[{"content":"Working for the leading AI company, people tend to ask you what AI means for their careers. Usually, they want to hear one of two extremes: &ldquo;this changes nothing&rdquo; or &ldquo;we&rsquo;re all doomed&rdquo;. To be honest, I appreciate both. A lot of what I have spent learning over two plus decades is now just a prompt away. Hard-earned debugging skills and deep technical knowledge can be generated by a model in seconds. It&rsquo;s uncomfortable to watch. But having your knowledge become cheap doesn&rsquo;t mean you become irrelevant. There is a huge gap between those two statements.\nThe Shelf-Life of Expertise This isn&rsquo;t actually new. Throughout my 20+ year career, the specific skills I fought hard to master have repeatedly stopped mattering. What kept me moving forward wasn&rsquo;t the specific knowledge; it was my ability to be perspicacious in an ambiguous situation \u2014 learn fast. AI didn&rsquo;t start this trend, it just turned the dial up to 11. What&rsquo;s actually disappearing? Memorizing syntax, looking up basic facts, and writing boilerplate code. Tech has always marched toward automating the boring stuff. Real engineering has never been about memorizing commands; it&rsquo;s about defining intent, making trade-offs, and managing systems.\nThe New Engineering Bottleneck When anyone can generate code for free, the bottleneck shifts from writing code to defining and verifying it. If you operate outside your comfort zone, you lose the ability to audit what the AI gives you. You need deep experience to spot the subtle, sometimes breaking mistakes an AI makes with total confidence. And trust me, it does make mistakes. Furthermore, unconstrained AI code creates a mess and bloat. We need engineers more than ever to clean up that architecture, manage dependencies, and keep the system sane. Code generation is a commodity; system orchestration is not.\nIt&rsquo;s Okay to Admit This Hurts I&rsquo;m not going to give you fake optimism. This shift genuinely hurts, and the anxiety people feel is completely justified:\nFewer entry-level spots \u2014 It&rsquo;s harder for junior engineers to build judgment when they can&rsquo;t do the basic, manual tasks that built mine. The middle squeeze \u2014 When one person can manage a fleet of AI agents, you simply need fewer people to do the same work. Loss of craft \u2014 The &ldquo;flow state&rdquo; of building things with your own hands is being replaced by reviewing and directing. &ldquo;You&rsquo;ll be more productive&rdquo; is a pretty hollow answer to that loss. The Playbook for Staying Relevant Still, at every tech shift I&rsquo;ve lived through, the winning strategy has been the same four moves:\nObserve \u2014 Use the tech or tools enough to know exactly where they shine and where they break. Learn \u2014 Understand the underlying primitives and how it all works. Adopt \u2014 Use it in new ways, apply it on the problems nobody has written about. Thrive \u2014 Stay close to the tech and take accountability for the final output. What Do We Do Now? Nobody actually knows how this ends, and anyone who claims they do is selling you something. But the answer isn&rsquo;t to pretend it&rsquo;s not happening, or to quit tech and take up woodworking. Get your hands on the tools. Find out exactly where they break. Be the person who can tell the difference between work that is actually done, and work that just looks done. My expertise has been eroding for over 20 years now. And honestly, I wouldn&rsquo;t want it any other way.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/staying-relevant-through-inflection-points\/","summary":"<p>Working for the leading AI company, people tend to ask you what AI means for their careers. Usually, they want to hear one of two extremes: &ldquo;this changes nothing&rdquo; or &ldquo;we&rsquo;re all doomed&rdquo;. To be honest, I appreciate both. A lot of what I have spent learning over two plus decades is now just a prompt away. Hard-earned debugging skills and deep technical knowledge can be generated by a model in seconds. It&rsquo;s uncomfortable to watch. But having your knowledge become cheap doesn&rsquo;t mean <em>you<\/em> become irrelevant. There is a huge gap between those two statements.<\/p>","title":"Staying Relevant Through Inflection Points"},{"content":"If you maintain an open source project, you&rsquo;ve probably wondered: who&rsquo;s actually contributing? Are we retaining contributors or burning through a revolving door? Is one person carrying the whole project? These questions matter.\nCommercial platforms answer these questions well. They do come with trade-offs though. Hosted analytics means sending your potentially private repo contributor data to a third party. Pricing models often assume enterprise budgets. And for a maintainer running a project with a handful of repos and no funding, the friction of setting up yet another SaaS integration is enough to never bother.\nDevPulse takes a different approach. It&rsquo;s a single binary that imports GitHub data into a embedded database and serves a browser-based dashboard from your machine. No dependencies, no cloud account, no subscriptions. Your data stays on your machine.\nDevPulse supports external DBs like PostgreSQL so when the time comes, migration is easy. See Scaling Up section below for details.\nWhat you get DevPulse organizes project insights into six areas, each mapped to a dashboard tab:\nHealth \u2014 Bus factor and pony factor tell you how concentrated your project risk is. Bus factor counts the minimum number of developers producing half your contributions. Pony factor does the same for organizations. A bus factor of one means your project has a single point of failure.\nActivity \u2014 Monthly event volume broken down by type: pull requests, reviews, issues, comments, forks. A trend line shows whether activity is growing or declining. PR size distribution reveals whether your project culture favors small, reviewable changes or massive drops.\nVelocity \u2014 Lead time from PR creation to merge, change failure rate, and release cadence. These are DORA metrics \u2014 the same signals that elite engineering teams track \u2014 computed automatically from your GitHub data. You also get release download counts and container image publication frequency if you publish to ghcr.io.\nQuality \u2014 PR-to-review ratio shows whether code is being reviewed at the rate it&rsquo;s being written. Review latency measures how long contributors wait for their first review. Time-to-close tracks issue responsiveness. Contributor reputation scoring surfaces identity confidence signals for people contributing to your project.\nCommunity \u2014 New contributors versus returning contributors per month. A rolling three-month active contributor count with momentum indicators. First-time contributor milestones (first comment, first PR, first merged PR). Top contributing organizations and individuals. This is the tab that tells you whether your community is actually a community or just a mailing list.\nEvents \u2014 Searchable, filterable event log. Click any data point in the charts above and the Events tab populates with the underlying records, each linked back to GitHub.\nGetting started Install via Homebrew:\nbrew tap mchmarny\/tap &amp;&amp; brew install devpulse Or download a binary from the releases page. Binaries are available for macOS, Linux, and Windows across amd64 and arm64. Every release is signed with Sigstore, ships with an SBOM, and includes GitHub build provenance attestations \u2014 so you can verify exactly what you&rsquo;re running.\nThen, three simple commands:\n# Authenticate with GitHub (stores token in your OS keychain) devpulse auth # Import data for your project devpulse import --org your-org --repo your-repo # Start the dashboard devpulse server Your browser opens to http:\/\/127.0.0.1:8080 (port and auto-open configurable) with a full analytics dashboard. The whole process takes a few minutes depending on how much history you&rsquo;re importing. By default, DevPulse pulls six months of data. Adjust with --months if you want more.\nYour data, your machine The default storage backend is SQLite. Your database lives at ~\/.devpulse\/data.db \u2014 a single file you can back up, move, or delete. The dashboard reads from this local database. No data leaves your machine once the initial GitHub API import is complete.\nThis matters if you maintain a project where contributor data is sensitive. Maybe you&rsquo;re tracking contributions across a corporate open source portfolio and don&rsquo;t want that mapping exported to a third party. Maybe you&rsquo;re a solo maintainer and just don&rsquo;t want another account to manage. Either way, the data stays where you put it.\nBeyond the dashboard The CLI isn&rsquo;t just a launcher for the web UI. It&rsquo;s a complete data management toolkit:\nQuery \u2014 Pull structured JSON from your local database. List developers, search events by type and date range, explore entity affiliations. Pipe the output to jq for scripting:\ndevpulse query events --org my-org --repo my-repo \\ --type pr --author username --since 2026-01-01 Score \u2014 Enrich contributor profiles with deep reputation signals from the GitHub API. Account age, organization membership, commit signing history, profile completeness, activity patterns:\ndevpulse score --org my-org --count 20 Substitute \u2014 Normalize messy entity data. GitHub profile company fields are free-text, so &ldquo;Google&rdquo;, &ldquo;Google LLC&rdquo;, &ldquo;Google Inc.&rdquo;, and &ldquo;google&rdquo; all show up as separate organizations. Fix that in one command:\ndevpulse substitute --type entity --old &#34;Google LLC&#34; --new &#34;GOOGLE&#34; Sync \u2014 Automate imports on a schedule. Point it at a YAML config file listing your orgs and repos, and run it hourly via cron. DevPulse rotates through repos round-robin style to stay within GitHub API rate limits:\ndevpulse sync --config sync.yaml Scaling up when you need to SQLite works well for most use cases \u2014 a maintainer tracking a handful of repos, or a small team monitoring their project portfolio. But if you&rsquo;re running DevPulse across a large organization with dozens of repos and thousands of contributors, you can switch to PostgreSQL:\ndevpulse import --org large-org --repo repo-1 \\ --db &#34;postgres:\/\/user:pass@host:5432\/devpulse&#34; The --db flag (or DEVPULSE_DB environment variable) accepts either a file path for SQLite or a postgres:\/\/ URI. Same CLI, same dashboard, same queries \u2014 just a different backend. This also opens the door to running DevPulse as a hosted service behind Cloud Run service or any container platform, with a managed database and scheduled sync jobs.\nThe point is that you start local and self-contained. If your needs grow, the path to a shared deployment is a flag change, not a rewrite.\nTry it DevPulse is open source under Apache 2.0. Install it, point it at your project, and see what the data says about your community. The questions it answers \u2014 who&rsquo;s contributing, are we retaining people, how concentrated is our risk \u2014 are the ones that determine whether a project is sustainable. Having answers shouldn&rsquo;t require an enterprise contract.\ngithub.com\/mchmarny\/devpulse\n","permalink":"https:\/\/blog.chmarny.com\/posts\/devpulse-community-health-analytics-for-the-rest-of-us\/","summary":"<p>If you maintain an open source project, you&rsquo;ve probably wondered: who&rsquo;s actually contributing? Are we retaining contributors or burning through a revolving door? Is one person carrying the whole project? These questions matter.<\/p>\n<p>Commercial platforms answer these questions well. They do come with trade-offs though. Hosted analytics means sending your potentially private repo contributor data to a third party. Pricing models often assume enterprise budgets. And for a maintainer running a project with a handful of repos and no funding, the friction of setting up yet another SaaS integration is enough to never bother.<\/p>","title":"DevPulse: Community Health Analytics for the Rest of Us"},{"content":"GPU Kubernetes is hard. Aligning kernels, drivers, container runtimes, operators, and Kubernetes versions is a version compatibility minefield. A single misconfigured component can take down an entire GPU fleet, and root cause analysis can take days. Typically, these known-good configurations live as tribal knowledge in &ldquo;runbooks&rdquo; and internal pipelines, not as portable, reproducible artifacts.\nThe recently open-sourced AI Cluster Runtime (AICR) project is designed to solve that friction. It provides optimized, validated, and reproducible configurations for a given GPU-accelerated Kubernetes cluster.\nThe Workflow AICR utilizes a composable, standards-based approach using YAML recipes and Helm bundles. The workflow is broken down into four stages:\nSnapshot (optional): Captures the current state of an existing GPU cluster Recipe: Generates an optimized, version-locked config for your environment Bundle: Converts the recipe into deployment-ready artifacts for a given deployer (e.g. Helm or ArgoCD, more too come soon) Deploy: Applies the bundle using your existing CD pipeline \u2014 this step is yours, no new tooling required Validate: Verifies deployment, performance, and conformance against the cluster AICR is about the optimized configuration for, and validation of your cluster, not the deployment or management of your cluster where it leans on the wealth of existing open source options.\nGetting Started The AICR CLI can be installed on Linux, macOS, or Windows (via WSL). You can use Homebrew:\nbrew tap NVIDIA\/aicr brew install aicr Alternatively, you can use the install script which does the implicit SLSA Level 3 provenance verification:\ncurl -sfL https:\/\/raw.githubusercontent.com\/NVIDIA\/aicr\/main\/install | bash -s Generating a Recipe Recipe captures the exact constraints and component versions required for your target state. You can specify your environment explicitly:\naicr recipe \\ --service eks \\ --accelerator h100 \\ --intent training \\ --os ubuntu \\ --platform kubeflow \\ --output recipe.yaml Or, you can point aicr at any existing GPU-accelerated Kubernetes cluster (EKS, GKE, AKS, or self-managed) to auto-discover that state:\naicr snapshot \\ --namespace aicr-validation \\ --node-selector nodeGroup=gpu-worker \\ --output snapshot.yaml aicr recipe \\ --snapshot snapshot.yaml \\ --intent training \\ --node-selector nodeGroup=gpu-worker \\ --output recipe.yaml Bundling for Deployment Once your recipe.yaml is generated, you convert it into deployable artifacts. For modern GitOps workflows, you can output directly to an OCI registry, or optionally include bundle cryptographic attestation using Sigstore:\naicr bundle \\ --recipe recipe.yaml \\ --deployer argocd \\ --output oci:\/\/ghcr.io\/nvidia\/bundle \\ --attest Supply chain security is built into every layer. Every bundle includes checksums for all generated artifacts end-to-end, and the project itself ships with SLSA Level 3 provenance, SPDX SBOMs, and cosign image attestations.\nValidate the Cluster Once deployed, AICR validates the cluster against the same recipe used to create the bundle. Validation runs across three phases:\nPhase What it proves deployment Fabric is properly configured and operational performance Synthetic workloads meet expected throughput conformance Overall cluster conformance is verified These phases can be run individually or all at once. Validation reports are output in Common Test Report Format (CTRF) to enable programmatic post-processing.\naicr validate \\ --recipe recipe.yaml \\ --phase all \\ --output report.json To verify CNCF AI Conformance, you can also add --evidence-dir to export evidence artifacts for CNCF submission.\nContributing The matrix of potential platform, GPU, OS, intent, and service configurations is bigger than any one team to manage. We built the framework, but we do need the community to help fill it in. If you&rsquo;ve already validated and optimized a new configuration combination, run performance benchmarks, or written new deployment tests, please contribute to this project by opening a PR.\nDo star the repo, try it on your cluster, and open an issue with your findings: github.com\/NVIDIA\/aicr.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/ai-cluster-runtime-reproducible-configs-for-gpu-accelerated-kubernetes\/","summary":"<p>GPU Kubernetes is hard. Aligning kernels, drivers, container runtimes, operators, and Kubernetes versions is a version compatibility minefield. A single misconfigured component can take down an entire GPU fleet, and root cause analysis can take days. Typically, these known-good configurations live as tribal knowledge in &ldquo;runbooks&rdquo; and internal pipelines, not as portable, reproducible artifacts.<\/p>","title":"AI Cluster Runtime: Reproducible Configs for GPU-Accelerated Kubernetes Clusters"},{"content":"Every dependency you install, every pull request you merge, carries an implicit trust decision. You trust that the person behind the commit is who they claim to be, that their account hasn&rsquo;t been compromised, and that their contribution is genuine. Most of the time, that trust is warranted. But supply chain attacks like the xz utils backdoor remind us that trust without verification is a vulnerability.\nreputer is a CLI tool that calculates contributor reputation scores from Git provider APIs. It doesn&rsquo;t claim to detect malicious intent. Instead, it answers a narrower question: based on observable signals from GitHub or GitLab (other signal providers coming soon), how confident should you be in a contributor&rsquo;s identity and engagement? The score is best understood as an identity confidence indicator, not a judgment of code quality.\nWhat it measures reputer evaluates seven signals grouped into four threat-model-prioritized categories. Each category carries a weight reflecting its relative importance to supply chain risk:\nCode Provenance \u2014 Are commits cryptographically signed? Is two-factor authentication enabled? Unsigned commits from accounts without 2FA represent the highest-risk vector. An account with 2FA acts as a multiplier on the verification score, while accounts without it are penalized up to 50% on core reputation.\nIdentity Authenticity \u2014 How old is the account, and does the contributor belong to the repository owner&rsquo;s organization? Freshly created accounts are inherently higher risk. Account age follows a logarithmic curve where early days matter most, with a ceiling at two years. Organization membership is a binary signal that provides strong identity corroboration.\nEngagement Depth \u2014 What proportion of the repository&rsquo;s commits belong to this contributor, and how recently did they contribute? A long-time contributor with recent activity is more trustworthy than an account that appeared once. Commit proportion adapts to the contributor count, and recency uses exponential decay with a 90-day half-life.\nCommunity Standing \u2014 What does the contributor&rsquo;s broader GitHub presence look like? Follower-to-following ratio and repository count provide weak but useful signals. These carry the lowest weight because they&rsquo;re the easiest to fabricate.\nHow scoring works reputer uses a graduated proportional model. Each signal contributes linearly between zero and its weight ceiling. The final score sums all signal contributions to produce a value between 0.0 and 1.0.\nThree mathematical curves shape the signals:\nLinear clamping for ratios like commit proportion, where more is proportionally better up to a ceiling Logarithmic scaling for signals like account age and follower ratio, where early growth matters more than late growth (diminishing returns) Exponential decay for recency, where the signal halves roughly every 90 days of inactivity A suspended account always scores zero, regardless of other signals. The model version is included in every report, so consumers can track scoring methodology changes over time.\nArchitecture The tool follows a layered design:\nCLI \u2192 Reporter \u2192 Provider \u2192 Scoring Engine The CLI layer parses flags and authenticates against the Git provider. The Reporter orchestrates the query and serializes output. The Provider layer abstracts the Git hosting API \u2014 GitHub is fully implemented, GitLab is mostly done. The Scoring Engine in pkg\/score is a standalone package with no provider dependencies, making it independently testable.\nWhen evaluating a repository, reputer paginates through commits, then concurrently fetches user profiles (up to 10 at a time) with built-in rate-limit awareness. It pauses when API calls run low and waits for the rate limit window to reset, so it won&rsquo;t burn through your token quota.\nThe output is structured JSON that includes repository metadata, the scoring model version, category weight definitions, and per-contributor scores with optional detailed stats.\nUsing the CLI Install via Homebrew, Go, or download a binary from the releases page:\nbrew tap mchmarny\/reputer &amp;&amp; brew install reputer Then point it at a repository:\nreputer --repo github.com\/owner\/repo Add --stats to see the raw signals behind each score, or --file report.json to write output to a file. The JSON report includes every contributor&rsquo;s reputation score alongside the model metadata:\n{ &#34;repo&#34;: &#34;github.com\/owner\/repo&#34;, &#34;total_commits&#34;: 338, &#34;total_contributors&#34;: 4, &#34;meta&#34;: { &#34;model_version&#34;: &#34;2.0.0&#34;, &#34;categories&#34;: [ { &#34;name&#34;: &#34;code_provenance&#34;, &#34;weight&#34;: 0.35 }, { &#34;name&#34;: &#34;identity&#34;, &#34;weight&#34;: 0.25 }, { &#34;name&#34;: &#34;engagement&#34;, &#34;weight&#34;: 0.25 }, { &#34;name&#34;: &#34;community&#34;, &#34;weight&#34;: 0.15 } ] }, &#34;contributors&#34;: [ { &#34;username&#34;: &#34;contributor-a&#34;, &#34;reputation&#34;: 0.92, &#34;context&#34;: { &#34;created&#34;: &#34;2016-03-12T10:22:08Z&#34;, &#34;name&#34;: &#34;Alice Example&#34;, &#34;company&#34;: &#34;ExampleOrg&#34; }, &#34;stats&#34;: { &#34;verified_commits&#34;: true, &#34;strong_auth&#34;: true, &#34;age_days&#34;: 3634, &#34;commits&#34;: 295, &#34;unverified_commits&#34;: 0, &#34;public_repos&#34;: 47, &#34;private_repos&#34;: 12, &#34;followers&#34;: 183, &#34;following&#34;: 22, &#34;last_commit_days&#34;: 3, &#34;org_member&#34;: true } }, { &#34;username&#34;: &#34;contributor-b&#34;, &#34;reputation&#34;: 0.41, &#34;context&#34;: { &#34;created&#34;: &#34;2024-11-08T15:44:31Z&#34;, &#34;name&#34;: &#34;Bob NewDev&#34; }, &#34;stats&#34;: { &#34;age_days&#34;: 470, &#34;commits&#34;: 12, &#34;unverified_commits&#34;: 12, &#34;public_repos&#34;: 3, &#34;followers&#34;: 2, &#34;following&#34;: 15, &#34;last_commit_days&#34;: 38 } } ] } Using the GitHub Action reputer also ships as a GitHub Action that automatically welcomes first-time pull request contributors with their reputation stats. Add a workflow file to your repository:\nname: welcome on: pull_request_target: types: [opened] permissions: pull-requests: write contents: read jobs: welcome: runs-on: ubuntu-latest steps: - uses: mchmarny\/reputer@main When a new contributor opens their first PR, the action posts a comment with a reputation summary table \u2014 account age, 2FA status, commit verification, follower count, and the overall score. It gives maintainers a quick signal without requiring them to manually investigate the contributor&rsquo;s profile.