easiest way is to run the remote docker API and use that, you can read about how to do that here

However if you can’t run the remote API because of security issues or for other reasons there is another way! With curl version 7.40 (If this isn’t available on your distro click here) and newer you can get data from the local unix socket, and docker always runs the remote api on docker.sock.

Here’s what you have to run:

curl --unix-socket /var/run/docker.sock http:/containers/json

Tada! Nice JSON Formatted docker ps output. I recommend using the jq library if you want an easy way to parse it in bash.

 

Linux Traffic control hfsc what is [default $CLASSID]

While learning our traffic control setup at Cloud9 I came across this line:

tc qdisc add dev $IFACE root handle 1: hfsc default 12

Most of it is explained by these great in depth guides to tc and hfsc traffic shaping:

http://linux-tc-notes.sourceforge.net/tc/doc/sch_hfsc.txt
http://linux-ip.net/articles/hfsc.en/

And the man page at:

http://manpages.ubuntu.com/manpages/trusty/man8/tc-hfsc.8.html

The only thing I couldn’t figure out was what default 12 means. I originally thought it was some inbuilt default policy that comes included with tc. But it actually refers to the class that you’ve defined that it should fall back to using when nothing else matches.

So in our case we had the following other classes defined:

tc class add dev $IFACE parent 1:1 classid 1:10 hfsc rt m1 $HALF_MAXUP d 10ms m2 $MAX_UPRATE
tc class add dev $IFACE parent 1:1 classid 1:11 hfsc ls m2 $HALF_MAXUP ul m2 $MAX_UPRATE
tc class add dev $IFACE parent 1:1 classid 1:12 hfsc ls m2 $LOW_MAXUP ul m2 $LOW_MAXUP
tc class add dev $IFACE parent 1:1 classid 1:13 hfsc ls m2 $VERY_LOW_MAXUP ul m2 $VERY_LOW_MAXUP

$IFACE is the interface we’re running the rules on and the rates such as $HALF_MAXUP are network speeds in kbps that we’ve set and are still experimenting with.

Below this we then had a bunch of rules that prioritize different traffic types which look like below:

# prioritize SSH
$TC filter add dev $IFACE protocol ip parent 1: prio 1 u32 match ip sport 22 0xffff flowid 1:10
$TC filter add dev $IFACE protocol ip parent 1: prio 1 u32 match ip dport 22 0xffff flowid 1:10

# prioritize DNS
$TC filter add dev $IFACE protocol ip parent 1: prio 2 u32 match ip sport 53 0xffff match ip protocol 0x6 0xff flowid 1:10
$TC filter add dev $IFACE protocol ip parent 1: prio 2 u32 match ip dport 53 0xffff match ip protocol 0x6 0xff flowid 1:10

# prioritize application traffic
$TC filter add dev $IFACE protocol ip parent 1: prio 3 u32 match ip sport 8080 0xffff flowid 1:11
$TC filter add dev $IFACE protocol ip parent 1: prio 3 u32 match ip sport 8081 0xffff flowid 1:11
$TC filter add dev $IFACE protocol ip parent 1: prio 3 u32 match ip sport 8082 0xffff flowid 1:11

# Make UDP and ICMP really slow, they are rarely used for legitimate purposes
$TC filter add dev $IFACE protocol ip parent 1: prio 4 u32 match ip protocol 17 0xff flowid 1:13
$TC filter add dev $IFACE protocol ip parent 1: prio 4 u32 match ip protocol 1 0xff flowid 1:13

These rules ensure our users are able to ssh, resolve sites and host their applications at full speed, while throttling those who may be attempting to use Cloud9 for nefarious reasons. We also have other blocking rules not included here for security reasons.

So all outbound traffic that doesn’t match these rules is subject to the rules of class 1:12 which gives users $LOW_MAXUP bandwidth with a $LOW_MAXUP burst speed for uploads. That’s what the default 12 at the end means.

Let me know if you have any questions about this or suggestions on how to improve our traffic shaping. I’m no expert on this and didn’t write most of these rules, but just sharing what I’ve learnt to help others having the same confusions.

 

Using Express 4 routes to secure your web app

Today I had the fun task of taking Cloud9’s build bot and making it more secure. Primarily because it’s now exposed to the outside world and we don’t want random strangers having the ability to ship or revert our code.

Our bot responds to slash commands on Slack, so we can type /ship [appname] at any time in any channel in slack and the latest tested code will be pushed to production. It also recieves notifications from Jenkins when jobs have started, succeeded or failed.

Securing Slack

The first step was ensuring all Slack commands were actually coming from Slack. Whenever you create a new slash command Slack tells you it will send a specific token with all api calls, and you should use this to verify the call is from Slack.

