Node.js meetup at Palo Alto Networks Tel Aviv

Node.js - concurrency,
microservices, docker
Dreaming on a job at Palo Alto? Get a real one in Palo Alto Networks
Palo Alto Networks TLV is hiring experienced Node.js developers!
Send your CV to: jobs-il@paloaltonetworks.com
&
Yaron Biton Oleg Verhovsky Amir Jerbi

Yaron Biton, CTO
misterBIT.co.il
… and then there was Javascript
everywhere …
Concurrency

My Technology Journey
1986
Commodore 64
Basic
1995
JCL, PL/I
1998
PC
Main Frame C++ & Java
2003
Apps Servers
JEE Architect
2007
Open Source
PHP
2009
Everywhere
Javascript

What do I do?
Focused on
Javascript Everywhere
12 weeks bootcamp that qualifies
Full-stack Javascript developers.
• Professional developers training
• High End Consulting
• Outsourcing

Its Javascript all the way
Javascript is becoming
an end to end choice for companies

ebay: Why we chose node.js? (for a project)
• excellent support for async I/O
• Low per-connection memory overhead
– “We were able to tune a regular developer-quality Ubuntu workstation
to handle more than 120,000 active connections per node.js process,
with each connection consuming about 2k memory”
• The full story: http://www.ebaytechblog.com/2011/11/30/announcing-ql-io/

Linkedin: Why we switched from Ruby to node.js?
• Node is optimized for JSON, which was what our backend was
giving us,
as well as what our front end was looking to consume.
• In our use cases, Node was roughly 20 times faster
• Memory footprint is also a factor. We looked at how well VMs
(virtual machines) worked in several languages, and the V8
JavaScript Engine just blew everything else away.
• The extent of code reduction proved to be huge — from
60,000 lines down to 2000.
• Node is getting a lot of hype, that made it easier for me to
recruit.

Need for Speed: Groupon Migrated to Node.js
“We’re able to serve much higher traffic,” McCullough said.
Before the change to Node, a Starbucks deal was so popular that
it brought the site down. “The next time, that didn’t happen,”
McCullough said. On top of that, he said, pages now take less
time to load for end users.
http://www.datacenterknowledge.com/archives/2013/12/06/need-speed-groupon-migrated-node-js/

Node.js
• Node.js is an open source platform built on Chrome's
JavaScript runtime (V8) for easily building fast,
scalable network applications.
• Node.js uses an event-driven, non-blocking I/O
model that makes it lightweight and efficient,
• Suitable for data-intensive real-time applications that
run across distributed devices.

A Simple Node Server
• In this basic web server example, many client connections can
be handled concurrently.
• Node (libuv C module) tells the operating system
that it should be notified when a new connection is made.
• When someone connects, then it executes the callback - Each
connection is only a small heap allocation.
var http = require('http');
http.createServer(function (req, res) {
res.writeHead(200, {'Content-Type': 'text/plain'});
res.end('Hello misterBITn');
}).listen(1337, "127.0.0.1");
console.log('Server running at http://127.0.0.1:1337/');

Node.js Efficiency
• Single threaded - nodejs only uses one thread.
• Most APIs are asynchronous by nature,
(i.e. do not perform direct I/O, so the process never blocks.
• Node enjoys memory efficiency under high-load
– Most systems allocate at least 2mb per thread
– You cant dead-lock the process — there are no locks.

Node.js Efficiency
no server has the non-
blocking ecosystem of
Node.js today.
Over 50k modules all
written in the async
style, ready to use

A Deeper look into Node.js Efficiency
• Actual threads are contained at low level
– and thus remain constrained in size and number,
– and the thread synchronization is thus simplified
• OS-level "switching" via select() is faster than
thread context swaps
(read about the C10K problem here)
• Threads are really hard. Developers are likely to:
– break due to bugs
– not use them as efficiently as possible

The Reactor Pattern
The application expresses the interest to access a
resource at one point in time (without blocking) and
provides a handler, which will later be invoked when
the operation completes.
A Node.js application
exits when there are
no more pending
operations in the
Event Demultiplexer,
and no more events
to be processed inside
the Event Queue

Libuv - The non-blocking I/O engine of Node.js
• Each operating system has its own interface
for the Event Demultiplexer:
– epoll on Linux, kqueue on Mac OS X, and I/O
Completion Port API (IOCP) on Windows.
• So In Node.js, libuv (a C library), is in charge of
normalizing the non-blocking behavior.

Shared-state concurrency is difficult
incorrect synchronization, deadlocks, inconsistent behavior, lost
updates or dirty reads, are all there like an accident waiting to
happen.
Lets put some dead code corps on the table:
• Race Conditions
• None Atomic operations (writing to long!)
• Volatiles
• Write Buffers
• Padding
• ConcurrentCollections, CopyOnWrite,

What About CPU Bound Apps?
• If you naively do heavy computation in Node, you suddenly
become a very uncooperative single-tasker.
(i.e. – applying a filter on photo, find primes, etc)
• But there are ways!
• You can sometimes break calculations with setImmediate
i.e. creating a none-blocking-forEach
• We can use the Cluster module and break the server into
micro services
• Sometimes, we can spawn some of the calculations to be
handled on the client side with Web Workers!

Summary
Slides and Demos:
http://bit.ly/misterbit-electron
Node.js Single Threaded model
makes our life easier and safer!