\nThe action uses pull_request_target rather than pull_request, meaning it runs in the context of the base repository and never checks out untrusted PR code.\nConclusion No single tool solves supply chain security. But having a quantified, reproducible signal about contributor identity confidence is one more data point for maintainers making trust decisions. reputer is open source under Apache 2.0 \u2014 try it on your own repositories, and decide for yourself whether the signals it surfaces are useful for your threat model.\ngithub.com\/mchmarny\/reputer\n","permalink":"https:\/\/blog.chmarny.com\/posts\/reputer-scoring-contributor-reputation\/","summary":"<p>Every dependency you install, every pull request you merge, carries an implicit trust decision. You trust that the person behind the commit is who they claim to be, that their account hasn&rsquo;t been compromised, and that their contribution is genuine. Most of the time, that trust is warranted. But supply chain attacks like the <a href=\"https:\/\/en.wikipedia.org\/wiki\/XZ_Utils_backdoor\">xz utils backdoor<\/a> remind us that trust without verification is a vulnerability.<\/p>","title":"Reputation scoring for open source contributors: what reputer measures and why"},{"content":"Builder, architect, and strategist dedicated to simplifying how developers interact with complex systems. Currently serving as a Principal Cloud Architect in NVIDIA\u2019s DGX Cloud organization, Mark focuses on bridging the gap between cutting-edge AI hardware and the cloud-native ecosystem. His mission is to enable optimized, validated, and reproducible GPU-accelerated infrastructure in Kubernetes for everyone.\nMark\u2019s work spans the entire lifecycle of large-scale AI\/ML platforms, including GPU runtime, networking, storage, and performance validation across heterogeneous, multi-cloud environments used for training and inference. Throughout a distinguished career at Google Cloud, Apple, and Microsoft Azure OCTO, Mark has championed &ldquo;developer-first&rdquo; platforms, leading engineering efforts in Kubernetes control-planes, software supply chain security, and distributed workload management.\nCore Expertise:\nAI\/ML Infrastructure: Architecting large-scale Kubernetes-based platforms for GPU clusters, including Blackwell-class compute infrastructure. Led GB200 enablement efforts on Kubernetes across AWS, GCP, and OCI, working closely with each CSP to ensure an optimized experience for their users. Cloud-Native Strategy: Steering the technical direction for serverless computing, multi-cloud deployment frameworks, CI\/CD, and secure software supply chains. Platform Engineering: Transforming internal technical expertise into public-facing, machine-consumable runtime data and validated recipes to reduce duplication and improve consistency across the ecosystem. Open Source Leadership: Deeply committed to the open-source community through leadership in projects like Knative, Tekton, and Dapr, as well as broader industry initiatives like NVSentinel to improve GPU fleet health and remediation. You can find me on Bluesky (@chmarny.com), Mastodon (@mchmarny@fosstodon.org), and my open source contributions on GitHub (@mchmarny)\nProfile picture\nNote: All posts in this blog represent Mark&rsquo;s personal opinions.\n","permalink":"https:\/\/blog.chmarny.com\/about\/","summary":"<p>Builder, architect, and strategist dedicated to simplifying how developers interact with complex systems. Currently serving as a Principal Cloud Architect in NVIDIA\u2019s DGX Cloud organization, Mark focuses on bridging the gap between cutting-edge AI hardware and the cloud-native ecosystem. His mission is to enable optimized, validated, and reproducible GPU-accelerated infrastructure in Kubernetes for everyone.<\/p>","title":"About Mark Chmarny"},{"content":"Today marks a bittersweet moment as I say goodbye to Cruise. When I joined the company seven months ago, my mission was to scale the AV services worldwide and to modernize the AV and Cloud service developer platforms. Despite the unexpected challenges following the October incident, my journey at Cruise has been incredibly enriching, teaching me the true essence of resilience, adaptability, and commitment to excellence.\nThis experience has also deepened my appreciation for the pivotal role of platforms in AI development, emphasizing the need for seamless creation, deployment, and scaling of AI applications. My previous work with platforms like Cloud Foundry, Knative, and Dapr has shown me the power of simplifying complexity and how it can fuel innovation. The AI field is ripe with opportunities for these advancements. I&rsquo;m excited to dive deeper into this space.\nLooking ahead, I&rsquo;m thrilled to embark on a new chapter focused on improved access to datasets, computational resources, and pre-built models. I&rsquo;m eager to share more about this journey next week.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/leaving-cruise\/","summary":"<p>Today marks a bittersweet moment as I say goodbye to <a href=\"https:\/\/getcruise.com\">Cruise<\/a>. When I joined the company seven months ago, my mission was to scale the AV services worldwide and to modernize the AV and Cloud service developer platforms. Despite the unexpected challenges following the <a href=\"https:\/\/getcruise.com\/news\/blog\/2024\/cruise-releases-third-party-findings-regarding-october-2\/\">October incident<\/a>, my journey at Cruise has been incredibly enriching, teaching me the true essence of resilience, adaptability, and commitment to excellence.<\/p>","title":"Leaving Cruise; why I'm still excited about AI platforms"},{"content":"The practice of Secure Software Supply Chain (S3C) can get complex at times. Fortunately though, a large portion of the key things we can do to secure our software delivery pipelines are actually pretty easy. This post covers three concepts you can implement today:\nprovenance - Where and how was the software created? Using what source code, tools, and build system? Who were the individuals involved in its development? transparency - What\u2019s in the software artifact? What are the packages, libraries, and their versions? Who provided them? And, what are the relationships between them? (what depends on, uses, what) context - What are the vulnerabilities, and what is their potential exploitability in that specific artifact? Let&rsquo;s review each one of these and provide some options on how to implement them in your software release pipeline.\nProvenance The open source community under OpenSSF has created a security framework for how we can think of build provenance. This framework is called Supply Chain Levels for Software Artifacts (SLSA). it provides a standardized check-list of controls to improve the integrity, prevent tampering, and secure software artifacts and build infrastructure.\nAt its core, SLSA is based on the builders producing conformant and signed provenance documents (aka build attestation). The provenance document includes Build Definition (e.g. parameters, dependencies), and Run Details (e.g. builder, metadata). And, to make it easier for us to reason about it, the key characteristics of the build provenance are grouped into SLSA Levels (1-3). The downstream consumers of the produced artifacts can inspect the provenance, and base their policy decisions on the inferred level of SLSA. More about SLSA levels on slsa.dev.\nAdd SLSA-based build provenance to your release pipeline:\nGoogle Cloud Build - Level 3 assurance automatically generated in Artifact Analysis for all images pushed to Artifact Registry GitHub Actions - Reusable workflow, which when added to your release pipeline generates Level 3 build provenance GitLab CI\/CD - Runner which can generate artifact metadata meeting SLSA Level 2 with support for external code signer to potentially deliver Level 3. Regardless of the means by which SLSA provenance was generated, you can use the SLSA Verifier CLI to ensure its validity.\nTransparency While SLSA is about how the software was produced, Software Bill of Materials (SBOM) is about what&rsquo;s in the software. Think of SBOM like an ingredients label on a can of food you buy in the grocery store. It&rsquo;s an inventory of all the components that make up the software. SBOMs are used during the production of software (e.g. license compliance), during process of software selection (e.g. policy compliance), or during operations (e.g. risk management). SBOMs can be also used in all three of these use-cases for vulnerability monitoring as new vulnerabilities are discovered all the time. More about SBOM and the related US regulation on cisa.gov\/sbom. Similar regulations apply in the EU and the UK. While there is many formats\/flavors of SBOM, the most common open standards today are:\nSPDX (Software Package Data Exchange) - Provides a structured format for documenting software components, licenses, copyrights, and security vulnerabilities, including information about packages, files, and relationships. It&rsquo;s maintained by the Linux Foundation (LF), and it has a broader ecosystem of tools and libraries which can make it easier to integrate into your pipeline. Given the extensive set of fields and options, SPDX can get complex for humans to reason about though. CycloneDX - Provides a lightweight and flexible representation of the components and dependencies, including details about packages, versions, licenses, and vulnerability information, allowing for interoperability between different tools and platforms. CycloneDX allows for extensibility (see VEX section below). However, unlike SPDX, CycloneDX is not an industry-standard format, and while it has gained traction and adoption, it may not enjoy the same level of standardization and industry-wide acceptance as SPDX. Ultimately, the choice between SPDX and CycloneDX depends on your specific needs, the ecosystem you operate in, and the level of standardization and extensibility required for your software supply chain management.\nYou can add SBOM to your release pipeline in a number of ways:\nUsing Lockfile - These SBOMs are generated using the information in language specific lockfile (e.g. go.mod, gradle.lockfile, or pom.xml). Sometimes they are generated by your Source Code Management System (e.g. GitHub SBOM). While easy, this approach does not account only for the user defined code, and lacks information about the base image on which this code will be deployed. Lockfile-based SBOMs don&rsquo;t work well also for repos which build to more than one artifact. During Build - Generating SBOMs during build is not very common yet. For the Go ecosystem, there is ko, and for Java Maven using the CycloneDX plugin. The benefit of this approach is build tools have a deep understanding of the dependencies, and the SBOM generation becomes this way an inherent part of the build workflow, ensuring consistency with each build (e.g. format) From Container - These SBOMs are generated from the final product. This is the most common approach to generating SBOMs today (e.g. using OSS tools like syft or snyk). The reliance on the layered file systems or container image may result in an incomplete view of all the dependencies, especially with transitive dependencies and in situations when not installed using package manager. Context Unless you are building a simple hello world application, chances are high you will have some vulnerabilities in your software and\/or its dependencies. The thing that&rsquo;s important to realize though is that software can contain components with vulnerabilities and yet not be vulnerable itself. This is where Vulnerability Exploitability eXchange (VEX) comes in. It&rsquo;s a machine-readable file that can be used by producers to convey information about the actual &ldquo;exploitability&rdquo; of each vulnerability and prioritize remediation, and by the consumers as an input into policy controls driving their release process.\nThe file itself is based on set of assertions (impact statements) about the status of a vulnerability in specific artifact and deployment context:\nNot affected \u2013 No remediation is required regarding this vulnerability. Affected \u2013 Actions are recommended to remediate or address this vulnerability. Fixed \u2013 Represents that these product versions contain a fix for the vulnerability. Under Investigation \u2013 Still looking whether this artifact is affected by this vulnerability. Somewhat early days for VEX, so there isn&rsquo;t yet a well-formalized standard or many OSS tools. Still, A couple of interesting initiatives in this space worth keeping an eye on:\nCycloneDX 1.4 - This version of the CycloneDX SBOM format adds support for VEX&rsquo;d vulnerabilities. This embedded VEX provides a single artifact that describes both inventory and VEX data. OpenVEX is a minimal (but compliant) implementation of the VEX format optimized for interoperability. OpenVex includes spec, and a growing ecosystem of tools (Go, .NET, Rest). Conclusion Hope this post helped you identify at least one thing you can do in your software release pipeline to increase its supply chain security.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/provenance-transparency-context-3-aspects-of-s3c-you-can-implement-today\/","summary":"<p>The practice of Secure Software Supply Chain (S3C) can get complex at times. Fortunately though, a large portion of the key things we can do to secure our software delivery pipelines are actually pretty easy. This post covers three concepts you can implement today:<\/p>","title":"Provenance, transparency, and context, the three aspects of software supply chain security you can implement today"},{"content":"If you are doing any vulnerability detection in your software release pipeline today, you are already familiar with the volumes of data these scanners can generate. That dataset gets significantly larger when you add things like license scanning and Software Bill of Materials (SBOM) generation. That volume of data gets further compounded with each highly-automated pipeline you operate. This can quickly lead to what I refer to as a Software Supply Chain Security (S3C) data fatigue, as many vulnerabilities you\u2019ll discover you simply can\u2019t do anything about. There is an actionable signal in there actually, it\u2019s just hard to find it in the midst of all the noise.\nOver the last year, there has been a growing number of existing and new security focused ISVs who are starting to now provide integrated products to help you management of all this data and offer algorithms to automate the discovery (e.g. Chainguard, Mend, Synopsys, Sonatype, Snyk). In GCP, we\u2019ve also added Container Analysis API to enable metadata management.\nTo learn more about S3C data, and to better understand the challenges in this space, I\u2019ve put together a simple solution called disco to:\nContinuously discover container images used in my workloads across multiple GCP projects, regions, and runtimes Easily plug different open source image scanners (e.g. syft and trivy for SBOM, grype, osv-scanner, snyk, and trivy for vulnerabilities, and some combination of each of these for licenses) Automatically manage data exports for: Raw scanner reports into GCS bucket Key data feature metrics into Cloud Monitoring time-series Synthesized data into BigQuery tables Here is a high-level topology of the disco solution:\nThe four challenges I\u2019ve been thinking about in relation to the above-described S3C data noise, along with a simple pragmatic approaches I wanted to evaluate are:\nLarge number of data sources (i.e. many images with many versions in container registry, which ones are actually used?) - Scope sources down to only what\u2019s actually being used at any given time to underpin the live services. Ideally the discovery shifts left and integrates into release pipeline, but, if the release frequency is not high (order of days, or more), this may be valuable addition, as new vulnerabilities are discovered all the time (i.e. Day 0). Multiple data formats (i.e. SPDX, CycloneDX, which version?) - Normalize the data into a consistent set that maps the key identities (e.g. packages, files, relationships, licenses, vulnerabilities, etc.), across multiple formats. Hard to parse signal in raw data (hard to reason over values in JSON or YAML file) - Identify key features and automate metering to create a change detection system to focus on significant events using threshold rules scoped to a project, deployment, runtime, image, or even single package. Point-in-time perspective (hard to compare multiple sources or capture deviation over time) - Enable forensic (historical) analysis over data spanning longer periods of time to detect trends and potential gaps using commonly known skills and technologies (e.g. SQL) to enable a broader number of reporting tools and audiences. Here is how I\u2019ve implemented each one of these approaches and what I have learned in the process:\nImage Discovery To find images that are being actively used in live services I\u2019ve written a simple Go client. That client queries the GCP API for projects, and traverses the active deployments in each runtime to find the specific image digest. This is basically equivalent to this gcloud commands like this:\ncurl -H &#34;Content-Type: application\/json; charset=utf-8&#34; \\ -H &#34;Authorization: Bearer $(gcloud auth application-default print-access-token)&#34; \\ &#34;https:\/\/cloudresourcemanager.googleapis.com\/v1\/projects&#34; The project, regions, runtimes, and service that client discovers are automatically scoped to the identity under which the disco service operates. This makes it easy to manage cross-project discovery using IAM roles.\nNew services are deployed all the time, so the disco service uses a cron job in Cloud Scheduler to continuously execute the discovery service (defaults to hourly). Technically, each new deployment in these runtimes has a corresponding event in Eventarc, so ad-hoc scans for newly updated services are possible. Still, to keep things simple, disco operates in batches.\nThe actual digest that underpins the live service in Cloud Run is stored on the revision, and Cloud Run can split traffic across multiple revisions. To deal with this, disco uses API filters and traverses the revisions to identify all of the \u201cactive\u201d ones. Also, while somewhat counter-intuitive, Cloud Functions does actually build images behind the scene when you deploy a new function. These are managed by GCP, so the GCF API doesn\u2019t expose the actual digest, but it does provide the revision ID, which can be used against the Cloud Run API to discover the actual digest.\nData Normalization To extract data from each one of the discovered images, disco uses one of the preconfigured open source scanners. These scanners generate reports which disco then uses to extract three main entities:\nPackages SBOM file generated by scanner (default: SPDX v2.2 using trivy although I have experimented with the other formats I found in the set the Chainguard team maintains in their (s)bom-shelter). The disco mapping is mostly flattened \u2018.packages\u2019 data with file level metadata. I\u2019ve started experimenting with traversing the \u2018.relationships\u2019 graph but this turned out to be a lot more complicated than I expected, and didn\u2019t really add that much value to the simple use-case I was after. (I\u2019d like to integrate GUAC here in the future to normalizing entity identities via mapping standard relationships using graph DB)\nVulnerabilities From a vulnerability report generated by one of the OSS scanners (default: Trivy) for all layers in each image (SPDX v3.0 will include vulnerability data, so this will remove the need for additional scans and different parsers. For now though, the subset of packages with vulnerabilities need to be mapped to all of the packages found in the image. I\u2019ve also started to look into the CVSS scores from different vendors, but still have much to learn about the lifecycle and implications of these so for now just using the \u201csimple\u201d severity\nLicenses From OS and package license report used in each image using an OSS scanner (default: trivy). Technically, you could pull the license information from SBOM, but the dataset in the explicit report is more complete and I was able to avoid the whole \u201cdeclared\u201d (by vendor) vs \u201cconcluded\u201d dance. Trivy also provides a \u201cconfidence\u201d indicator which helps in downstream analysis\nOnce extracted, in addition to all the other data, disco also normalizes the shape of the key elements for all of these identities to enable cross-reference:\nBatchID - single ID for the entire batch to make deduplication easier ImageURI - image URI (without tag or sha) for queries spanning multiple versions ImageSHA - image sha to ensure unique identity for specific image version Package - fully qualified package name PackageVersion - canonical version of the package Updated - timestamp when the data element was extracted Metrics Export\nEven with only a small number of services across a couple of runtimes, disco will quickly generate thousands of data points. To ensure that the meaningful signal is detected early, disco exports custom metrics from each scan, for example:\ndisco\/vulnerability\/severity - vulnerability count for each severity (labels: severity value, project, service, runtime, image) disco\/license\/image - licenses per image (labels: license kind, project, service, runtime) disco\/package\/image - packages per image (labels: project, service, runtime) Once exported, I was able to use Metric Explorer to review the generated metrics:\nI was also able to create notifications policies based on metric thresholds to alert using one of the supported channels (e.g. Mobile device app notification, Slack, Email, SMS, etc), and route the events to another process downstream using Pub\/Sub (or Webhook).\nAt the end, only the severity metric turned out to be of significant value here. Packages, and licenses have way too high cardinality for individual metrics, and generic point metrics are fun for graphs, but I\u2019m not sure anyone would actuate something on that (even when generalized, because there are at least ten diff ways to spell Artistic-2).\nForensic Analysis Each of the data sources in disco (image, package, license, and vulnerability), has many data points, so for broader analysis over a longer period of time, disco also batch exports its data to BigQuery tables. The schema of each one of the tables is available here. To ensure the queries are performant over time regardless of volumes, disco partitions each table per day. More on partitioned tables here.\nOnce in BigQuery, I was able to use standard SQL to query over that data, using different joins across all the three main identities (license, package, vulnerability). I haven\u2019t had the time to do it yet, but it would be interesting to combine the reports across different CVE sources like NVD or VULDB, to see how each reports CVEs over time. Using this setup, I was however able to identify a few interesting deviations over time. For example:\nPackage version changes between versions, and cross-service distribution Vulnerability (CVE) severity and score changes Package license changes (yep, those do happen), see FOSSA And because BigQuery has a rich ecosystem of visualization tools, I can also easily create reports from all this collected data like this one in Looker Studio which actually allows for drill-downs (select image and only its vulnerabilities, licenses, and package distribution).