Now there are multiple routes we wanted our bot to talk to and multiple slash commands to reach them, each with their own tokens. But we don’t want to add if (token == ‘xyz’) to every single route. Firstly because it’s messy, and secondly because then whenever a new developer joins the project they have to remember to do that or they’ll compromise security. So how do we do it? By creating a /slack route that verifies every token for us.

var express = require("express");
var config = require("config);

function verifyToken(req, res, next) {
if (!req.body.token || config.get("slack.tokens").indexOf(req.body.token) === -1) {
return next(new Error("Invalid slack token" + req.body.token));
}
next();
}

var slackRouter = new express.Router();
slackRouter.use(verifyToken);

slackRouter.post("/highfive", highFive.handleRequest.bind(highFive));
slackRouter.post("/ship", ship.startShipping.bind(ship));

app.use("/slack", slackRouter);

We have an array of possible slack tokens stored in our config file and whenever we add or remove commands we can simply add the token to that one list.

Now our routes are /slack/ship and /slack/highfive and whenever anyone sends data to them it will always validate that they have a valid slack token. No more manual verification in each route or having new developers forget to add security to their route, it’s all automatic.

Securing Jenkins

Our bot also listens to build hooks from Jenkins so that it can post to our Slack channel letting us know about the stats of various jobs.

We can secure Jenkins in the same way, but because it doesn’t pass any custom data in these job notifications we’ll secure it based on the requester IP address.

var requestIp = require("request-ip");

function verifyIPIsJenkins(req, res, next) {
var reqIp = requestIp.getClientIp(req);
if (!reqIp || config.get("jenkins.ips").indexOf(reqIp) === -1) {
return next(new Error("Jenkins push request came from " + reqIp + " which isn't a known address"));
}

return next();
};

var jenkinsRouter = new express.Router();
jenkinsRouter.use(verifyIPIsJenkins);

jenkinsRouter.post("/success", jenkins.buildSuccess.bind(jenkins));
jenkinsRouter.post("/failed", jenkins.buildFailed.bind(jenkins));

app.use("/jenkins", jenkinsRouter);

Now just like above we have 2 routes at /jenkins/success and /jenkins/failed and whenever anyone tries to access them it automatically verifies they are our CI server. If they are not the request will fail.

The reason I enjoy using these routes is they keep the code neat and also ensure that when someone comes to work on this project in the future they can easily add another route and won’t accidently allow hackers in the back door. Keeping things simple and automatic so any developer can pick up this code and run with it is my style of programming.

 

Above the fold is stupid

A short post for those in Internet Marketing who still believe the “Put everything above the fold because people don’t usually scroll down” myth. Unfortunately whoever originally said this didn’t quite think the data through and it has been repeated ad-nausium by Internet Marketers ever since.

Here’s why you shouldn’t worry about putting your stuff above the fold and it may even be counterproductive to jam it all up there:

  1. Most people aren’t interested in what you’re selling. Especially if your traffic isn’t pre-sold or coming from relevant locations. Not all traffic is equal and I really wish people would stop a/b testing like it is.
  2. 60% of people don’t scroll down because they don’t like what you have to sell, not because they don’t know how to scroll.
  3. Putting your signup form above the fold is counterproductive. Just because people don’t scroll dosn’t mean they’re going to be like “Oh wow a signup form, I better add my details”.
  4. If you had better content or marketing in place of that signup form you’ll probably (test this!) get better results as you hook people in and get them to register later.

The core thing you should be putting above the fold is content that sucks your visitors in, something that within 5 seconds makes them think “Hey this is a problem I have and they may have the solution”.

Here are things that should not be above the fold:

  1. Videos that start slowly (boring)
  2. Signup forms (seriously the only person who would sign up without reading is your Mum, or heavily presold visitors, in which case it doesn’t matter where your signup form is).
  3. Pictures that mean nothing to fresh visitors (your logo, stock photography, banners etc).
  4. Links (If you want your visitors to do something don’t overload them with options).

Now go build a landing page people actually enjoy and remember: test everything. If you think I’m wrong run a test then come back here and tell me how wrong I am. Being told I’m wrong is fantastic, because it helps me constantly grow and be a better market and human being.

 

Git show all commits between two versions

So you want to upgrade a library but don’t know what’s changed? Easy enough to do in git. Most projects tag their releases with something like v1.2.3. If you want to see all the commits between two of these releases simply do:

git log --no-merges v1.2.3 --not v1.2.2 

This shows all commits from v1.2.3 that aren’t in v1.2.2.

Or if you want a short summary grouped by author you can do:

git shortlog --no-merges v1.2.3 --not v1.2.2 
 

Git create new branches basing them off master

For the longest time I’d had the frustration of working on one branch, needing to create another branch for a bug fix, then creating a PR with this bug fix only to discover all the commits from the original branch are now in the PR.

Today I discovered you can actually specify the base branch in the git checkout command. Simply do this:

git checkout -b newbranch master

It will create and switch to the new branch basing it off master. I’ve created a new script called ‘gnb’ (for ‘git new branch’) to do this all the time for me now. You can see it here

Also if you’ve already submitted the PR and now want to remove those additional commits you can easily do this by rebasing your new branch off master.

git rebase --onto master originalbranch newbranch
git push origin +newbranch # Force push as we're re-writing history here

This will rebase all the commits you did in newbranch onto master skipping commits that are in originalbranch.