Slides and Demos:
http://bit.ly/misterbit-electron
Node.js is Great
Javascript is Great,
And Angular2 is coming.
http://angularworkshop.co.il/

Keep on diving
misterBIT.co.il

Micro Services
Overview
Dec 2015

About Codefresh
A Docker platform for development teams w automated Docker
Flow (Workflow for Docker images).
Build, Run & Test Docker based applications

Is “Micro Services Architecture” a
really new concept
Back to “SOA” day :
• Abstract Service Definition
• Agnostic to technological stack
• Decoupled and isolated
Containerization technologies (Docker) provides standard way
to build and deploy services based solutions

So what is Micro Service?
Logically / Business wise independent Unit
Deployable
Scalable

Micro Services + Docker , in right
place
at right time
Standard creation of deployable units
Ability to deploy images on different environments.
Easy scale of distributed application
Growing tool chain helps to orchestrate containers (SWARM ,
Kubernetes , Mesos)

From Monolithic
App to Micro
Services

From Monolith to Micro Service
Definition of services
Discovery pattern
Testing Practices
Release lifecycle
Deployment strategy

Auth API
Worker
Auth
API
Worker
Worker
Worker
Example of migration

WebUI
CommandLine
API
Team Management
Workflow Manager
Entity Manager
Monitoring
Routing
Template Manager
Integrations (Jira,etc)
Builder
Builder
Runner
Runner
Runner
Build
Mongo Redis
Hosted in Codefresh
Run
WebHook
Local
Registry
DockerHub
Registry

Lessons learned
Architecture should evolve over time based on use case and customer feedback.
It will include adding new micro services from one side and rearranging existing
one.
Testing - Make sure that every service testes through unit and API tests.
Development environment - Stable development environment that will enable to
focus on developing specific service without need to setup all system locally
Release process should be adopted and continuously improved.
Continues deployment with an ability to push every micro service in independent
way
Monitoring and logging of both single micro services and consolidate log

Release life cycle monolithic vs
microservices
Push1 Push2
V1.0 V1.1 V1.2
Push2
Service 1 V1.0 V1.2 V1.3
Service 2 No change V1.0 No change
Service 3 No change No change V1.0

Development Environment for
Micro service based architecture
Docker Compose
Vagrant
OttO
AZY other

@codefresh
additional resources
Codefresh blog blog.codefresh.io
Containers #101
http://www.meetup.com/Containers-101-online-meetup/
Get your own account
www.codefresh.io

4 Steps for Developing a
Secured Containerized NodeJS
Application
Amir Jerbi | CTO @ Scalock | @jerbia

Building a Secured Containerized NodeJS App
1. Secure Coding
2. Containerized!
3. Monitor Changes
4. Update Packages
42

Know Your HTTP Headers
Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
HTTP Headers Why? Example
Strict-Transport-Security Make sure channel is
encrypted. Always.
Strict-Transport-Security: max-
age=16070400;
includeSubDomains
X-Frame-Options Hidden iframes can be used
for clickjacking attacks
X-Frame-Options: deny
X-XSS-Protection Browser based XSS
protection
X-XSS-Protection: 1;
mode=block
X-Content-Type-Options Prevent mime type sniffing X-Content-Type-Options: nosniff
44

Secure & Verify Data Received from User
● Sanitize inputs:
○ SQL Injections
○ Form field sanitation
○ URL query string sanitation
● Sign or Encrypt Sensitive Cookie data
● CSRF
References:
https://www.npmjs.com/package/csrf
https://www.npmjs.com/package/sanitize-html
https://www.npmjs.com/package/cookie-encryption
45

Authentication
● Complex passwords
● Authenticate your REST API - JSON Web Tokens
● Brute force protection - rate limit authentications
References:
http://passportjs.org/
https://github.com/jhurliman/node-rate-limiter
https://www.npmjs.com/package/owasp-password-strength-test
46

Remove Secrets from Your Code!
What are Secrets?
● Hard-coded username and passwords
● Encryption keys
● Access Keys (AWS, Google)
Where to Store them?
● Fetch from Secured location
● Keep in memory, git rid when not needed
● Encrypt
Reference:
https://security.web.cern.ch/security/recommendations/en/password_alternatives.sht
ml
https://square.github.io/keywhiz/
47

What are Software Containers?
Server Virtualization method that
is:
● Lightweight, has a small
footprint
● Allows running multiple
isolated processes on a shared
kernel (OS)
● Little to no overhead
49

How Easy it is? Very.
● Ready made NodeJS packages from https://dockerhub.com
● No need to install or configure - simply run it...
51

Build - Deploy - Run
● Create a Dockerfile to
automate build of your
application.
● Easily run as daemon using
“docker run -d” command.
52

Security Benefits of Containers
● Better control on dependencies: ship your code with its packages
● Compromised applications are still contained within container
boundaries
● Built-in mechanisms to identify changes in container
● Better control on your deployment environment
53

Did Someone Change My Container?
● Use “docker diff” to see
changes made in a running
container.
○ C - modified
○ A - new
○ D - deleted
55

Common Vulnerabilities and Exposures (CVEs)
● Almost every software package has security issues.
● The older the package is - the chances it has more issues.
● Node nsp can be used to find vulnerable npm packages.
References:
https://web.nvd.nist.gov/view/vuln/search
https://nodesecurity.io/tools
57

Peekr - Check Image Vulnerabilities
References:
https://peekr.scalock.com 58

Summary
● Containers are not the cure for everything.
Good programming is still the basis for good security.
Take a look at OWASP top 10 vulnerabilities:
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
● CVEs are serious problem. Make sure you have a process to manage
them.
● Containers adds to your visibility and control - better manage
what’s being deployed.
● If you’ve been hacked then at least compromised code is running
inside a container.
60

Node.js meetup at Palo Alto Networks Tel Aviv

More Related Content

Viewers also liked (20)

Similar to Node.js meetup at Palo Alto Networks Tel Aviv (20)

Recently uploaded (20)

Node.js meetup at Palo Alto Networks Tel Aviv