\nIn Summary If nothing else, building disco was an educational experience. I gained appreciation for some of the idiosyncrasies in SBOM formats, I\u2019ve learned about the different vulnerability data sources, and evaluated the tradeoffs in data aggregation and synthesis. This already happens in companies with more advanced SecOps, I do think, eventually, this data will more broadly drive policy decisions, be instrumental in audits, and used to manage risk. This data could also potentially drive better development practices. All in all, this is an exciting space with much, much more room for innovation. I look forward to digging deeper.\nIf you are interested, the disco source code, and Terraform-based deployment with prebuilt images, is available in my repo in github.com\/mchmarny\/disco. There also is a CLI you can use locally (installation instructions here). Hope you found this helpful.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/automating-software-supply-chain-security\/","summary":"<p>If you are doing any vulnerability detection in your software release pipeline today, you are already familiar with the volumes of data these scanners can generate. That dataset gets significantly larger when you add things like license scanning and <a href=\"https:\/\/www.cisa.gov\/sbom\">Software Bill of Materials<\/a> (SBOM) generation. That volume of data gets further compounded with each highly-automated pipeline you operate. This can quickly lead to what I refer to as a Software Supply Chain Security (S3C) data fatigue, as many vulnerabilities you\u2019ll discover you simply can\u2019t do anything about. There is an actionable signal in there actually, it\u2019s just hard to find it in the midst of all the noise.<\/p>","title":"Software supply chain data fatigue and what I\u2019ve learned from SBOM, vulnerability reports"},{"content":"Twitter does provide notifications for when new users start following you. It does now however provide any notifications when users stop following you. Now, there is an ample of web sites out there who do provide that service, in most cases though, they cost money, and ask you for a complete access to your Twitter account.\nThis is the Twitter prompt to authorize access for these kind of sites to your account. Do you feel comfortable agreeing to this after reading what that application actually will be able to do?\nNow, it&rsquo;s hard to blame these sites for asking for such extensive access though. Twitter app configuration settings allow only two modes of access request, Read Only, and Full Access like the one above. I&rsquo;ve tweeted before about the need for more granular access permissions in Twitter here, so who knows, maybe one day.\nPersonally, I wasn&rsquo;t willing to give some site out there a full access to my Twitter account. So, I did what most technologists do in these kinds of situations&hellip; I&rsquo;ve built my own. It&rsquo;s called TweeThingz and you use it for free at twee.thingz.io.\nTweeThingz provides visualization of the follower trends, reports of daily follower events, and optional on-change email notifications. Best of all, TweeThingz only needs a read access to your Twitter account!\nYou can also get email notifications whenever there are daily changes to your follower, friend, or list stats. The notifications can be disabled in the Account preferences.\nFinally, TweeThingz is very much a personal project. There is no ads or tracking. I&rsquo;m running this service under personal account in Google Cloud, using Cloud Run and use Cloud SQL for state management, which until this grows to thousands (millions?) of users, makes TweeThingz operations pretty inexpensive. Enjoy it, and let me know what you think.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/twitter-follower-activity-monitoring-using-tweethingz\/","summary":"<p><img align=\"right\" src=\"\/images\/twitter-api-access.jpeg\" style=\"width:300px; height:auto; margin:20px\" \/>Twitter does provide notifications for when new users start following you. It does now however provide any notifications when users stop following you. Now, there is an ample of web sites out there who do provide that service, in most cases though, they cost money, and ask you for a complete access to your Twitter account.<\/p>","title":"Twitter follower status monitoring made easy using TweeThingz"},{"content":"The recently introduced by GitHub support for OpenID Connect (OIDC) tokens in GitHub Actions allows workflows to mint new tokens and then exchange those tokens for short-lived OAuth 2.0 or JWT tokens. These tokens can be used to access and manage Cloud resources. This is all done without the need to store the traditional long-lived service account keys in a form of GitHub secrets.\nOn Google Cloud Platform (GCP) this process uses Workload Identity Federation and enable your GitHub Actions a fine-grained access scoping using attribute mappings between the OIDC token, which by default, automatically expires one hour after it was created, to impersonate a GCP service account and access resources on Google Cloud using the designated GCP permissions.\nOIDC Complexity The problem is that setting up identity federation for GitHub Actions in any of the Cloud Service Providers (CSP) requires executing number of CLI commands, each with endless number of flags to implement the required attribute mappings between the provider access permissions and GitHub repository or username.\nIn this post I&rsquo;ll outline a reproducible process of setting up Identity Federation in GCP for one of the most common use-cases in GitHub Actions, building and publishing container images.\nReproducible Setup Each execution of this process applies to a single GCP project and GitHub repository combination. To make this setup reproducible we&rsquo;re going to use Terraform. By providing different variables during execution, we\u2019ll be able to apply that same Terraform configuration to any other GitHub repo and GCP project combination.\nPrerequisites The prerequisites to executing this setup include:\nTerraform CLI GCP Project gcloud CLI Good how-to on using terraform with GCP is located here.\nOne-time Setup To acquire the reproducible Github Workflow OpenID Connect setup for GCP you can either clone the Repo using SSH:\ngit clone git@github.com:mchmarny\/oidc-for-gcp-using-terraform.git or using HTTP:\ngit clone https:\/\/github.com\/mchmarny\/oidc-for-gcp-using-terraform.git Once you&rsquo;ve cloned the setup repo, navigate inside of that cloned directory and initialize Terraform\nMake sure to authenticate to GCP using gcloud auth application-default login if you haven&rsquo;t done it already.\nterraform init Note, this flow uses the default, local terraform state. Make sure you do not check the state files into your source control (see .gitignore), or consider using a persistent state provider like GCS.\nExecuting Configuration To configure Github Workflow OpenID Connect setup for GCP apply the cloned configuration:\nterraform apply When promoted, provide the 2 required variables:\nproject_id is the GCP project ID (not the name) which you want to target from your GitHub Action. git_repo is the username\/repo combination in which you GitHub Actions will be executing What Included You can review each one of the *.tf files for content. When you confirm yes at the final prompt, the main artifacts created by this setup in the GCP project defined by the project_id variable include:\nEnablement of the required GCP APIs servicecontrol.googleapis.com containerregistry.googleapis.com iam.googleapis.com iamcredentials.googleapis.com servicemanagement.googleapis.com storage-api.googleapis.com Creation of github-actions-user service account which the GitHub Action will impersonate when publishing images into GCR, and binding that account to the two required role: roles\/storage.objectCreator roles\/storage.objectViewer Creation of the workload identity pool: github-pool, and GitHub repo-level pool provider: github-provider Finally, creation of the IAM policy bindings to the service account resources created by GitHub identify for the specific GitHub repository defined by the git_repo variable Repo Configuration The result each execution of the above defined configuration will include 3 GitHub repo configuration properties:\nPROJECT_ID which is the project ID in which you setup the workload identity federation SERVICE_ACCOUNT which is the IAM service account your GitHub Action workflows will use to push images into GCR (e.g. github-action-publisher@&lt;project_id&gt;.iam.gserviceaccount.com) IDENTITY_PROVIDER which is the workflow identity provider ID you must use lng with the above service account to connect to GCP (e.g. projects\/&lt;project_number&gt;\/locations\/global\/workloadIdentityPools\/github-pool\/providers\/github-provider) Depending on your tolerance, you may be OK using all 3 of these parameters in your GitHub Actions workflow in plain-text. In most cases, however, you will probably create GitHubsecrets in your repository to inject them into your workflow at runtime.\nGitHub Workflow Configuration With the Workload Identity Federation configured yur workflow can now establish delegated trust relationships to the narrowly scoped set of permissions in GCP. The google-github-actions\/auth includes many examples using gcloud in your workflow.\nIn this post I&rsquo;m going to focus on Go-specific configuration using ko, (a super simple and fast container image builder for Go apps) to build and publish images into GCR. The full workflow is available here. The key steps include:\nPush Job First, in order to create OIDC tokens, the GitHub Actions will need additional permissions. In addition to regular content read, the workflow will also id-token write.\njobs: push: runs-on: ubuntu-latest permissions: contents: read id-token: write steps: GCP Authentication In order to push images to GCR, the workflow will need to first authenticate to GCP. Google has an action just for that that can be configured to generate OAuth 2.0 Access Token. To do this you will need to set the token_format to access_token. Additionally, this step will use the workload identity provider and service account secrets we configured above:\n- id: auth name: Get GCP token uses: google-github-actions\/auth@v0.5.0 with: token_format: &#34;access_token&#34; workload_identity_provider: ${{ secrets.IDENTITY_PROVIDER }} service_account: ${{ secrets.SERVICE_ACCOUNT }} Install And Login Ko Ko is the fastest way of creating container images in Go without Docker. All we need to do is install it and login to GCR with the access token created by the auth step above:\n- name: Install Ko uses: imjasonh\/setup-ko@v0.4 with: version: tip - name: Login With ko run: | ko login gcr.io --username=oauth2accesstoken --password=${{ steps.auth.outputs.access_token }} Publish Image With ko logged in, now you can build and publish the image. A few things to highlight here. ko build (pka publish) will build and publish container images from the given path. The --image-refs flag will output the digest of the published image to the provided file, and the --bare allows us to define the full image URL using the KO_DOCKER_REPO environment variable.\nIn addition to this we will set the previously exported RELEASE_VERSION environment variable to both version field in the main.go file and set it as a tag on the image.\n- name: Publish Image run: | ko build .\/cmd\/ --image-refs .\/image-digest --bare --tags ${{ env.RELEASE_VERSION }},latest env: KO_DOCKER_REPO: gcr.io\/${{ secrets.PROJECT_ID }}\/restme GOFLAGS: &#34;-ldflags=-X=main.version=${{ env.RELEASE_VERSION }}&#34; Sign Image Once the image is published, we can also sign and verify the published image in GCR using cosign.\n- name: Install Cosign uses: sigstore\/cosign-installer@main with: cosign-release: v1.4.1 The benefit of combining ko and cosign is that we can use the image digest output into a local file by ko by providing its path using --force flag in the cosign sign command.\nWith the v1.4 release of cosign, you set th COSIGN_EXPERIMENTAL variable to push the data into GCR.\n- name: Sign Image run: | cosign sign --force $(cat .\/image-digest) env: COSIGN_EXPERIMENTAL: 1 Summary Hope you find this helpful. The Terraform configuration is available in my oidc-for-gcp-using-terraform repo, and you can find a fully functional example fo the image-on-git-tag GitHub Actions workflow in my restme repo.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/reproducible-github-workflow-openid-connect-for-gcp-using-terraform\/","summary":"<p>The recently introduced by GitHub support for <a href=\"https:\/\/openid.net\/connect\/\">OpenID Connect<\/a> (OIDC) tokens in <a href=\"https:\/\/github.com\/features\/actions\">GitHub Actions<\/a> allows workflows to mint new tokens and then exchange those tokens for short-lived OAuth 2.0 or JWT tokens. These tokens can be used to access and manage Cloud resources. This is all done without the need to store the traditional long-lived service account keys in a form of GitHub secrets.<\/p>","title":"Reproducible OpenID connect to GCR for GitHub Actions workflows using Terraform"},{"content":"I learn best by doing. And recently, most of the projects I&rsquo;ve been building are either REST or gRPC-base services deployed as container images into Cloud Run on GCP. That means that I increasingly find myself recreating a lot of the same infra and app deployment flows.\nOver time, the stack for these services started getting also more complex. Multi-region deployment in Cloud Run, fronted by Load Balancer with custom domain and SSL cert, throttled by Cloud Armor policies, and pushing images to GCR from GitHub action without the need to provision service account keys.\nSo, over the holidays, I&rsquo;ve decided to automate the provisioning of the entire stack in a GitHub template project so I can quickly bootstrap new services, in a more reproducible fashion, and focus on actually writing the code, not tweaking the infra.\nThe result, restme. It&rsquo;s a Terraform-based configuration to provision into your GCP project a fully functional, multi-region, REST service with a secure developer release pipeline in GitHub.\nHere is what&rsquo;s included:\nCloud Run service provisioning Configured in an n number of regions with Custom identity (service account) Sample Secret Manager-based variable Configurable capacity and autoscaling strategy Accessible only by Internal and Load Balancer traffic (no external access) HTTPS Load Balancer with external IP and Custom domain with SSL certificate Cloud Armor policies for throttling and Canary CVE Serverless NEGs config for Cloud Run service in each region Dev and Ops Configuration for Container registry (GCR) Service uptime and SSL cert expiration alerts IODC-based Workload Identity Pool short-lived credentials provider for GitHub Actions Service logging with GCS bucket sink Local test, lint, and validate actions using Makefile GitHub Actions to test each PR and container image build\/publish to GCR on git tag The template project also includes Go source code for very rudimentary REST services based on gin framework to expedite bootstrapping new app dev:\n[GET] Request info - client request, headers and environment variables [POST] Echo message - simple echo message This entire setup is available as a template with prerequisites and deployment instructions my GitHub repo. I hope you find it as helpful as I do.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/multi-region-rest-service-on-gcp\/","summary":"<p>I learn best by doing. And recently, most of the projects I&rsquo;ve been building are either REST or gRPC-base services deployed as container images into Cloud Run on GCP. That means that I increasingly find myself recreating a lot of the same infra and app deployment flows.<\/p>","title":"Multi Region REST Service on GCP using GitHub Template"},{"content":"Why not Medium My main reason for migrating off Medium was the paywall Medium introduced while back. I actually understand why they did it. The unlimited access price: $5\/month ($50\/year) is too high, but still, I get it.\nFor me though, the objective was to allow readers to easily discover and read my posts. I don&rsquo;t want my readers to experience any friction. Forcing the reader to deal with the frustrating Medium up-sell pop-ups just to read my post was just unnecessary.\nWhy Hugo on GitHub I chose Hugo because it was the simplest, most flexible, and fastest static site generator I could find. It allowed me to use the technologies I already was familiar with (e.g. Markdown). And, it can be easily deployed to any number of hosting targets (e.g. including GitHub Pages for free!).\nThe other properties of Hugo that contributed to my decision were:\nOpen source (Apache v2) with a thriving community and many free themes to choose from Written in Go with well-documented customization\/contribution process (github.com\/gohugoio\/hugo) Multilingual support (one of these days I&rsquo;ll write in Polish; one of these days&hellip;) How I Migrated content The process of migrating form Medium to Hugo was a lot more complex than I expected. It was mainly related to some idiosyncrasies of how Medium exports images and formats code samples in its HTML files. Hope my learnings captured in this post are helpful.\nMedium provides a quick way to export all of your personal content as HTML files in a single .zip file. The entire process for either desktop of mobile is documented here.\nOnce I had my content downloaded locally, I had to convert the posts into Markdown (it&rsquo;s how posts are defined in Hugo). I&rsquo;ve tried a few tools and the medium2md CLI did the best job. After the conversion, I had to manually modify the Hugo metadata generated by my HTML to Markdown conversion tool. Here is an example of the metadata for this post:\n--- title: Medium to GitHub using Hugo - Why and How I Migrated my Blog date: &#39;2022-01-03T13:51:00.022Z&#39; categories: [dev] tags: [hugo, github, blog] thumbnail: &#34;\/images\/hugo.png&#34; draft: true --- Note: medium2md requires Node. The only other migration tool I found that wasn&rsquo;t Node based was medium-to-hugo but it hasn&rsquo;t been updated for over 3 years.\nOnce I had my posts in Markdown format and all the images exported, I&rsquo;ve used the Hugo Quick Start docs to create my site. Most of the steps were easy to follow. I&rsquo;ve spent over two hours selecting the theme for my blog, but that has to do more with the amount of free themes that are available and my inability to make a decision.\nThe one thing that made the whole customization a lot easier was the live reload feature in Hugo. When started as a server in the developer mode (hugo server -D), Hugo allowed me to edit the different configuration options as well as post content and instantaneously view them in the browser without reload or refreshing of the pages. This made the whole experience a lot easier and faster.\nOnce I was satisfied with how my blog looked, I moved on to deploying the blog to GitHub. Hugo has a doc on how to publish your blog to GitHib pages which keeps everything in a single, public, repo. I&rsquo;ve opted to keep my Hugo project in a private repo called blog, and use GitHub Action to publish only the generated content to another repo (mchmarny.github.io).\nTo do this I had to edit the Hugo workflow to provide parameters for the external_repository and configuring a deploy key on the repo. The standard GITHUB_TOKEN has no permission to access to external repositories.\n- name: Deploy Blog uses: peaceiris\/actions-gh-pages@v3 if: github.ref == &#39;refs\/heads\/main&#39; with: deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }} external_repository: mchmarny\/mchmarny.github.io publish_branch: main publish_dir: .\/public commit_message: ${{ github.event.head_commit.message }} cname: blog.chmarny.com allow_empty_commit: true Notice the cname setting in the above YAML. It&rsquo;s required to setup the SSL cert for the custom domain in my blog. More on setting up custom domain in GitHub pages here.\nAs a result of this configuration:\nSite generation workflow is triggered with each commit to the blog repo I can write and edit posts on my iPad just by creating a new Markdown file (*.md) New posts in draft mode are not being discoverable in public site (draft: true in hugo prevents the public content from being generated) Static content (no DB) means more secure site (i.e. how often do you hear about Wordpress vulnerabilities) I hope you found my experience of migrating from Medium to Hugo helpful.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/medium-to-hugo-why-and-how\/","summary":"<h2 id=\"why-not-medium\">Why not Medium<\/h2>\n<p>My main reason for migrating off Medium was the <a href=\"https:\/\/help.medium.com\/hc\/en-us\/articles\/360017581433-About-the-metered-paywall\">paywall<\/a> Medium introduced while back. I actually understand why they did it. The unlimited access price: $5\/month ($50\/year) is too high, but still, I get it.<\/p>\n<p>For me though, the objective was to allow readers to easily discover and read my posts. I don&rsquo;t want my readers to experience any friction. Forcing the reader to deal with the frustrating Medium up-sell pop-ups just to read my post was just unnecessary.<\/p>","title":"Medium to GitHub using Hugo - Why and How I Migrated my Blog"},{"content":"Increasing large amount of technical news I read come from the posts shared on Hacker News or on Twitter. While both of these services have search options, neither of these seem to be advanced enough to narrow my searches at the desired level or to setup automatic delivery.\nI decided to write my own using a few of the on-line services that come with generous free-tier option:\nFirst, the runtime. I\u2019ve been impressed with the flexibility of GitHub Actions. While actions are normally written in JavaScript, with its support for pre-built Docker images, I decided to write my service in Go. To persist the state between each execution (GitHub Actions are ephemeral by nature) I\u2019ve used Firestore (part of Firebase service), which has been my goto serverless &ldquo;database&rdquo; for a while now due to its easy API, schema-less design, and generous free plan (1GB, 50K reads and 20K writes per day). Finally, to deliver the matching results, I\u2019ve chosen the e-mail sending service offered by SendGrid. Again, simple API and super easy configuration with up to 100 free emails per day. With the services selected, I wrote a simple application that builds the desired queries against the Hacker News and Twitter API, filters out results based on provided criteria, and captures the final state of each query for subsequent queries. The application builds into a Docker image using, you guest it, GitHub Actions. The entire source code and the automation around the project are located here.\nDelivery schedule You can setup your searches in a private repository, this keeps the topics to which you subscribe and your email address hidden. Start by creating an action with on schedule matching your desired delivery times. For example (15 min after noon, 5 and 11PM GMT):\non: schedule: - cron: &#34;15 12,17,23 \\* \\* \\*&#34; Next, define any number of steps in your job, each with the source type parameter and the query which you want to schedule. For example, to search for most recent not retweets in English on Kubernetes, DevOps, or CI\/CD that have links, were shared by people who themselves posted more than 200 tweets, have at least 500 followers, and have a low following (friend) to follower ratio the schedule would look something like this:\n- name: Twitter Search uses: docker:\/\/ghcr.io\/mchmarny\/gaw:v0.2.9 with: source: twitter query: kubernetes OR devops OR ci\/cd to: you@your-domain.com subject: Tweets about k8s, devops, or ci\/cd email-config: ${{ secrets.EMAIL_CONFIG }} state-config: ${{ secrets.FIRESTORE_CONFIG }} twitter-config: ${{ secrets.TWITTER_CONFIG }} lang: en # language (en == English) latest: true # most recent popular links: true # must have links followers: 500 # min number of followers retweets: false # Include retweets posts: 200 # min number of posts ratio: 0.1 # number of friends\/number of followers Notice that the API tokens and other secrets are using encrypted environment variables provided by GitHub secrets. The instructions on how to configure these are located here.\nThe full examples of schedules are available in the repo:\nHacker News search example Twitter search example Delivery dispatch In addition to scheduled queries, you can also set up on-demand searches for specific topic. In this case we combine the Twitter and Hacker News sources into a single workflow with an on action set to repo dispatch:\non: repository_dispatch: types: [search] The full example of this workflow is available here. When configured, the specific topic (e.g. golang) for which you want to search can be defined in a command line:\ncurl -H &#34;Accept: application\/vnd.github.v3+json&#34; \\ -H &#34;Authorization: token ${GITHUB_TOKEN}&#34; \\ https:\/\/api.github.com\/repos\/&lt;username&gt;\/&lt;repo&gt;\/dispatches \\ -d &#39;{ &#34;event_type&#34;: &#34;search&#34;, &#34;client_payload&#34;: { &#34;topic&#34;:&#34;golang&#34; }}&#39; To execute the dispatches using HTTP API you will need GitHub personal access token. The instructions how to create one are located here.\nEmail Notifications Whether you executed the workflow on schedule or using the HTTP dispatch, the delivered email looks something like this:\nHope you found this helpful,\n","permalink":"https:\/\/blog.chmarny.com\/posts\/custom-news-scraper-using-free-services-from-github-firebase-sengrid\/","summary":"<p>Increasing large amount of technical news I read come from the posts shared on Hacker News or on Twitter. While both of these services have <a href=\"https:\/\/help.twitter.com\/en\/using-twitter\/twitter-advanced-search\">search options<\/a>, neither of these seem to be advanced enough to narrow my searches at the desired level or to setup automatic delivery.<\/p>","title":"Custom news scraper using free services from GitHub, Firebase, and Sengrid"},{"content":"All complexity needs to be abstracted, right? This reductionist statements misses nuance around the inherent cost\/benefit tradeoffs, especially when you consider these over time.\nDon\u2019t get me wrong, there often are good reasons for additional layers to make things simpler (grow adoption, lowering toil, removing friction, etc.). Still, these layers come at the long-term cost that\u2019s often is not a part of the evaluation process.\nTake for example the complexity around Kubernetes (it seems to be an easy target nowadays).\nWhile improving the user experience in specific use-case there, you are de-facto taking on the responsibility for maintenance of that abstraction over time.\nIs that value (ease of use for your specific use-case) higher than that responsibility? If your use-case is more common, you may be thinking about open-sourcing that abstraction to offset that cost. Just ask those who created OSS projects before, that cost is usually multiple of that associated with managing your own &ldquo;custom solution&rdquo;.\nMore importantly, perhaps, you have to ask yourself if that compounded cost is lower than the cognitive load required to learn how to use the current implementation.\nIs that a one time cost that users, once learn, apply over time? Or is that just replacement of one thing the user has to learn with another? The Kubernetes landscape is full of carcasses of well-intended projects aiming to solve its complexity. Their relevance usually ends by either being outpaced by the community, or acquiring an even higher cognitive load. Another cost which perhaps is not always consider when hiding complexity is the potential for decreased portability. This can be due to the fact that the resulting implementation, lacking broad adoption, is simply not available in the target platform. Or, the decreased portability may also be related to the implementation &ldquo;leaking&rdquo; into the user space, making that application now dependent on that abstraction.\nAgain, there are many examples where abstractions of complexity delivers a lot of value. Often that value is broadly recognized, and it becomes either upstreamed to address the root complexity (e.g. kustomize in kubectl), or it becomes part fo the broader community cannon (e.g. CNCF projects) around the project.\nThe points I\u2019m trying to make here is this:\nEvaluate the broader and long-term cost\/value trade-offs of abstracting complexity Consider addressing that complexity at its root, rather than abstraction And, most importantly, don\u2019t underestimate users\u2019 ability to learn! ","permalink":"https:\/\/blog.chmarny.com\/posts\/complexity-can-be-learned-but-abstractions-come-at-long-term-cost\/","summary":"<p>All complexity needs to be abstracted, right? This reductionist statements misses nuance around the inherent cost\/benefit tradeoffs, especially when you consider these over time.<\/p>\n<p>Don\u2019t get me wrong, there often are good reasons for additional layers to make things simpler (grow adoption, lowering toil, removing friction, etc.). Still, these layers come at the long-term cost that\u2019s often is not a part of the evaluation process.<\/p>","title":"Complexity can be learned but abstractions come at a long-term cost"},{"content":"I recently joined the Office of CTO in Azure at Microsoft and wanted to ramp up on one of the open source projects the team has built there called Dapr. Dapr describes itself as:\nA portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications that run on the cloud and edge and embraces the diversity of languages and developer frameworks.\nI learn technology best by using it, so I decided to build a simple tweet sentiment processing pipeline and see how easy and portable it really is. The resulting project with source code, which you can run both locally and on Kubernetes, is available here.\nA few takeaways from my experience:\nDapr was easy to start with, thanks mainly to the very thorough documentation and its dead simple CLI. The local development experience in Dapr also felt natural. I was able to use my existing skills and get something going within 10\u201315 minutes. I did like that Dapr didn\u2019t have any &ldquo;invasive&rdquo; libraries or required SDKs. There are client libraries in most languages, but its API is well structured and has feature parity in both HTTP and gRPC. I, actually, ended up writing my own HTTP client (godapr), just to get a better &ldquo;feel&rdquo; for the API. The opt-in abstractions for state and pub\/sub enable easy portability. I used Redis for both during local development and then swapped for Azure Storage Table and Azure Service Bus when deploying to Kubernetes without any code changes. The growing list of bindings allow developers to quickly integrate backing services with minimal effort. Everything from generic ones like Kafka or MQTT to Cloud-provider specific ones like DynamoDB or S3 for AWS, Cloud Pub\/Sub and GCS for GCP, or EventGrid and EventHubs for Azure. Building these extensions is pretty easy too. I contributed the Twitter input binding, which went out in the recent Dapr v0.7 release. When building apps based on multiple microservices like my pipeline, Dapr provides a consistent service discovery and invocation mechanism, whether locally or on Kubernetes. Dapr seems to strike the right balance between helping developers with primitives, like persisting state or eventing though pub\/sub, without being too overbearing.\nI look forward to working on Dapr, contributing to the project, and yes, developing with on Dapr myself.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/how-i-learned-dapr-building-tweet-sentiment-processing-pipeline\/","summary":"<p>I recently joined the Office of CTO in Azure at Microsoft and wanted to ramp up on one of the open source projects the team has built there called Dapr. Dapr <a href=\"https:\/\/dapr.io\/\">describes itself<\/a> as:<\/p>\n<blockquote>\n<p>A portable, event-driven runtime that makes it easy for developers to build resilient, microservice stateless and stateful applications that run on the cloud and edge and embraces the diversity of languages and developer frameworks.<\/p>","title":"How I learned Dapr building tweet sentiment processing pipeline"},{"content":"We are entering a period where custom, highly-optimized, vertical solutions are becoming viable option again. This is a good news for ISVs with proven domain expertise and skilled development resources.\nWhy do I think so? We now have:\nPlethora of feature-rich developer frameworks, message queues, scalable data stores, and even lower-level components in the OSS community with great documentation and a large number of use-case validation Growing number of custom solution companies (more than just ISVs) with existing deep vertical\/domain expertise who are also increasingly now investing in hiring and training strong development teams Virtually every Cloud provider offering either a raw Kubernetes service or managed container execution platform which (regardless how you feel about these technologies) creates ubiquitous surface area that can be addressed with a single solution Yes, there still are many ways in which these custom development efforts can fail. Still, as one who has started their professional career developing custom software, I\u2019m glad to see how these kinds of efforts are becoming cost effective again and increasingly represent a viable option for differentiation and real business value delivery.\nKeep an eye on vertically-focused companies like (just to name a few) NCR or Manhattan Associates in retail, Schlumberger or OSI Soft in energy, or Siemens and Rockwell Automation in manufacturing. The renaissance of custom vertical solution is coming.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/renaissance-of-custom-vertical-solution\/","summary":"<p>We are entering a period where custom, highly-optimized, vertical solutions are becoming viable option again. This is a good news for ISVs with proven domain expertise and skilled development resources.<\/p>\n<p>Why do I think so? We now have:<\/p>\n<ol>\n<li>Plethora of feature-rich developer frameworks, message queues, scalable data stores, and even lower-level components in the OSS community with great documentation and a large number of use-case validation<\/li>\n<li>Growing number of custom solution companies (more than just ISVs) with existing deep vertical\/domain expertise who are also increasingly now investing in hiring and training strong development teams<\/li>\n<li>Virtually every Cloud provider offering either a raw Kubernetes service or managed container execution platform which (regardless how you feel about these technologies) creates ubiquitous surface area that can be addressed with a single solution<\/li>\n<\/ol>\n<p>Yes, there still are many ways in which these custom development efforts can fail. Still, as one who has started their professional career developing custom software, I\u2019m glad to see how these kinds of efforts are becoming cost effective again and increasingly represent a viable option for differentiation and real business value delivery.<\/p>","title":"Renaissance of custom vertical solution"},{"content":"When dealing with file permissions in a non-root image or building apps that include static content (like css or templates), I sometime get an error resulting from the final image content mismatch with my expectations.\nMost of the time the errors are pretty obvious, simple fix and rebuild will do. Sometimes though, you want to take a look into the image and understand what the actual layout looks like in there.\nI\u2019m sure there is a few valid ways of doing this, here are the simplest steps I found to be consistently reliable for me\nLet&rsquo;s assume I build my app (myapp) locally using this command:\ndocker build -t myapp . To start, I first need to save the image into an archive:\ndocker save -o myapp.tar myapp Now I can list the archive layers by piping the image manifest to some pretty json tool like jQuery:\ntar xf myapp.tar -O manifest.json | jq &#34;.&#34; To peek into a specific layer, I can output its content using one of the layer\u2019s ID. (Unless you are doing something creative, the content of your app will be the last item in &ldquo;Layers&rdquo;):\ntar xf myapp.tar -O 093015edb4b7f6f64a3bcb3a4646146d0476fe59b4f47924700b66b779cb7330\/layer.tar | tar tv\nDon\u2019t @ me for .DS_Store files or file permissions in the above image ;)\nHope this helps.\nPS. Massive thanks to mattomata@ for clarifying some of these things for me.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/how-to-debug-container-image-content\/","summary":"<p>When dealing with file permissions in a non-root image or building apps that include static content (like css or templates), I sometime get an error resulting from the final image content mismatch with my expectations.<\/p>\n<p>Most of the time the errors are pretty obvious, simple fix and rebuild will do. Sometimes though, you want to take a look into the image and understand what the actual layout looks like in there.<\/p>","title":"How to debug container image content"},{"content":"While the idea of a serverless platform and long running workloads does seem somewhat &ldquo;unnatural&rdquo; at first, smart people are already working on that (looking at you @Knative community). In the meantime, a simple approach is sometimes all you may need.\nIn this post I will illustrating how to use Google Compute Engine (GCE) container execution option to run variable duration jobs. This approach supports custom VMs, GPU\/TPU accelerators and VPC networks\u2026 so may be handy alternative to other compute options on GCP. I\u2019ll also demo how to auto-terminate the created VM on container completion, so you won\u2019t have to pay for idle VM time.\nFinally, in this example I\u2019ll parses small gzip file from Google Cloud Storage (GCS), but since this approach is not limited by client timeouts you can use it to do pretty much anything\u2026 transformations on bigger files, lightweight ETL, or media format encoding. You can even combine it with GCP Task Queue for more complex pipelines.\nPre-requirements If you don\u2019t have one already, create new GCP project and configuring Google Cloud SDK.\nSetup To start, clone this repo, and navigate into that directory:\ngit clone [https:\/\/github.com\/mchmarny\/long-running-job.git](https:\/\/github.com\/mchmarny\/long-running-job.git) cd long-running-job Also, to streamline the subsequent commands, we are going to export a few variables:\nexport PROJECT=$(gcloud config get-value project) export APP_NAME=&#34;my-long-job&#34; export SA_NAME=&#34;${APP_NAME}@${PROJECT}.iam.gserviceaccount.com&#34; Service Account To execute this sample you will need a GCP service account. You can do that either in UI or using gcloud SDK.\ngcloud iam service-accounts create $APP_NAME \\ --display-name &#34;Service Invoker Account for ${APP_NAME}&#34; We also will have to assign this account the necessary IAM roles:\ngcloud projects add-iam-policy-binding $PROJECT \\ --member &#34;serviceAccount:${SA_NAME}&#34; \\ --role roles\/logging.logWriter gcloud projects add-iam-policy-binding $PROJECT \\ --member &#34;serviceAccount:${SA_NAME}&#34; \\ --role roles\/cloudtrace.agent gcloud projects add-iam-policy-binding $PROJECT \\ --member &#34;serviceAccount:${SA_NAME}&#34; \\ --role roles\/monitoring.metricWriter gcloud projects add-iam-policy-binding $PROJECT \\ --member &#34;serviceAccount:${SA_NAME}&#34; \\ --role roles\/storage.objectViewer gcloud projects add-iam-policy-binding $PROJECT \\ --member &#34;serviceAccount:${SA_NAME}&#34; \\ --role roles\/pubsub.editor gcloud projects add-iam-policy-binding $PROJECT \\ --member &#34;serviceAccount:${SA_NAME}&#34; \\ --role roles\/compute.instanceAdmin Finally, to enable our demo to impersonate that account, we will need to provision a key for that account which will be saved in your home directory. You should protect that key or just delete it after this demo.\ngcloud iam service-accounts keys create \\ --iam-account $SA_NAME &#34;${HOME}\/.${APP_NAME}-sa.json&#34; Container Image The unit of workload in this example is container image. To create an image from the source code in this demo, first vendor all the go dependencies:\ngo mod tidy go mod vendor And then submit the image build request to Cloud Build:\ngcloud builds submit --tag &#34;gcr.io\/${PROJECT}\/${APP_NAME}:0.0.1&#34; If successful, you should see a confirmation with the fully qualified URI to the created image.\nDeploy Container to VM Now to start a new VM and configure it to run the above built image. This sample will use gzipped CSV file (100-Sales-Records.csv.gz) located in publicly available GCS bucket (long-running-job-src-files). If you want you can replace these with your own files.\ngcloud compute instances create-with-container $APP_NAME \\ --container-image=&#34;gcr.io\/${PROJECT}\/${APP_NAME}:0.0.1&#34; \\ --machine-type=n1-standard-1 \\ --zone=us-central1-c \\ --image-family=cos-stable \\ --image-project=cos-cloud \\ --maintenance-policy=MIGRATE \\ --scopes=cloud-platform \\ --container-privileged \\ --container-env=&#34;GOOGLE_APPLICATION_CREDENTIALS=\/tmp\/sa.pem,BUCKET=long-running-job-src-files,OBJECT=100-Sales-Records.csv.gz,TOPIC=${APP_NAME}&#34; \\ --container-mount-host-path=mount-path=\/tmp,host-path=\/tmp,mode=rw There is no way right now to upload files in the same command, so right after, you need copy the service account key created above to the new VM. The container is set to restart on failure so it will automatically use the key when it becomes available in the mounted volume attached to our VM.\ngcloud compute scp &#34;${HOME}\/.${APP_NAME}-sa.json&#34; \\ &#34;${APP_NAME}:\/tmp\/sa.pem&#34; --zone=us-central1-c Container Logs Once the VM has started you can monitor the logs output from the container to Stackdriver. To do that we need to first capture the VM instance Id:\nexport VM_INSTANCE_ID=$(gcloud compute instances describe \\ $APP_NAME --zone=us-central1-c --format=&#34;value(id)&#34;) Once we have captured the VM instance ID we can now query the Stackdriver for logs output by the container:\ngcloud logging read &#34;resource.type=gce_instance AND \\ logName=projects\/${PROJECT}\/logs\/cos_containers AND \\ resource.labels.instance_id=${VM_INSTANCE_ID} AND \\ jsonPayload.message:\\&#34;\\[LRJ\\]\\&#34;&#34; \\ --order=&#34;asc&#34; Note, this command will print only the logs that are output by the user code in the container (the logger inside prefixes all log entries with &ldquo;[LRJ]&rdquo;). You can see the complete list of log entries by removing the__jsonPayload.message:&quot;[LRJ]&quot;_ filter.\nAfter the container exists, the VM will automatically shutdown but the logs should still be still available in Stackdriver for forensic analyses.\nConclusion I hope you find this helpful addition to your GCP compute toolbox. You can find the source code along with scripts for easier execution at https:\/\/github.com\/mchmarny\/long-running-job\n","permalink":"https:\/\/blog.chmarny.com\/posts\/how-to-run-containerized-workloads-in-gce-vm\/","summary":"<p>While the idea of a serverless platform and long running workloads does seem somewhat &ldquo;unnatural&rdquo; at first, smart people are already working on that (looking at you <a href=\"http:\/\/twitter.com\/KnativeProject\">@Knative<\/a> community). In the meantime, a simple approach is sometimes all you may need.<\/p>","title":"How to run containerized workloads in GCE VM"},{"content":"A co-worker recently told me about flic.io buttons. These button caught my attention because they can include triggers for single, double, or hold click and can be easily wired up to all kinds of actions.\nI instantly thought of of a few really interesting applications. To start with though, I wanted to create a simple service that would allow me to push the custom data defined on each button over HTTP to Cloud PubSub. That in turn would then connect me to the many more actuation options through GCP APIs and services that connect to Cloud PugSub.\nI went ahead and ordered 4-pack of Flic buttons and chose Cloud Run to implement my buttons service. Here is a short demo on to:\nDeploy Cloud Run service that will persist sent data to Cloud PubSub and, how to configure Flic buttons to send data to Cloud Run service https:\/\/github.com\/mchmarny\/buttons\n","permalink":"https:\/\/blog.chmarny.com\/posts\/using-flick-buttons-with-cloud-run-on-gcp\/","summary":"<p>A co-worker recently told me about <a href=\"https:\/\/flic.io\/\">flic.io<\/a> buttons. These button caught my attention because they can include triggers for single, double, or hold click and can be easily wired up to all kinds of actions.<\/p>\n<p>I instantly thought of of a few really interesting applications. To start with though, I wanted to create a simple service that would allow me to push the custom data defined on each button over HTTP to Cloud PubSub. That in turn would then connect me to the many more actuation options through GCP APIs and services that connect to Cloud PugSub.<\/p>","title":"Using Flick buttons with Cloud Run on GCP"},{"content":"Next week, April 9\u201311, Google will be hosting this year\u2019s Cloud Next Conference in San Francisco. The conference is already sold out, but there will be a livestream from keynotes and video available shortly after the sessions.\nThis year, we have a lot of content to share, and I have the privilege of presenting in four sessions\u200a\u2014\u200aand hope to do at least six live demos.\nOn Tuesday, April 10 at 12:35 PM, Donna Malayeri and I will be overviewing the integration options developers have on GCP when building serverless solutions on Kubernetes:\nKubernetes provides a great platform for operators, but what about your developers? Dive into the details about a new GCP product powered by Knative and Kubernetes Engine that enables enterprise developers to build and deploy stateless containerized apps into a cluster without writing any YAML.\nThen on Thursday, April 11 at 9 AM, Tomas Isdal and I will give an update on Knative and the fascinating momentum this project has had since we announced it at this same event the previous year:\nKnative, which provides the technology for a serverless developer experience on Kubernetes, has seen remarkable growth and uptake since launching in 2018. Join Google to hear how we are delivering Knative-based products to customers in 2019.\nAt 11:40 AM, Ryan Gregg and I will host a session overving the consistent developer experience enabled by Google on Kubernetes:\nCome learn about the latest Google Cloud offering that brings the best of serverless to your GKE cluster and anywhere you can run Kubernetes. Learn how Knative and GCP provide a consistent developer experience for new apps across cloud, on-prem and hybrid. Where you choose to run your services should be your choice!\nAnd last, but not least, at 1:15 PM, Ville Aikas and I will overview the new Knative Eventing features and demonstrate how to leverage them in your solutions.\nTechnical deep dive into how to write an event source to connect your legacy systems with modern compute primitives in Knative.\nI\u2019m super excited for Google Cloud Next, and am looking forward to these sessions. If you are in San Francisco next week, I hope to see you there.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/my-sessions-at-google-next-2019\/","summary":"<p>Next week, April 9\u201311, Google will be hosting this year\u2019s <a href=\"https:\/\/cloud.withgoogle.com\/next\/sf\"><strong>Cloud Next Conference<\/strong><\/a> in San Francisco. The conference is already sold out, but there will be a <a href=\"https:\/\/youtu.be\/WPfyjzgBEJU%29%20youtu.be\/WPfyjzgBEJU\">livestream<\/a> from keynotes and video available shortly after the sessions.<\/p>\n<p>This year, we have a lot of content to share, and I have the privilege of presenting in <a href=\"https:\/\/cloud.withgoogle.com\/next\/sf\/speakers?speaker=2278AB79A813FD48\">four sessions<\/a>\u200a\u2014\u200aand hope to do at least six live demos.<\/p>","title":"My Sessions at Google Next 2019"},{"content":"I had a chance to speak at the Cloud Conf 2019 in Turin, Italy. The conference has double its audience from last year, had a spectacular venue, and large selection of topics. I spoke in the #serverless track on using Knative as a means to serverless where you want it and on your own terms. Stressing the importance of portability and demonstrating the key features that the Kantive community has already delivered.\nServing Knative Serving provides higher level abstraction for Kubernetes and, by extension, the underlying infrastructure, so that the developers can focus on writing code.\nIt exposes easy to reason about object model and enables seamless autoscaling based on requests. It also integrates networking and service mesh automatically so devs can gradually rollout new revisions or label some services as internal only so that they can\u2019t be access directly in a microservice based solution.\nBuild Knative Build provides configurable and flexible approach to building source code into containers.\nIt can leverage Dockerfiles or built templates in case of building directly from sources without the developers needing to worry about cross-compiling or even installing the build tools locally. And because the build happens on cluster, it support artifact caching for faster builds\nEventing Knative Universal provides a subscription, delivery, and management framework for events both on and off the cluster.\nIt allows developer to create a declarative binding between event producers and event consuming services. And, because it integrates with serving, it\u2019s scalable from just a few events to live event streams. And it\u2019s flexible, so you can build simple trigger to one service binding or custom event pipelines to connect with your existing systems.\nServerless on your own terms So, yes, there is Kubernetes, yes there are containers, and yes, there are even servers underneath it all\u2026 but you do you, developer. You write code and the Knative operators do their job well, you don\u2019t have care about none of it\u2026 until you want to.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/knative-serverless-on-your-own-terms\/","summary":"<p>I had a chance to speak at the Cloud Conf 2019 in Turin, Italy. The conference has double its audience from last year, had a spectacular venue, and large selection of topics. I spoke in the #serverless track on using Knative as a means to serverless where you want it and on your own terms. Stressing the importance of portability and demonstrating the key features that the Kantive community has already delivered.<\/p>","title":"Knative - Serverless on Your Own Terms"},{"content":" I wrote a new post on Google blog on the momentum behind the Knative project. How it the community reached another adoption milestone, doubling the number of its contributors. Also, another data point underscoring the Knative momentum is the month-over-month contributions which have increased over 45% since the 0.1 release, now representing more than a dozen of different companies.\nThis post was released to showcase Google&rsquo;s OSS contributions at KubeCon North America. Full post at https:\/\/opensource.googleblog.com\/2018\/12\/knative-momentum-continues.html\n","permalink":"https:\/\/blog.chmarny.com\/posts\/knative-momentum-continues\/","summary":"<img style=\"width:100px; height:100px;\" align=\"right\" src=\"\/images\/kubecon.png\" \/>\n<p>I wrote a <a href=\"https:\/\/opensource.googleblog.com\/2018\/12\/knative-momentum-continues.html\">new post<\/a> on Google blog on the momentum behind the <a href=\"https:\/\/github.com\/knative\">Knative<\/a> project. How it the community reached another adoption milestone, doubling the number of its contributors. Also, another data point underscoring the Knative momentum is the month-over-month contributions which have increased over 45% since the 0.1 release, now representing more than a dozen of different companies.<\/p>","title":"Knative momentum continues\u2026"},{"content":"I had an opportunity to keynote at this year\u2019s SpringOne conference in DC on Serverless, Kubernetes, and more specifically Knative.\nI also covered the great work our open source team at Google been doing, making Spring 1st class citizen on Google Cloud Platform. On a personal level, it was good to reconnect with some old friends from Pivotal, and, community at large.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/my-keynote-at-springone\/","summary":"<p>I had an opportunity to keynote at this year\u2019s <a href=\"https:\/\/springoneplatform.io\/2018\/speakers\/mark-chmarny\">SpringOne<\/a> conference in DC on Serverless, <a href=\"https:\/\/kubernetes.io\/\">Kubernetes<\/a>, and more specifically <a href=\"https:\/\/cloud.google.com\/knative\/\">Knative<\/a>.<\/p>\n<iframe width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/EKmp9xbKiso\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<p>I also covered the great work our open source team at Google been doing, making Spring 1st class citizen on <a href=\"https:\/\/cloud.google.com\/\">Google Cloud Platform<\/a>. On a personal level, it was good to reconnect with some old friends from <a href=\"https:\/\/pivotal.io\/\">Pivotal<\/a>, and, community at large.<\/p>","title":"My Keynote at SpringOne"},{"content":"Ville and I did a session at Google Cloud Next 2018 in San Francisco.\nI also published the slides as well as the repo containing all the demos I used in this session in my repo here.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/one-platform-for-your-functions-apps-and-containers\/","summary":"<p>Ville and I did a session at Google Cloud Next 2018 in San Francisco.<\/p>\n<iframe width=\"560\" height=\"315\" src=\"https:\/\/www.youtube.com\/embed\/F4_2gxTtLaQ\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<p>I also published the slides as well as the repo containing all the demos I used in this session in my repo <a href=\"https:\/\/github.com\/mchmarny\/next18\">here<\/a>.<\/p>","title":"One Platform for Your Functions, Applications, and Containers"},{"content":"By now, Kubernetes should be the default target for your deployments. Yes, there are still use-cases where Kubernetes is not the optimal choice, but these represent an increasingly smaller number of modern workloads.\nThe main value of Kubernetes is that it greatly abstracts much of the infrastructure management pain. The broad support amongst virtually all major Cloud Service Providers (CSP) also means that your workloads are portable. Combined with the already vibrant ecosystem of Kubernetes-related tools, means that the experience of the operator, the person responsible for managing Kubernetes, is now pretty smooth.\nBut what about the experience of the developer, the person who builds solutions on top of Kubernetes?\nDespite what some might tell you, Kubernetes is not yet today\u2019s application server. For starters, the act of developing, deploying and managing services on Kubernetes is still too complicated. Yes, there are many open source projects for logging, monitoring, integration, etc., but, even if you put these together just right, the experience of developing on Kubernetes is still fragile and way too labour-intensive.\nAs if that wasn\u2019t enough, the growing popularity of functions as the atomic unit of code development further contributes to the overall complexity. Often creating different development patterns on two disconnected surface areas:one for functions (FaaS) and one for applications (PaaS).\nAs the result, developers today are being forced to worry about infrastructure-related concerns: such as, image building, registry publishing, deployment services, load balancing, logging, monitoring, and scaling. However, what all they really want to do is write code.\nIntroducing Knative At Google Cloud Next in San Francisco this week, Google announced an early preview of the GKE serverless add-on (g.co\/serverlessaddon). Google also open-sourced Knative (kay-nay-tiv), the project that powers the serverless add-on github.com\/knative.\nKnative implements many of the learnings from Google. The open source project already has contributions from companies like Pivotal, IBM, Red Hat and SAP and collaboration with open-source Function-as-a-Service framework communities like OpenWhisk, riff, and Kyma who either replatform on to Knative or consume one or more components from the Knative project.\nKnative helps developers build, deploy, and manage modern serverless workloads on Kubernetes.\nIt provides a set of building blocks that enable modern, source-centric and container-based development workloads on Kubernetes:\nBuild\u200a\u2014\u200aSource-to-container build orchestration Eventing\u200a\u2014\u200aManagement and delivery of events Serving\u200a\u2014\u200aRequest-driven compute that can scale to zero Knative documentation provides instructions on how to install it on hosted Kubernetes offering like Google Cloud Platform or IBM, and on-prem Kubernetes installations, like the one offered by Pivotal. Finally, Knative repository also includes samples and how-to instructions to get you started developing on Kubernetes.\nKnative Overview Knative is based on the premise of clear separation of concerns. It allows developers and operators to reason about the workload development, deployment, and management by defining primitive objects in a form of Custom Resource Definitions (CRDs) which extend on the object model found in Kubernetes.\nConfiguration \u2014 is the desired state for your service, both code and configuration Revision \u2014 represents an immutable point-in-time snapshot of your code and configuration Route \u2014 assigns traffic to a revision or revisions of your service Service \u2014 is the combined lite version of all the above objects to enable simple use cases In addition to these objects, Knative also defines principle objects for eventing\u2026 you know, because serverless. Knative decouples event producers and consumers and implements CNCF CloudEvents (v0.1) to streamline event processing.\nEvent Sources \u2014 represents the producer of events (e.g. GitHub) Event Types \u2014 describes the types of events supported by the different event sources (e.g. Webhook for the above mentioned GitHub source) Event Consumers \u2014 represents the target of your action (i.e. any route defined by Knative) Event Feeds \u2014 is the binding or configuration connecting the event types to actions The functional implementation of the Knative object model means that Knative is both easy to start with, but capable enough to address more advanced use cases as the complexity of your solutions increases.\nSummary I hope this introduction gave you an understanding of the value of Knative. And how the Knative objects streamline development on Kubernetes, regardless if you work on applications or functions.\nOver the next few weeks I will be covering each one of the key Knative usage patterns (image push, blue\/green deployment model, source to URL, etc). In each post, I will also provide a sample code to illustrate that pattern and allow you to reproduce them on Knative. I\u2019m super excited to share Knative with you, and I hope you come back to find out more.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/build-modern-serverless-workloads-using-knative-on-kubernetes\/","summary":"<p>By now, <a href=\"https:\/\/kubernetes.io\/\">Kubernetes<\/a> should be the default target for your deployments. Yes, there are still use-cases where Kubernetes is not the optimal choice, but these represent an increasingly smaller number of modern workloads.<\/p>\n<p>The main value of Kubernetes is that it greatly abstracts much of the infrastructure management pain. The broad support amongst virtually all major Cloud Service Providers (CSP) also means that your workloads are portable. Combined with the already vibrant ecosystem of Kubernetes-related tools, means that the experience of the operator, the person responsible for managing Kubernetes, is now pretty smooth.<\/p>","title":"Build and manage modern serverless workloads using Knative on Kubernetes"},{"content":"Google Stackdriver has thousands of build-in metrics to monitor everything from Kubernetes cluster to database or storage. Stackdriver is also not just limited to Google Cloud Platform (GCP), it supports a number of AWS-native services and extensive log monitoring capabilities for a wide array of open source software packages, whether they run in the Cloud or in on premises.\nCustom Metrics When developing a solution though, in addition to monitoring the infrastructure and software, you may also want to monitor internal application events, like throughput of specific types of events, multi-step transaction duration or a total end-to-end pipeline performance.\nTo enable this kind of granular and custom monitoring, Stackdriver supports custom metrics. While it\u2019s possible to write those metrics directly against Stackdriver metricDescriptors API, it\u2019s much easier to use the native Client libraryy support provided by Stackdriver in many development languages (C#, GO, Java, Node.js, PHP, Python, Ruby).\nProducer For illustration purposes, let\u2019s assume you want to track special type of messages in your solution.\ndataPoint := &amp;monitoringpb.Point{ Interval: &amp;monitoringpb.TimeInterval{ EndTime: &amp;googlepb.Timestamp{ Seconds: time.Now().Unix() },\t},\tValue: &amp;monitoringpb.TypedValue{ Value: &amp;monitoringpb.TypedValue_Int64Value{ Int64Value: m }, }, } The Stackdriver libraries strongly type the metric (in this case Int64). Also, while normally you will include the timestamp of the time when the event was collected, for simplicity this example we will generate it at sending time.\nYour solution is distributed so in addition to the data point, we will also want to send the event source for each one of the events to allow us to attribute each event source individually.\ntsRequest := &amp;monitoringpb.CreateTimeSeriesRequest{ Name: monitoring.MetricProjectPath(projectID),\tTimeSeries: []*monitoringpb.TimeSeries{ { Metric: &amp;metricpb.Metric{ Type: customMetricType, Labels: map[string]string{ &#34;instance_id&#34;: sourceID }, },\tResource: &amp;monitoredrespb.MonitoredResource{ Type: &#34;global&#34;, Labels: map[string]string{ &#34;project_id&#34;: projectID}, }, Points: []*monitoringpb.Point{dataPoint}, }, }, } Once the payload is prepared, the producer can send it to StackDriver API using a simple command\nif err := monitorClient.CreateTimeSeries(appContext, tsRequest); err != nil { log.Printf(&#34;Failed to write time series data: %v&#34;, err), } The complete sample of code for the producer along with Dockerfile to build and publish into your Kubernetes cluster is available in this GitHub repository.\nMonitoring (Dashboard) The quickest way to inspect your newly submitted metrics is the StackDriver dashboard. Simply add new chart using the &ldquo;Custom Metrics&rdquo; resource type.\nOnce saved this custom metrics appear as a chart. If you have not chosen to aggregate the metric data, each source will be represented individually.\nIncident Management Besides generating nice charts, the StackDriver data is also actionable. You can create notification policy with number of common incident management target options (e.g. PagerDuty, SMS, or Slack) as well as any publically accessible Webhook.\nSimply define a conditions that identify an unhealthy state for a resource or a group of resources, (in our case the custom metric), and create\/define notification target which will be notified to let you know when the resource is unhealthy.\nThe one notification target I &ldquo;enjoy&rdquo; the most is the Cloud Console Mobile App which is available for both Android and iOS. Using the mobile app you can monitor your GCP Console resources and Stackdriver information.\nYou can find the source code and how to for this post on GitHub.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/how-to-use-stackdriver-to-monitor-custom-application-metrics\/","summary":"<p>Google <a href=\"https:\/\/cloud.google.com\/stackdriver\/\">Stackdriver<\/a> has thousands of build-in metrics to monitor everything from Kubernetes cluster to database or storage. Stackdriver is also not just limited to Google Cloud Platform (GCP), it supports a number of AWS-native services and extensive log monitoring capabilities for a wide array of open source software packages, whether they run in the Cloud or in on premises.<\/p>","title":"How to use Stackdriver to monitor custom application metrics"},{"content":"I wanted to use the now generally available Cloud Spanner database to write an app that would track stock prices and social media sentiment to identify potential correlation.\nTo test even the validity of this approach I put together a Go app that subscribes to Twitter stream for all companies defined in the Stocks table and scores each event against the Google NLP API while comparing the user sentiment against the stock ask price against Yahoo API.\nThe app uses event author\u2019s (tweet in case of Twitter) follower and post counts to define the weights of influence and &ldquo;credits&rdquo; them for positive influence when stock price moves up or negative stock when the stock moves down within an hour of their post.\nOverall great experience, a couple of things I had to work around that may be helpful to others.\nDDL Loading well-formed DDL into spanner instance through the gcloud CLI was little of a challenge. Looks like you have to send one continuous string for each DLL command. I wanted to maintain the DB schema in a human readable format and minimize the amount of &ldquo;stitching&rdquo; I would have to do to recreate the environment so I put together this script. It parses through the DDL above and executes schema create scripts in the way that gcloud CLI likes.\nReports Ideally my app would come with some UI but in the mean time I needed to run some queries to understand the different correlations. The JDBC Drivers for Cloud Spanner works great from Java but it took me a while to find a DB Explorer\/Query type of tool that would be able to load the driver and connect using GCloud credential file.\nIt didn\u2019t take me too long to find DBeaver. it loaded the 4.2 JDBC compatible version of Spanner driver and connect to my Spanner instance\u2026 including schema discovery!. Make sure you have the GOOGLE_APPLICATION_CREDENTIALS environment variable defined with path to your service account credential file.\nThe app code along with the docker\/GKE deployment scripts are available in GitHub repo.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/using-google-cloud-spanner-to-measure-social-media-influence-over-stock-market\/","summary":"<p>I wanted to use the <a href=\"https:\/\/cloudplatform.googleblog.com\/2017\/05\/Cloud-Spanner-is-now-production-ready-let-the-migrations-begin.html\">now generally available Cloud Spanner<\/a> database to write an app that would track stock prices and social media sentiment to identify potential correlation.<\/p>\n<p><img loading=\"lazy\" src=\"\/images\/1__xGWhGM____d__LluxeXMRBpmg.png\"><\/p>\n<p>To test even the validity of this approach I put together a Go app that subscribes to Twitter stream for all companies defined in the <code>Stocks<\/code> table and scores each event against the <a href=\"https:\/\/cloud.google.com\/natural-language\/\">Google NLP API<\/a> while comparing the user sentiment against the stock ask price against Yahoo API.<\/p>","title":"Using Google Cloud Spanner to measure social media influence over stock market"},{"content":"As part of my ramp up on Google APIs I wanted to create a project that would allow me some practical exercise in a context of a real application.\nTFeel (short for Twitter Feeling) is a simple sentiment analyses over tweeter data for specific Twitter search terms using Google Cloud services:\nGoogle Container Engine Google NLP API Google Dataflow Google Pub\/Sub All GCP services used in this example can be run under the GCP Free Tier plan. More more information see https:\/\/cloud.google.com\/free\/\nThe Go code, docs, and setup scripts are located in my GitHub repo.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/twitter-sentiment-analysis-in-go-using-google-nlp\/","summary":"<p>As part of my ramp up on Google APIs I wanted to create a <a href=\"https:\/\/github.com\/mchmarny\/tfeel\">project<\/a> that would allow me some practical exercise in a context of a real application.<\/p>\n<p><img loading=\"lazy\" src=\"\/images\/1__MV8vPEMdz5obDiBmZDECIg.png\"><\/p>\n<p>TFeel (short for Twitter Feeling) is a simple sentiment analyses over tweeter data for specific Twitter search terms using Google Cloud services:<\/p>","title":"Twitter Sentiment Analysis in Go using Google NLP API"},{"content":"I had the opportunity to attend Google Next this year. Week after this event I joined Google. Here are some quick notes in no particular order:\nRegistration was a pain, long lines. My first tech conference where I had to go through a metal detector. Impressive reminder of the core tech underlining Google Cloud (i.e. Borg) and Google\u2019s experience in operating at scale. Serious commitment to ML and Data Science: invest in talent\/community (Kaggle), vision\/leadership (Fei-Fei Li keynote), powerful APIs (i.e. Label\/Face Detection, OCR, Explicit Content etc.) Feels like the ease of use for Google is more important than time time market (see the above DS APIs but also Spanner UX). Clear understanding of data economy\u2019s potential value (goes with the scale comment but the experience was apparent in many sessions\/keynotes) Open\/partner market makes stronger platform (Sam Ramji\u2019s keynote drilled on this best), early hints of this were probably the main reason why I wanted to join Google Cloud team. Size\/quality of the network (both, cables &amp; tech), globally distributed data systems (specifically latency) are perhaps the best example of the user value here. ","permalink":"https:\/\/blog.chmarny.com\/posts\/notes-from-google-next-2017\/","summary":"<p>I had the opportunity to attend Google Next this year. Week after this event I joined Google. Here are some quick notes in no particular order:<\/p>\n<ul>\n<li>Registration was a pain, long lines. My first tech conference where I had to go through a metal detector.<\/li>\n<li>Impressive reminder of the core tech underlining Google Cloud (i.e. <a href=\"https:\/\/static.googleusercontent.com\/media\/research.google.com\/en\/\/pubs\/archive\/43438.pdf\">Borg<\/a>) and Google\u2019s experience in operating at scale.<\/li>\n<li>Serious commitment to ML and Data Science: invest in talent\/community (<a href=\"https:\/\/www.kaggle.com\/\">Kaggle<\/a>), vision\/leadership (<a href=\"https:\/\/www.youtube.com\/watch?v=Rgqgdddl018\">Fei-Fei Li keynote<\/a>), powerful <a href=\"https:\/\/cloud.google.com\/products\/machine-learning\/\">APIs<\/a> (i.e. Label\/Face Detection, OCR, Explicit Content etc.)<\/li>\n<li>Feels like the ease of use for Google is more important than time time market (see the above DS APIs but also Spanner UX).<\/li>\n<li>Clear understanding of data economy\u2019s potential value (goes with the scale comment but the experience was apparent in many sessions\/keynotes)<\/li>\n<li>Open\/partner market makes stronger platform (<a href=\"https:\/\/www.youtube.com\/watch?v=h9FSqVbdHis&amp;index=7&amp;list=PLIivdWyY5sqI8RuUibiH8sMb1ExIw0lAR\">Sam Ramji\u2019s keynote<\/a> drilled on this best), early hints of this were probably the main reason why I wanted to join Google Cloud team.<\/li>\n<li>Size\/quality of the network (both, cables &amp; tech), globally distributed data systems (specifically latency) are perhaps the best example of the user value here.<\/li>\n<\/ul>","title":"Few quick notes from Google Next 2017"},{"content":"Data is growing at an exponential pace. Based on recent numbers from IDC, the total amount of data in 2015 (4.4ZB) will grow to 44ZB in 2020. Franky, how much is in Zettabyte is almost inconsequential. It is the fact that all of the data generated since the beginning of time (at least the electronic part), will grow 10x in just the next four years that\u2019s shocking!\nSince data is the new: &ldquo;oil&rdquo;, &ldquo;gold&rdquo; or even &ldquo;bacon&rdquo; it is natural to think we should value it as a yet another commodity: $0.20\/GB. That perspective, I would argue, will lead us to miss even larger opportunity.\nDevice, role of the machine The interesting part of these predictions is the fact that the majority of new data (90%) will be machine-generated; driven by the explosion of newly connected devices.\nBy all accounts we currently use less than a quarter of our data (22%) for anything meaningful! Perhaps the most surprising part of the IDC report is that while the data volume will grow 10x by 2020, our ability to derive insight from the newly generated data will increase only slightly (35%).\nNew device, new Data Perhaps one of the reasons why our ability to extract value will not increase anywhere near the predicted growth of the volume is that much of the new data is fundamentally different from what you would find in a traditional warehouse or even a NoSQL application DB.\nIn a tractional systems we had star schemas with facts, each referencing number of dimensions. In NoSQL stores we went with duplicating data into each document. But, in both of these cases the data was managed with its context. Consider this example of an IOT sensor observation:\nTo a large degree, the machine generated data &ldquo;observed&rdquo; on the edge has no context. We have the time and a source of the observation (when) and reference codes for this observation\u2019s place (where), as well as its subject (the what). In some cases there may even have additional attributes. To large degree, though, this is the only context we have at the point of collection.\nTo put it in practical terms, the light sensor on the corner of my street doesn\u2019t know anything about the surrounding lights nor does it know its own location, only the codes which were embedded during the deployment. Yes, it has an ID which it sends with each observation. That ID does allow those who consume that data to derive some context about that observation by reconciling it to a larger project and referenced location. Still, by itself, the value of that individual event is nominal.\nNew device data value chain That got me to think. If the volume of data will grow 10x over the next five years we ought to really figure out how to derive more of its value.\nInspired by thoughts on the subject from the likes of Dave McCrory and the SVDS team, I asked myself a question: what impacts the value of data and what is its value chain?\nThe first and more obvious part of the answer is that the value of a data series increases the longer it is observed. The second part, that\u2019s perhaps less obvious, is that in many cases, the raw data will have nominal value until it is augmented with context. That made me realize that a single raw data set, in different context, can drive multiple insights; even more than just one value chain.\nTLTR; To a large degree, new device data has no value until it is integrated, and will not truly have its full potential realized until it is delivered as a service that answers specific business questions.\nYes, these ZBs of device data will lead to new revenue streams, but, that opportunity will not be measured in $\/GB. The ones who stand to gain most from this opportunity are those who can answer questions faster and more accurately. More accurate models and faster services will improve performance and reduce operation costs. ZBs of raw data, not so much.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/service-not-volume-data-explosion-and-how-to-amplify-its-value\/","summary":"<p>Data is growing at an <a href=\"https:\/\/web-assets.domo.com\/blog\/wp-content\/uploads\/2015\/08\/15_domo_data-never-sleeps-3_final1.png\">exponential pace<\/a>. Based on recent numbers from <a href=\"http:\/\/www.computerweekly.com\/news\/2240217788\/Data-set-to-grow-10-fold-by-2020-as-internet-of-things-takes-off\">IDC<\/a>, the total amount of data in 2015 (4.4ZB) will grow to 44ZB in 2020. Franky, how much is in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Zettabyte&amp;t=YmJkMzIzNDU5ZWI0ZGQzNWQ3ZTRkNGZlZmJkY2RiZmE4OTk2ZGM2YixtZ05JVTNVbA%3D%3D\">Zettabyte<\/a> is almost inconsequential. It is the fact that all of the data generated since the beginning of time (at least the electronic part), will grow 10x in just the next four years that\u2019s shocking!<\/p>","title":"Service, not Volume - data explosion and how to amplify its value"},{"content":" The presentation that goes along with this post is available here\nIn my last post I went over the value cycle of machine generated data. In this post, I want to follow up with a few ideas on how to further amplify value of that data by expanding its context beyond the walls of owning organization, in a construct we came to know as Data Exchange, and list a few innovation opportunities in each one of these areas.\nBefore we start though, it is worth mentioning that there are many reasons why exchanging data with external partners is not always possible (privacy, intellectual property, legal constraints around ownership etc.). In my experience, however, these challenges represent but a small subset of the overall data market and even in most stringent environments can be overcome through anonymization, de-identification or distributed access patterns where the data in question never actually leaves the walls of the owning organization.\nLower OPEX Let\u2019s start with the basics: minimizing the cost associated with sharing data. Nobody is going to share data if the cost of its exchange is higher than its perceived market value. I\u2019m stressing the &ldquo;perceived&rdquo; here as in some cases the monetary value of data may be small, but its value to the society at large may outway any costs associated with its sharing (i.e. health or environmental search). As with many service economies, the largest part of cost data exchanges is often the human labour. That\u2019s why to assure these data exchanges are sustainable, they must be built from ground-up with a fanatical focus on automation.\nOpportunities:\nReusable data source connectors Appliance gateways with robust APIs for scheduling, validation, alerts Verifiable and trusted audit capabilities Add Context Raw data alone, especially when machine generated, is often not of high value. In most cases, however, you can easily and significantly improve its value by creating new views by relating connected data sets. This approach allows for same data sets to be used in multiple views to expose otherwise not obvious insights. By adding context, data exchanges have also the opportunity to become a birthplace of organic sets. Subsequently that new organic set itself becomes a component of a new view which further amplifies the value\u2026and so on.\nOpportunities:\nGeneric link-mining utilities building associative structures Distributed data curation services with lineage preserving capabilities Dynamic record &ldquo;decoration&rdquo; for on-read data stream Deliver Diverse\u00a0APIs In most cases, exchanging raw data is not a very helpful or sustainable model. Instead, create an abstraction layer for domain specific services. This kind of highly-optimized service will significantly amplify value of the raw data and increase the monetization opportunities associated with that set. For example, instead use a simple per GB charge model, this approach would allow more granular query access plans with protocol-specific charge plans (i.e. REST vs. DDS-based API). This also allows for more granular data queries based on the input parameters, which would certainly increase the stickability of such service.\nOpportunities:\nAPI management, bindings Federated and granular ACLs Deep metering, telemetry capabilities Create Data\u00a0Bazar Data exchanges, whether simple bit-shipping platforms like Data.gov or more granular data delivery services like Nielsen, suffer form the the same problem: their relevance decreases after the initial use. To avoid this, exchanges should aim to create a data bazar. By that, I mean a set of services beyond simple data delivery. Instead, a bi-directional exchange with value consumption at multiple levels: not only data providers and consumer but also data scientists, curators and domain-specific analysts.\nOpportunities:\nModel and service gamification On-demand data scientists, and domain analysts In-platform competitions and hackathons As the data market continues to mature and our ability to derive value from machine generated data increases, more exchanges will be created. The part that excites me though, is that with the growing number of infinite data streams data exchanges will have to enable distributed data queries (avoid duplication) and support adaptive model training use-cases (dynamic rules)\u2026but that\u2019s a subject for another post.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/data-exchange-how-to-amplify-value-of-machine-data\/","summary":"<blockquote>\n<p>The presentation that goes along with this post is available <a href=\"http:\/\/www.slideshare.net\/MarkChmarny\/machine-data-how-to-realize-and-amplify-its-value\">here<\/a><\/p>\n<\/blockquote>\n<p>In <a href=\"http:\/\/mark.chmarny.com\/post\/139001618764\/service-not-volume-data-explosion-and-how-to\">my last post<\/a> I went over the value <a href=\"http:\/\/mark.chmarny.com\/post\/139001618764\/service-not-volume-data-explosion-and-how-to\">cycle of machine generated data<\/a>. In this post, I want to follow up with a few ideas on how to further amplify value of that data by expanding its context beyond the walls of owning organization, in a construct we came to know as Data Exchange, and list a few innovation opportunities in each one of these areas.<\/p>","title":"Data Exchange \u2014 How to Amplify Value of Machine Data"},{"content":"This is one of those posts you write on your phone while getting sprayed for 11+ hours with bathroom chemicals in minimally reclining seat in a second to last row of a transatlantic flight. Still, I\u2019m going to try to be as constructive as my thumbs allow.\nLet me back up\u2026 when booking ticket for my business trip to Poland recently, I realized that part of the flight was operated by Lufthansa; flagship Star Alliance member. I wasn\u2019t able to select seats on couple of their flights during initial booking but I figured, no big deal, it\u2019s 2016, I will go to Lufthansa site and select them there. This is where the fun started.\nI figured, ok, maybe this is a low end ticket or something, let me try to pay for an upgrade.\nBut, despite this being actually &ldquo;U&rdquo; class ticket and me having Star Alliance Gold Status (United 1K) I got one of the worst seats on the flight: 93G.\nWhen I called the airline directly I was told that &ldquo;Lufthansa does not recognize United status&rdquo; and those seats are &ldquo;locked&rdquo; anyway so they can\u2019t do anything for me. The shift supervisor however, after some lengthy wait, did tell me she was able to assign me a seat closer forward (63G). And, since the seats will be &ldquo;unlocked&rdquo; 24 hours before flight anyway I should just come back then and pick any available seat I want.\nAs you suspect by now, when I checked-in at PDX, the seat was still 93G. I quickly dialed Lufthansa support desk only to be told, again, that:\n&ldquo;Lufthansa does not recognized United status&rdquo; \u2014 Lufthansa Agent\nI asked to talk to supervisor because surely there must be some kind of notes in my travel record. Just for that assumption I was given a lovely dose of the ear-pleasing tunes for 20+ min only to be finally disconnected without any notice.\nUpon arrival in SFO I inquired again with the gate agent. He told me to come back at 14:30, an hour before the flight, when the manager is there. As you can imagine, when I came back the manager told me all the seats are already booked. He was gracious enough to move me however to a mcuh &ldquo;better seat&rdquo; upstairs. I\u2019m thinking at this point, upstairs on A380\u2013800, sure, anything will be better than 93G. He even ushered me quickly through the boarding procedures.\nWhen I boarded I realized this was the exact same seat I had before&hellip; just upstairs. Still just as minimally reclining and just as close to the bathroom.\nI expected more from world\u2019s largest global airline alliance. That whole experience made me question the value of Star Alliance. What are the actual benefits? Yes, those 11+ hours of chemical spray I suppose did get me more United miles. I also know you can check bags all the way to your destination\u2026 not much of a value to me on my business travels, but sure, let\u2019s go with that. Is that it? Shouldn\u2019t we expect more?\nEven with my 1K status on United I got less love from Lufthansa than I would if I actually bought my ticket directly. I expected much better from flagship Star Alliance member.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/how-lufthansa-has-made-me-question-the-value-of-star-alliance\/","summary":"<p>This is one of those posts you write on your phone while getting sprayed for 11+ hours with bathroom chemicals in minimally reclining seat in a second to last row of a transatlantic flight. Still, I\u2019m going to try to be as constructive as my thumbs allow.<\/p>","title":"How Lufthansa has made me question the value of Star Alliance"},{"content":"Over the holidays, as many of us do, I embarked on a little extra-curriculum development effort I called thingz.io. I was driven by the pattern I\u2019d observed in Data Center (DC) monitoring products; although that pattern also exists in many of today\u2019s Internet of Things (IoT) solutions.\nI refer to this pattern as Forensic Understanding. In simplest terms it implies that in order to understand (derive any value) out of monitoring data we must first persist that data; load it into a priory-defined model, probably in some kind of database. This approach is often driven by the use of traditional BI tools to &ldquo;understand&rdquo; these metric in a context of an entire volume.\nThere are two fundamental weaknesses in this approach though:\nIt requires design-time model definition (understanding of the questions one will be asking) and designing the underlining persistence to optimize for that usage model and, it often requires interactive analysis. As the number of &ldquo;things&rdquo; we monitor grows the volume of data that needs to be analyzed increases Addressing these weaknesses requires a fundamental shift from reports and forensic queries to more adaptive models and dynamic rules.\nAs a result of the after-the-fact nature of this approach, the value of the analyzed data is often realized too late to make any significant impact.\nThingz Understood To experiment with an idea I created a couple of GitHub projects: thingz-agent where thingz are measured and thingz-server where thingz are understood.\nthingz-agent Generates streams of system metrics from variety of devices (cpu, memory, swap, load, processes, etc.) based on configurable strategies: report CPU every second but system load every 10 and so forth. To accommodate different deployment scales, thingz-agent also supports multiple publishers:\nkafka \u2014 queues messages in Kafka influxdb \u2014 publishes to REST or UDP endpoint stdout \u2014 output to console thingz-server Processes the inbound streams and builds dynamic models which identifies portent data (signal) and filter it from the noise. The thingz-server can actually close the loop and provide this guidance to the agents to pre-filter that data right at the edge.\nYes, the thingz-server also supports forensic queries. And, because it is generic in nature, it doesn\u2019t require priory model definition which in turn enables data discovery with fair amount of analytical capabilities while supporting down-sampling to any arbitrary level (e.g. deviation, mean and percentile for all records from specific sources over last hour down-sampled to one minute).\nActuation Guidance To support schedulers and other type of actuators, the thingz-server also exposes a flexible REST API designed to identify availability across all monitored resources. Here is an example of a query for least utilized resources based on standard deviation in memory over last 10 min.\n[GET] \u2014 \/api\/v1.0\/util\/mem\/used\/10 All in all this was an interesting exercise in understanding the challenges related to dynamic models\u2026 even if it got me the occasional look from my wife for &ldquo;working&rdquo; over holidays;)\n","permalink":"https:\/\/blog.chmarny.com\/posts\/vision-of-smarter-thingz-project-in-adaptive-metric-flow-modeling\/","summary":"<p>Over the holidays, as many of us do, I embarked on a little extra-curriculum development effort I called <a href=\"http:\/\/thingz.io\">thingz.io<\/a>. I was driven by the pattern I\u2019d observed in Data Center (DC) monitoring products; although that pattern also exists in many of today\u2019s Internet of Things (IoT) solutions.<\/p>","title":"Vision of smarter thingz - project in adaptive metric flow modeling"},{"content":"As part of my recent solution review, I wanted to compare a few performance metrics specific to multi-node data service deployment on different clouds. This post is about my experience with Google Compute Engine (GCE) as part of that evaluation.\nAPI &amp; Tools When targeting developers, API and surrounding tooling is an absolute must. The ability to easily manage and automate cloud resources is something that developers demand. Their usage patterns require efficiency, which at that level, comes mainly from automation.\nHere are three specific areas that set GCE apart from others. Remember, it is not that other providers do not have these (which in many cases they do not) but rather about how clean, explicit and simple GCE implementation is in these areas.\nREST Interface One of the benefits of REST as a cloud management interface is its consistent approach to provisioning and management of resources. To manage GCE, clients send authenticated requests to perform a particular action: provision network, create instances, associate disks, etc.\nOne of the nice GCE touches in assisting programmatic implementation is that the GUI interface to Cloud Console exposes REST and command line equivalent for each operation. This allows developers to simply copy the defined operation and use it in their automation tools to remove guesswork from the initial message format creation.\nCommand-line tool gcutil is a command-line tool designed to help with management of GCE resources. Written in Python, gcutil runs natively on any UNIX-based OS or under Cygwin on Windows. The important thing to realize here is that while gcutil is a command-line tool; it still uses the same REST interface to message its commands to GCE.\nOne of the things that I often long for in cloud management APIs is support for multiple personas. With gcutil it is as simple as providing an existent credential file (--credentials_file). This way separating accounts is just a runtime flag away.\nWhat makes gcutil really user-friendly for developers however is its ability to set default values for common operations. By caching values of common commands (--cache_flag_values), gcutil can reuse arguments like --zone or --machine_type across multiple commands.\nPerhaps the part that makes gcutil most unique though is its ability to perform each command in either synchronous or asynchronous mode. By default, gcutil waits for each command to complete before moving returning control. In asynchronous mode, however, gcutil returns request id immediately after posting the request. This was a massive feature for me when testing number of cluster node discovery strategies.\nThese features combined with the ability to customize result format per each command: JSON, CSV, Table as well as the ability to return only the name of the newly created resources which allows for piping results from one command as on input to another, make gcutil one of the best though-through IaaS clients I\u2019d ever seen.\nSpeed &amp; Flexibility In my short experience, I found instances and disk (yes, not &ldquo;volumes&rdquo;) provisioning as well as general instance startup on GCE to be fast. My specific interest was the time that it took to spin, configuring and terminating entire clusters of data nodes. In that specific use-case, CGE was faster than EC2, Azure or Rackspace.\nThe project metaphor, while somewhat awkward for me initially, quickly became for me a clear separation for distinct areas of work. Additionally, its integration with the advanced routing features allowed me to easily create gateway servers (aka VPN) to span clusters across local and GCE network.\nFor me personally, perhaps the biggest feature was the metadata support. In addition to the basic key value pair tags, every GCE instance also supports metadata. In addition to including information defined by the service itself like instance host name, it can also include user-defined data.\ngcutil addinstance node-${NODE_COUNT}&#34; \\ --metadata=&#34;cluster:${CLUSTER_NAME}&#34; \\ --metadata=&#34;index:${NODE_COUNT}&#34; ... Update: gcutil is now deprecated in favour of gcloud compute. More info on transitioning here.\nInstance configuration, as well as the configuration of other instances in the same project, is available in a form of a REST query against the provisioned metadata server. This metadata can also include project-level metadata.\nThe place where this capability really came handy for me was node-level metadata. By simply defining metadata value for a node index, I was able to have individual data nodes define their own unique cluster names (\u2013metadata=name:node-0) as well as query the project-level data for cluster name.\nCustom metadata becomes especially useful when using startup scripts to execute during instance boot. Using gcutil, I was able to pass in a single local startup scripts using the \u2013metadata_from_file flag and have it discover its variables from metadata parameters.\nNODE_INDEX=$(curl http:\/\/metadata\/computeMetadata\/v1beta1\/instance\/attributes\/index) Pricing In my particular test cycles, I must have deployed close to 1000 individual instances across EC2 and GCE. Each one of these instances stayed up for maximum 15\u201320 minutes, just enough to run a set of tests on the new cluster. The part that makes GCE a lot more compelling for these kinds of use-cases is the granular pricing. Google prices its instances in one-minute increments with 10-minute minimum; not hourly, like EC2.\nOne area where GCE is perhaps not as flexible as I would like is in the area of billing. I do like the flexibility to charge individual projects to different credit cards, but would like to see a consolidated billing option there too. Also, this is the one area that is not supported by the API!\nGCE seems like a fundamentally different type of IaaS, designed specifically with developers in mind. While probably not much of a challenge to EC2 anytime soon, over time though, provided they augment their service offering list, GCE\u2019s focus on developers will pay off. Having experienced their tools first hand, it is clear these guys know how to run infrastructure at a massive scale without alienating developers.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/my-experience-with-google-compute-engine\/","summary":"<p>As part of my recent solution review, I wanted to compare a few performance metrics specific to multi-node data service deployment on different clouds. This post is about my experience with Google Compute Engine (GCE) as part of that evaluation.<\/p>","title":"My experience with Google Compute Engine"},{"content":"I am excited to share with you today that starting Monday I will be joining the Big Data team at Intel. Yes, Intel. While not traditionally known for its software offerings, Intel has recently entered the Big Data space by introducing their own, 100% open source Hadoop distribution with unique security and monitoring features.\nAs illustrated by their Github repository, Intel has already done a lot of work with Apache Hadoop. The particular repos worth mentioning are their work on HBase\u2019s security in Project Rhino as well as their work on advanced SQL support in Hive and performance enhancements for HBase in Project Panthera. In addition to these projects, Intel has also established Benchmarking Suite and Performance Analyzer projects which aim to standardize measurements around real-life Hadoop workloads.\nAs a solution architect, I will work on a team dedicated to designing the next-generation data analytics platform by leveraging the full breadth of Intel\u2019s infrastructure experience with compute (Xeon processor), storage (Intel SSD), and networking (Intel 10GbE), as well as its cryptographic and compression technologies (AES-NI, SSE).\nWhy Intel If you have read my blog over the last couple of years, you will know how passionate I am about data. I believe Apache Hadoop specifically represents a very unique opportunity for the enterprise as it challenges many preconceived notions about analytics, both from the scale as well as cost perspective.\nMy vision for Hadoop is for it to become a truly viable data platform: open, easy and performant.\nA platform upon which the community can innovate and solve real complex problems. I joined Intel because it provides me the means to execute on this very vision. After all, Intel\u2019s Hadoop distribution is the only open source platform backed by a Fortune 100 company.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/thinking-big-about-data-at-intel\/","summary":"<p>I am excited to share with you today that starting Monday I will be joining the Big Data team at <a href=\"http:\/\/www.intel.com\/&amp;t=YjBkOTU4OTE0ZjlmMGI5YmQ4MTNlMWE0NzUwMGE3MmQwODdmNzRjNCxJVHRWNTZwQw%3D%3D\">Intel<\/a>. Yes, Intel. While not traditionally known for its software offerings, Intel has recently entered the Big Data space by introducing their own, <a href=\"http:\/\/hadoop.intel.com\/&amp;t=OGIwNmNhMjhlMDk1Y2IzODIyMmEyYWZkYjRmMmI4YTFhZjUwN2UyMyxJVHRWNTZwQw%3D%3D\">100% open source Hadoop distribution<\/a> with unique security and monitoring features.<\/p>","title":"Thinking Big about Data at Intel"},{"content":"The &ldquo;high-priests&rdquo; of Big Data have spoken. Hadoop Distributed File System (HDFS) is now the de facto standard platform for data storage. You may have heard this &ldquo;heresy&rdquo; uttered before. But, for me, it wasn\u2019t until the recent Strata conference that I began to really understand how prevalent this opinion actually is.\nPerhaps even more important, how big of an impact this approach to data storage is beginning to have on the architecture of our systems.\nSince the Strata conference, I\u2019ve tried to reconcile this new role of HDFS with yet another major shift in system architecture: the increasing distinction between where data sleeps (as in where it is stored) and where data lives (as in where it is being used). Let me explain how one relates to the other, and why I actually now believe that HDFS is becoming the new, de facto standard for storing data.\nHDFS Overview HDFS is a fault-tolerant, distributed file system written entirely in Java. The core benefit of HDFS is in its ability to store large files across multiple machines; in distributed computing commonly referred to as &ldquo;nodes&rdquo;.\nBecause HDFS is designed for deployment on low-cost commodity hardware, it depends on software-based data partitioning to achieve its reliability. Traditional file systems would require the use of RAID to accomplish this same level of data durability, but, in HDFS\u2019s case, it is done without dependency on the underlining hardware. HDFS divides large files into smaller individual blocks and distributes these blocks across multiple nodes.\nIt is important to note that HDFS is not a general-purpose file system. It does not provide fast individual record lookups, and, its file access speeds are pretty slow. However, despite these shortcomings, the appeal of HDFS as a free, reliable, centralized data repository capable of expanding with organizational needs is growing.\nBenefitting from the growing popularity of Hadoop, where HDFS is used as the underlining data storage, HDFS is increasingly viewed as the answer to the prevalent need for data collocation. Many feel that centralized data enables organizations to derive the maximum value from individual data sets. Because of these characteristics, organizations are increasingly willing to ignore the performance shortcoming of HDFS as a &ldquo;database&rdquo; and use it purely as a data repository.\nBefore you discredit this approach, please consider the ongoing changes that are taking place in on-line application architectures. Specifically the shift away from direct queries to the database and increasing reliance on law latency and high-speed data grids that are distributed, highly optimized, and most likely host the data in memory.\nShift in Data Access\u00a0Patterns Increasingly, the place where data is stored (database) is not the place where the application data is managed. The illustration that perhaps most accurately reflects this shift is comparing data storage to the place where data sleeps and data application to the place where data lives.\nBuilding on this analogy, the place where data is stored does not need to be fast; it does however need to be reliable (fault-tolerant) and scalable (if I need more storage I just add more\u00a0nodes).\nThis shift away from monolithic data stores is already visible in many of today\u2019s Cloud-scale application architectures. Putting aside the IO limitations and the obsessive focus on atomicity, consistency, isolation, durability (ACID) of traditional databases, which leads to resource contention and subsequent locks. Simply maintaining speed of query execution as the data grows in these type of databases is physically impossible.\nBy contrast, new applications architected against in-memory data grids benefit from already &ldquo;buffered&rdquo; data, execute queries in parallel, and are able to asynchronously persist modifications to storage, so that these operations do not negatively impact their performance. This approach results in greater scalability of the overall application and delivers raw speed in order of magnitude compared to disk-based, traditional databases.\nIt is important to realize that these in-memory data grids are not dependent on the persistence mechanism and can leverage traditional databases as well as next-generation data storage platforms like HDFS.\nNew Data Storage Architecture As in-memory data grids become the backbone of next-generation on-line applications, their dependency on any specific data storage technology becomes less relevant. Overall, organizations want durable, scalable and low-cost data storage, and HDFS is increasingly becoming their consolidated data storage platform of choice.\nAs you can imagine, this is not an all-or-nothing situation. Whatever the specific workload is \u2014 write-intensive or demanding low-latency \u2014 HDFS can support these requirements with a variety of solutions. For example, an in-memory grid can be used for sub-second analytical processes of terabytes of data while persisting data to HDFS as a traditional data warehouse for back-office analytics.\nConsidering the relatively short life span of HDFS, its ecosystem often displays maturity. Solutions like Cloudera\u2019s open source Impala can now run on the raw HDFS storage and expose it to on-line workloads through a familiar SQL interface without the overhead of MapReduce (as it is implemented by Hive).\nThe Kiji Project is another example of an open source framework building on top of HDFS to enable real-time data storage and service layer for applications. Impala and Kiji are just a few frameworks of what is likely to become a vibrant ecosystem.\nMany organizations have already started to leverage HDFS\u2019s capabilities for various, non Hadoop-related applications. At Strata, I attended a session HDFS Integration presented by Todd Lipcon from Cloudera and Sanjay Radia from Hortonworks. It was a great overview of the vibrant technological integrations of HDFS with tools like Sqoop, Flume, FUSE or WebHDFS\u2026just to name a few.\nHDFS has also a large set of native integration libraries in Java, C++, Python, PHP, Ruby, Erlang, Perl, Haskell, C#, Cocoa, Smalltalk and many more. Additionally, HDFS has a powerful command-line and Web interface as well as Apache HBase project, which when necessary, can run on top of HDFS and enable fast record-level access for large data sets.\nOnce the data is centrally located, there is a well-documented concept of Data Gravity originally created by Dave McCrory, which among many other things has the effect of attracting new applications and potentially resulting in further increase of the data quality and overall value to an organization.\nI am not saying that all future data processing frameworks should be limited to HDFS. But, considering its prevalence in the Big Data market, low-cost, and scalability, and when combined with the vibrant ecosystem of libraries and project, it may be wise for organizations to start consider HDFS as their future-proof data storage platform.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/hdfs-has-won-de-facto-standard-for-centralized-data-storage\/","summary":"<p>The &ldquo;high-priests&rdquo; of Big Data have spoken. Hadoop Distributed File System (<a href=\"http:\/\/hadoop.apache.org\/docs\/hdfs\/current\/hdfs_design.html&amp;t=ZjcxYWQyNjE5NTI5MjVjMGIyZDlhYTgwZDQ1ZmJkOWNiNjEwMjJiMixOSG5XdzVSRA%3D%3D\">HDFS<\/a>) is now the de facto standard platform for data storage. You may have heard this &ldquo;heresy&rdquo; uttered before. But, for me, it wasn\u2019t until the recent <a href=\"http:\/\/mark.chmarny.com\/2012\/10\/stratahadoop-world-2012-etl-sql-other.html\">Strata conference<\/a> that I began to really understand how prevalent this opinion actually is.<\/p>","title":"HDFS has won, now de facto standard for centralized data storage"},{"content":"We are in a midst of drastic shift in application development landscape. Developers entering the market today use different tools and follow different patterns.\nOne of the core patterns of on-line application development today is cloud scale design. While traditionally architectures would rely on more powerful servers, today, that approach simply does not scale. We have reached that point where, in many cases, there are no powerful enough servers, or their cost would be prohibitive. Considering the unpredictable usage patterns today\u2019s on-line applications also must be flexible to address demand spikes and assure efficient service during low utilization.\nIncreasingly, organizations are comfortable scaling their capability that way on the Web and App Server layers. However, as the number of application instances increases to accommodate the growing demand, many times their data layer is simply unable to keep up.\nThe overall performance of any solution is only as good as its lowest common denominator. Increasingly, that lowest common denominator of today\u2019s on-line applications is the database.\nThe time for one-size-fits-all database has expired. When faced with today\u2019s performance requirements, we must consider the most appropriate data solutions for each specific use case. To assure the necessary scale out architecture, we must choose database that is actually optimized for the type of workload your application requires.\nNow, some believe that these data characteristics are unique to the dotcom space. I would argue however that, right now, enterprise itself is in a midst of data renaissance. Due to the rapid proliferation of new data sources, enterprise applications require longer storage, faster delivery, and higher availability than ever before. The lines between public and enterprise application architectures are blurring.\nAny organization developing applications today should have a well-thought through approach for managing data in three specific categories:\nBig data sets of infrequently changing content persisted in many kinds of formats Volatile data to support fast delivery in on-line transactional applications Flexible data platform capable of adapting to ever-changing development requirements So, the next time someone recommends that &ldquo;uber&rdquo; database that does everything, don\u2019t buy it. There simply is no solution on the market today that addresses all of these needs well.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/dont-use-yesterday-database-to-develop-tomorrow-solutions\/","summary":"<p>We are in a midst of drastic shift in application development landscape. Developers entering the market today use different tools and follow different patterns.<\/p>\n<p>One of the core patterns of on-line application development today is cloud scale design. While traditionally architectures would rely on more powerful servers, today, that approach simply does not scale. We have reached that point where, in many cases, there are no powerful enough servers, or their cost would be prohibitive. Considering the unpredictable usage patterns today\u2019s on-line applications also must be flexible to address demand spikes and assure efficient service during low utilization.<\/p>","title":"Don't use yesterday's database to develop tomorrow's solutions"},{"content":"Over the last decade, the access to best-of-bread data technologies has become easier. This is due mainly to the increasing popularity of open source software (OSS). While this phenomenon holds true in other areas like operating systems, application servers, development frameworks or even monitoring tools, it is perhaps most prevalent in the area of data.\nNot many people will argue with the fundamental role OSS plays in Big Data or NoSQL. These categories were virtually built on OSS. Just consider Hadoop, MongoDB and Redis as a small sample.\nWhat surprised me though is how these solutions have infiltrated the enterprise market and caused a drastic shift in the way organizations are now spending their money on data-related projects.\nThis shift away from technology and investment into skills is primarily due to two overarching technology trends:\nAdoption of Cloud services as the predominate means of delivering applications; not software Prevalent lack of support for scale-out architecture in traditional data solutions and its dependency on proprietary hardware Just consider this; today, whether I work for a small start-up or a large conglomerate, I have access to the same data technology that is used by the most popular companies in the world: Twitter, Facebook, Instagram just to name a few.\nThis new technologies are have been designed from ground up to meet the scale of on-line applications and are also available as open source. However, the issue is that many of these data solutions meet one and only one specific issue. It is the skills, expertise and endless hours of experts that make these data products truly valuable to organizations. Unfortunately, in the hands of many untrained professionals, these powerful tools, while free, are useless!\nThere are already some high-profile examples of this shift to OSS-based data solutions in the enterprise. Disney, which recently announced their Data Management Platform, has built it on a &ldquo;start-up-like&rdquo; budget. This complex system uses Hadoop and NoSQL databases, coupled with some innovative API architecture that shields developers from product complexities and enables standard approaches to data management, regardless of its format.\nSears also announced last week that it was going &ldquo;all-in on Hadoop&rdquo;. They found their traditional (proprietary) data solution not flexible enough, and decided that to remain relevant, this old-school company had to adopt to new (Big Data) technologies. Sears is in fact so committed to this new direction, that they are actually planning on re-selling their new Big Data solution as a service.\nThese two Fortune 100 companies are but a precursor to what we will see over the next five years as a result of this growing trend in today\u2019s enterprise.\nWhile everyone may have access to free analytical solutions like Hadoop, open source key-value like Redis or document-based database like MongoDB, the skill and expertise needed to glue these products into differentiated solutions is hard to come by. This is where I can see another shift that is currently impacting the popularity of OSS in the enterprise: organizations are increasingly willing to work with multiple, best-of-breed, vendors.\nThe traditional desire to have a single partner responsible for all issues appears to have been overwritten by competitive advantages and the fear of vendor lock-in. The money saved by making these OSS choices gives now organizations the luxury of outsourcing to a variety of technology experts.\nFor example, when Disney needs support with a Hadoop cluster, they call Cloudera, When they have questions about Solr or Cassandra implementation they bring in DataStax. The interesting part of this trend is that it even applies to propitiatory products that leverage OSS as in case of Sears leveraging Datameer\u2019s expertise in analytical tools.\nI\u2019m sure there are many examples of where this kind of best-of-breed approach to data delivered less than optimal results. But, to remain competitive enterprise has to make systems that scale and are able to quickly adopt to the ever-changing application demands. Right now, these systems seem to be built on top of data platforms based on open source. And, since the access to these technologies has been commoditized, it is the skill of personnel that\u2019s becoming the true differentiator.\nUnfortunately, in many cases, companies shy away from training their people in these solutions, fearing they will leave for greener pastures. That\u2019s however a very shortsighted perspective. They really should fear what will happen if they don\u2019t train them and they stay!\n","permalink":"https:\/\/blog.chmarny.com\/posts\/data-related-investments-shift-from-tech-to-skills-talent-new-differentiator\/","summary":"<p>Over the last decade, the access to best-of-bread data technologies has become easier. This is due mainly to the increasing popularity of open source software (OSS). While this phenomenon holds true in other areas like operating systems, application servers, development frameworks or even monitoring tools, it is perhaps most prevalent in the area of data.<\/p>","title":"Data-related investments shift from tech to skills \u2014 talent new differentiator"},{"content":"Over eight months ago, I joined Intel to work on their next-generation data analytics platform. In large, my decision was based on Intel\u2019s desire to address the &ldquo;voodoo magic&rdquo; in Big Data: the complexities that require deep technical skills which are preventing domain experts from gaining access to large volumes of data. The idea was that by leveraging the distributed data processing capabilities of Apache Hadoop, and combining them with Intel\u2019s breadth of infrastructure experience, we could make Big Data analytics more accessible and therefore more prevalent.\nLast week, Intel demonstrated just how serious it is about this vision by announcing a strategic partnership with Cloudera, the largest distributor of\u00a0Hadoop.\nMuch has been already written about this partnership. To me, this single largest data center technology investment demonstrates the level of Intel\u2019s commitment to deliver on the promise of open, performance optimized platform for big data analytics. As part of this deal, Cloudera will optimize its software to take greater advantage of the features found in Intel processors, which already power the majority of data centers.\nOne of the fastest growing areas and biggest opportunity for Hadoop optimization is Internet of Things (IoT). Whether it is edge signal aggregation, stream processing, or scalable storage later, the use of Hadoop in IoT currently demands a substantial layer of specialized code. The problem is that this software layer is too complex to develop. Intel\u2019s collaboration with Cloudera will greatly simplify analysis of machine-generated data and become an intrinsic part of the next-generation IoT analytics platform.\nThe wider Hadoop ecosystem will benefit too.\nThe leaders of both companies are already talking about a two-year optimization roadmap and their commitment to release these enhancements upstream into the open source community.\nBy making this platform generally available, Intel will assure that in near future, you will be able to build innovative data solutions that are less expensive and easier to implement, while still realizing its rapid performance improvements in Hadoop.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/intel-doubles-down-on-its-vision-of-open-performance-optimized-hadoop\/","summary":"<p>Over eight months ago, <a href=\"\/posts\/thinking-big-about-data-at-intel.md\">I joined Intel to work on their next-generation data analytics platform<\/a>. In large, my decision was based on Intel\u2019s desire to address the &ldquo;voodoo magic&rdquo; in Big Data: the complexities that require deep technical skills which are preventing domain experts from gaining access to large volumes of data. The idea was that by leveraging the distributed data processing capabilities of <a href=\"http:\/\/hadoop.apache.org\/&amp;t=ODQwMzljZTFhMjE4MzZlNjUxNWQ5ZjFhYjE2Y2MwOGE1OGE4YzFmNSxaVU4zS00wOQ%3D%3D\">Apache Hadoop<\/a>, and combining them with Intel\u2019s breadth of infrastructure experience, we could make Big Data analytics more accessible and therefore more prevalent.<\/p>","title":"Intel doubles down on open, easier to use, and performance-optimized Hadoop"},{"content":"Last week I had a chance to attend the 3rd AWS re:invent conference in Vegas. I\u2019m not a big fan of that city myself, but, as in previous years, re:invent has not disappointed. Much coverage has been dedicated to the newly introduced services; I won\u2019t bore you with that. Instead, I wanted to share with you a few higher-level thoughts I captured at the event.\nAWS Lambda and the fundamental shift away from monolithic apps to increasingly smaller and (more?) atomic services that it represents.\nI fully expected the AWS Container as a Service announcement based on their partnership with Docker, the release of AWS Lambda has actually surprised me. At its most basic, it is a compute service, which simply executes code. Yes, nothing-new there. Lambda is also able to respond to event triggers, also nothing special there\u2026 Xively was able to do that in IoT context for years.\nThe part that sets Lambda apart is its ability to automatically manage compute resources; making this &ldquo;simple function execution engine&rdquo; into an independent components of powerful event processing pipeline with scale only limited by the amount of money you are willing to spend.\nWhile we are on the subject of money, Lambda charge model is exactly what we came to expect from AWS: pay for what you use: $0.20 per million requests with the first million being free. At larger volumes its $0.0000002\/request plus the compute time metered in increments of 100ms! That means that while many of us probably could build an event processing pipeline using some combination of Kafka, AKKA, Flume and Storm, instrumenting comparably elastic service capable to respond to the unpredictable usage patterns at Lambda price-point would actually be pretty hard.\nYes, Lambda itself is a proprietary service. While some will use that fact as a show-stopping argument, it is hard to deny that Lambda represents a fundamental shift in service delivery. It decomposes monolithic processes into their lowest programmable level: function.\nLambda\u2019s atomic function is a preview of next-generation Compute-as-a-Service offerings. It represents the core ingredient of tomorrow\u2019s computing.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/smaller-single-purpose-atomic-functions-core-ingredient-of-tomorrow-computing\/","summary":"<p>Last week I had a chance to attend the 3rd AWS re:invent conference in Vegas. I\u2019m not a big fan of that city myself, but, as in previous years, re:invent has not disappointed. Much coverage has been dedicated to the newly introduced services; I won\u2019t bore you with that. Instead, I wanted to share with you a few higher-level thoughts I captured at the event.<\/p>","title":"Smaller, single-purpose, atomic functions core ingredient of tomorrow\u2019s computing"},{"content":"After a pretty positive experience with influxdb I wanted to create a super simple telemetry producer (this one in Node.js) to spotlight a few types of time series data query supported in influxdb. (Source code available on GitHub)\nTo get live data for this demo, I created a simple script that generates metric data for CPU Utilization and Free Memory on your local machine at 1 sec resolution.\nSample queries Select of values based on arbitrary time window.\nselect sample_value from cpu_series where time &gt; \u20182013\u201308\u201312 23:32:01.232\u2019 and time &lt; 2013\u201308\u201312 23:22:055.134 On the fly 90th percentile of value in 5 second intervals. No windowing or period tables required.\nselect percentile(sample_value, 90) from mem_series group by time(5s); Standard deviation of value in 5 second intervals. Again, all ad-hoc, down-sampling with no priori declarations.\nselect stddev(sample_value) from cpu_series group by time(1m); Why influxdb Having done a few time series systems in Cassandra, HBase and yes, even Mongo, I was looking for something that would be already optimized for that specific data type. Furthermore, I wanted clean API as well as support for many of common telemetry aggregate functions:\ncount(), min(), max(), mean(), mode(), median(), distinct(), percentile(), histogram(), derivative(), sum(), stddev(), first(), last() Additionally:\nOpen source (MIT), hosted on GitHub No external dependancies (nope, no zookeeper) SQL-like query and built-in UI On the fly, downsample aggregate (no need to define windows, just record it and query by ad-hoc period: e.g. 1s, 4s, 2m etc.) Clustering support (there is currently a limit of 2M writes per second in 0.9 release, which suppose to be removed in 1.0) Pure Golang since 0.9 (plus for me, may not be for others) ","permalink":"https:\/\/blog.chmarny.com\/posts\/time-series-data-management-using-influxdb\/","summary":"<p>After a pretty positive experience with <a href=\"http:\/\/influxdb.com&amp;t=MDNmNjA2NmIwNTkxYjUzNDg0YzY2NTUwNmJmMjAzNjkzOGY0ZjFjNCxjclJsVjdENA%3D%3D\">influxdb<\/a> I wanted to create a super simple telemetry producer (this one in Node.js) to spotlight a few types of time series data query supported in influxdb. (Source code available on <a href=\"https:\/\/github.com\/mchmarny\/timeseries-samples&amp;t=Nzk1NjkzYWI3ZDU1OGUzYTg3YmY4MjBkMzE5ZDlmNjk2ODc2NmMzYixjclJsVjdENA%3D%3D\">GitHub<\/a>)<\/p>\n<p><img loading=\"lazy\" src=\"\/images\/0__bqylsNDJDNtWuTyx.png\"><\/p>\n<p>To get live data for this demo, I created a simple script that generates metric data for CPU Utilization and Free Memory on your local machine at 1 sec resolution.<\/p>","title":"Time series data management using InfluxDB"},{"content":"Seems like every week we hear about yet another new open source Machine\/Deep Learning library or Analytical Framework.\nTalking to people at Strata this week only confirmed for me that in the midst of what can only be described as virtual gluttony of open-source software, there is massive number of organizations who find it increasingly harder to implement these technologies. Even the task of identifying the right solution can overwhelm many, and result in a tailspin of endless use-case\/feature comparison.\nIn the meantime, the gap between access to open and capable data science software, and the necessary know-how to actually use it, is growing. This trend is only accelerated by constant innovation in the open-source community. How many ML libraries do we have now?\nWhile we wait on consolidation, there is a massive opportunity for streamlined and opinionated data analytics platform to emerge. Platform which focuses more on usage patterns, and less on software package delivery.\nTo some degree, Cloud Service Providers have an advantage here due to their ability to on-demand provision the necessary capabilities backed by their own elastics resource pools. Regardless however how such platform is delivered, the provider has a window of opportunity right now to earn those net-new analytical workloads by allowing developers to focus on building their differentiation.\nOver time, if that provider continues to run these workloads cheaper, faster and with all the necessary level of control, they will have created themselves an organic and loyal customer base.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/gluttony-of-open-machine-intelligence-software-enterprise-finds-hard-to-use\/","summary":"<p>Seems like every week we hear about yet another new open source Machine\/Deep Learning library or Analytical Framework.<\/p>\n<p>Talking to people at <a href=\"http:\/\/conferences.oreilly.com\/strata\/hadoop-big-data-eu\">Strata this week<\/a> only confirmed for me that in the midst of what can only be described as virtual gluttony of open-source software, there is massive number of organizations who find it increasingly harder to implement these technologies. Even the task of identifying the right solution can overwhelm many, and result in a tailspin of endless use-case\/feature comparison.<\/p>","title":"Gluttony of great open ML tools too hard for enterprise to use"},{"content":"As a long-term Cloud storage user I recently wanted to re-evaluate my options. New content management providers became available and I wanted to make sure I wasn\u2019t missing on the new shinny tech out there.\nAs I was considering the pros and cons of each option, I realized the apparent shift in my personal attitude towards cloud data storage over last few years. My concerns used to be solely with security. Now, while the data security is still critical, I am much more interested in data access, ownership, integration and its control.\nMany people talk about how the recent consumerization of the enterprise, where the lines between our personal and work data are being increasingly blurred. But nothing brought it home for me as much as what I saw during the recent VMworld in Las Vegas where Steve Herrod, CTO from VMware, was talking about the new content storage solution code-name Project Octopus. It provides Dropbox-like experience to corporate users while preserving the IT control over the company content. Before he gave a demo, Steve has asked how many of the 20,000+ attendants currently use a consumer cloud storage solution like Dropbox at work. About a half of the audience raised their hands. These are some of the most network-savvy, security-conscious users of the Cloud industry!\nShould we be surprised? How many of us currently use our personal devices at work? More importantly, how many businesses are actually OK with that? So, how did we get here? More importantly, how must we deal with this exponential growth of data while preserving the necessary level of control?\nFor starters, we need to realize that with the proliferation of SaaS-based solutions, we are giving up more and more control over our own data. When was the last time you read the agreements for which we so nonchalantly check the &ldquo;I Agree&rdquo; box when signing up for new Web-based app?\nBut SaaS is not the problem here, as we are moving to the post-document era and increasingly larger amounts of our content is managed in the public cloud, we do not necessary need to give up control. Rather, we need to start thinking about a more federated storage model. Now, I know the concept of &ldquo;storage federation&rdquo; get some people really excited, but, what I am talking about here is a model focused not on private vs. public storage but a fabric that is intimately aware of the data content, its origin, as well as its access and retention policies in context of user\u2019s current identity across all providers.\nTim Berners-Lee, at his recent keynote address at RSA Europe, talked about the demand for control of storage. Not as something we will need in the future, but rather, as a clear and present danger of impacting the cloud adaptation and balkanization of our data resulting in our inability to leverage its real value.\nAnalyst firm IDC now claim the growing volumes of cloud storage providers will lead to combined storage spending of $22.6 billion by 2015. We must figure out a scalable and secure way of controlling all that storage really soon, otherwise the promise of cloud value will be overshadowed by increased loss of control and eventually lesser security.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/federated-not-balkanized-future-of-data-and-cloud-challenges\/","summary":"<p>As a long-term Cloud storage user I recently wanted to re-evaluate my options. New content management providers became available and I wanted to make sure I wasn\u2019t missing on the new shinny tech out there.<\/p>\n<p>As I was considering the pros and cons of each option, I realized the apparent shift in my personal attitude towards cloud data storage over last few years. My concerns used to be solely with security. Now, while the data security is still critical, I am much more interested in data access, ownership, integration and its control.<\/p>","title":"Federated not Balkanized - The Future of Data and Its Short-term Cloud Challenges"},{"content":"About a year and a half ago, I wrote about Big Data Opportunities, focusing primarily on Leveraging Unused Data, Driving New Value From Summary Data and Harnessing Heterogeneous Data Sensors (more recently known as Internet of Things).\nSince that post, data space has exploded with numerous solutions addressing many of these areas. These solutions while mostly based on batch operations and limited to serial MapReduce jobs against frequently off-line, inadequately secured, Hadoop cluster, they do allow access to previously inaccessible data.\nWhile attending recently Hadoop Summit I got a glimpse of the upcoming trends and I decided to outline three new areas of opportunities in data management space:\nComplex Event Processing During Ingestion As we are often reminded, Hadoop, in its original architecture, was not built for low-latency access. Over the last year, a few point-solutions came to market to address this very issue, but now, with the introduction of YARN as part of the upcoming Hadoop 2.0 release, I think we finally have a platform to build an open support for processing ingestion listeners.\nI envision these implemented as a set of native Hadoop components capable of eventing on ingested data without impacting the throughout (inability to throttle the data) or the format in which the data is persisted in HDFS (proprietary formats).\nSo, why is all this dynamic capability important? Many companies already decided to use HDFS as a global data repository. But, the luck of low-latency access prevents any kind of dynamic analytic on that data. I suspect in the near future, projects like Tez and Spar, besides enabling real-time validation, Id generation and cleansing, will greatly expedite the time it takes to derive actionable insight from ingested data. Perhaps someone finally comes up with a solution for &ldquo;continuous query&rdquo; on top of HDFS (yes, little GemFire nostalgia here from my VMware days).\nOn the other hand, if Hortonworks, as part of its Stinger initiative, does deliver on its challenge to make Hive 100x faster, low-latency access to newly ingested data in HDFS through SQL interface may be sufficient.\nUpgrade Compliance Approach In many cases, the traditional compliance rules have not caught up with the new data management patterns of Hadoop. Most of the clusters I have ever seen not only don\u2019t have comprehensive security layer, they even lack a good data access audit. Some initiatives like Apache Accumulo are introducing cell-level access management extension on top of Hadoop, but as more and more data is loaded into HDFS, there is an increasing opportunity for comprehensive monitoring solution, especially as it relates to large distributed enterprise data pipelines.\nThis is not only a technology problem.\nMany of the traditional data compliance approaches don\u2019t fit well in the new data access paradigms._\nEspecially when you consider the the traditional regulations on data in rest and their implementation on distributed data grids with data partitioning and query sharing during access.\nHeterogeneous Data Management Traditional Relational Database Management Systems (RDBMS) relied on the SQL interface to extend its functionality and manage it state (e.g. grant privileges on object to user;). However with the growing number of hybrid data systems there is now a need to read, write and update data in multiple systems. For example, document stored in Cassandra are often indexed in ElasticSearch; data persisted in HDFS is cataloged in HCatalog and cached in Memcached.\nThe goal here is to Instead of directly programming applications to these underlying technologies, there needs to be a more transparent and centralized &ldquo;abstraction layer&rdquo; that could simplify this effort for developers, and enable easier upgrade\/replacement path for infrastructure architects (API).\nThere you have it, my three areas of opportunity for innovative data solutions. If last year taught me anything though, by the time I write next year\u2019s version of this post, it will likely include technologies and challenges we have not even heard about today.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/data-opportunities-3-areas-to-focus-innovation\/","summary":"<p>About a year and a half ago, I wrote about <a href=\"\/posts\/3-killer-big-data-app-opportunities.md\">Big Data Opportunities<\/a>, focusing primarily on Leveraging Unused Data, Driving New Value From Summary Data and Harnessing Heterogeneous Data Sensors (more recently known as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_of_things\">Internet of Things<\/a>).<\/p>\n<p><img loading=\"lazy\" src=\"\/images\/0__FnPtGrT0LSmX6DBG.jpg\"><\/p>\n<p>Since that post, data space has exploded with numerous solutions addressing many of these areas. These solutions while mostly based on batch operations and limited to serial MapReduce jobs against frequently off-line, inadequately secured, Hadoop cluster, they do allow access to previously inaccessible data.<\/p>","title":"Data Opportunities, 3 Areas to Focus Innovation"},{"content":"In general, Platform as a Service (PaaS) is developed by developers for developers. Of course they\u2019re going to love it.\nIt enables them to focus on the nuances of their applications \u2014 not on the day-to-day pointless activities that so often take their time away from solving real problems.\nThe non-developers point to the abstraction of underlining infrastructure and dynamic resource allocation as some of the core benefits of PaaS. In short, we often view PaaS as a runtime execution engine that trivialize the complex aspects of application development and deployment.\nThe problem with that kind of view however is that it focus primarily on the run-time aspects of the platform. This may be a result of some vendors treating data services as an external concern, strapped onto the platform as an add-on, almost as an afterthought. Heroku, for example, provides only Postgres as their one &ldquo;native&rdquo; data service, while OpenShift does slightly better, adds MySQL and a community supported edition of MongoDB.\nEveryone would agree that add-ons play an important role in the extendibility of any PaaS solution. I would argue, however, that as the &ldquo;open&rdquo; and &ldquo;polyglot&rdquo; aspects of PaaS become the de facto standard, a more holistic view of the entire application platform, including a diverse selection of native data services is quickly becoming a major differentiator.\nToday, for example, you would not choose PaaS without its support for most common development frameworks, or its ability to run unmodified in public cloud and in private data centers.\nThe very same way, you should not choose a PaaS solution without an integrated, native and diversified data service support. As many of you know, I work for VMware, which initiated open source PaaS solution called Cloud Foundry.\nRight now, Cloud Foundry delivers the richest selection of native data services on the market, including MySQL, PostgreSQL, MongoDB, RabitMQ and a couple different versions of Redis.\nThese services deliver predictable, low-latency connectivity to your data whether your application is deployed to the public instance of Cloud Foundry operated by VMware, AWS instance operated by one of our ecosystem partners like AppFog, or to a private instance running out of your own data center. Whichever Cloud Foundry instance your application targets, that data service provisioned by Cloud Foundry will behave exactly the same.\nHowever, it would be na\u00efve to expect all necessary data services to always be available natively. Just for these kinds of situations, Cloud Foundry provides an open source Service Broker (yes, service extending a service), which delivers the very same provisioning characteristics to external or legacy services, which are currently not offered by Cloud Foundry. The best part is that these services can be managed through the same API and benefit from the very same native integration into your application.\nIn short, if application mobility is important to you, please view data services as an intrinsic part of your PaaS strategy.\nAdd-ons are great and certainly appropriate in many cases; just make sure they don\u2019t become your gateway drug locking your application to specific provider.\n","permalink":"https:\/\/blog.chmarny.com\/posts\/paas-not-just-about-runtime-data-services-are-the-next-differentiator\/","summary":"<p>In general, Platform as a Service (<a href=\"http:\/\/en.wikipedia.org\/wiki\/Platform_as_a_service&amp;t=YzdiYWU1Yjc0MTdkMzZiMzM3N2NjN2I0MTNmMDk0ZDhlYTBiNzk1YixZY0ltODJRaQ%3D%3D\">PaaS<\/a>) is developed by developers for developers. Of course <a href=\"http:\/\/www.informationweek.com\/cloud-computing\/platform\/vmwares-cloud-foundry-ranked-top-develop\/232200211&amp;t=ZTE3MjQyYzA0ODc4ZTQ2M2ExZjRmZGYwODJiNWJlN2M3OGY1ZWE1YyxZY0ltODJRaQ%3D%3D\">they\u2019re going to love it<\/a>.<\/p>\n<blockquote>\n<p>It enables them to focus on the nuances of their applications \u2014 not on the day-to-day pointless activities that so often take their time away from solving real problems.<\/p>","title":"PaaS not just about runtime, data services are the next differentiator"},{"content":"Legal Disclosure Information in accordance with the applicable law\nMark Chmarny\n","permalink":"https:\/\/blog.chmarny.com\/imprint\/","summary":"<h1 id=\"legal-disclosure\">Legal Disclosure<\/h1>\n<p>Information in accordance with the applicable law<\/p>\n<p>Mark Chmarny<\/p>","title":""}]